LDAP Overlay Security Patch

Hello!

Thanks to Walter Duncan, a critical security bug in the LDAP overlay’s
account autocreation callback has been fixed. If you’re using this
code, please update it from the wiki:

http://wiki.bestpractical.com/index.cgi?LdapAutocreateAuthCallback

The bug, left unpatched, could allow user accounts to be compromised.
Please update as soon as possible.

Thanks, Walter!

–j
Jim Meyer, Geek at Large purp@acm.org

|Hello!
|
|Thanks to Walter Duncan, a critical security bug in the LDAP overlay’s
|account autocreation callback has been fixed. If you’re using this
|code, please update it from the wiki:
|
| http://wiki.bestpractical.com/index.cgi?LdapAutocreateAuthCallback
|
|The bug, left unpatched, could allow user accounts to be compromised.
|Please update as soon as possible.

Can you tell us which versions of RT this will affect? thanks

Malcolm Herbert This brain intentionally
mjch@mjch.net left blank

Hello!

On 6/21/06, Malcolm Herbert rt-users@mjch.net wrote:

On Tue, Jun 20, 2006 at 11:59:34PM -0700, Jim Meyer wrote:
|Thanks to Walter Duncan, a critical security bug in the LDAP overlay’s
|account autocreation callback has been fixed. If you’re using this
|code, please update it from the wiki:
|
| http://wiki.bestpractical.com/index.cgi?LdapAutocreateAuthCallback
|
|The bug, left unpatched, could allow user accounts to be compromised.
|Please update as soon as possible.

Can you tell us which versions of RT this will affect? thanks

This affects any version of RT in which you’ve installed the LDAP
overlay found in the Best Practical wiki at
http://wiki.bestpractical.com/?LDAP. It is particular to the
recently-added Auth callback which autocreates user accounts; that
file (found at http://wiki.bestpractical.com/?LdapAutocreateAuthCallback)
is the only piece of the overlay which must be updated to patch this
bug.

This bug is not inherent to RT itself; if you haven’t installed the
LDAP overlay referenced above, this is not an issue for you.

Hope that’s more clear!

–j
Jim Meyer, Geek at Large purp@acm.org