Re: Portus, missing LDAP server authentication

[Marcus Meissner <meissner () suse de>]

Hi,

On Sun, Dec 17, 2017 at 02:36:42PM +0100, Raphael Geissert wrote:
> Hi,
>
> Portus 2.2 and older provides LDAP integration for authenticating the
> users. However, in spite of it providing advice on configuring it to
> "to setup LDAP over SSL/TLS"[1], the implementation does not verify
> the server's identity at all.
>
> I'm writing about it here mainly because there appears to be some
> intention of TLS support. Users might expect it to actually provide
> some kind of security.
>
> Interestingly enough, the documentation and the config file comments
> say  'the recommended [method] is "starttls".'[2] I don't know where
> they got that from.
>
> CC'ing SUSE's security team.
>
> I have not yet reported it to the portus team directly, nor requested
> a CVE id (though I'm tempted to request one, to err on the side of
> safety).
>
>
> [1]http://port.us.org/docs/Configuring-Portus.html
> [2]https://github.com/SUSE/Portus/blob/master/config/config.yml#L49
>
> Cheers,

I have opened
https://bugzilla.suse.com/show_bug.cgi?id=1073232
for this issue.

Ciao, Marcus