CVE-2017-11501
N/A
N/A
Summary
NixOS 17.03 and earlier has an unintended default absence of SSL Certificate Validation for LDAP. The users.ldap NixOS module implements user authentication against LDAP servers via a PAM module. It was found that if TLS is enabled to connect to the LDAP server with users.ldap.useTLS, peer verification will be unconditionally disabled in /etc/ldap.conf.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| n/a | n/a | n/a | affected |
Weaknesses
- n/a
ADP Enrichment
CVE Program Container
Additional References
- http://openwall.com/lists/oss-security/2017/07/20/1
- https://groups.google.com/forum/#%21topic/nix-security-announce/qrDU0KH_ZRk
- https://github.com/NixOS/nixpkgs/issues/27506
References
- http://openwall.com/lists/oss-security/2017/07/20/1
- https://groups.google.com/forum/#%21topic/nix-security-announce/qrDU0KH_ZRk
- https://github.com/NixOS/nixpkgs/issues/27506
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.