pali pushed to cherokee (f21). "Resolves bz 1114461 - CVE-2014-4668 cherokee: authentication bypass when LDAP server allows unauthenticated binds (..more)"

notifications at fedoraproject.org
Wed Apr 15 14:21:09 UTC 2015


From 0a919b50cf5387f559abcad605851fcbb36da91a Mon Sep 17 00:00:00 2001
From: Pavel Lisý <pali at fedoraproject.org>
Date: Wed, 15 Apr 2015 16:08:22 +0200
Subject: Resolves bz 1114461 - CVE-2014-4668 cherokee: authentication bypass
 when LDAP server allows unauthenticated binds

- Resolves bz 1094901 - cherokee: script and/or trigger should not directly enable systemd units
- Resolves bz  959170 - cherokee-worker and cherokee-admin want to use execstack (EL5)

diff --git a/cherokee-1.2.103_CVE-2014-4668.patch b/cherokee-1.2.103_CVE-2014-4668.patch
new file mode 100644
index 0000000..06329b7
--- /dev/null
+++ b/cherokee-1.2.103_CVE-2014-4668.patch
@@ -0,0 +1,13 @@
+diff -uNr cherokee-1.2.103.orig/cherokee/validator_ldap.c cherokee-1.2.103/cherokee/validator_ldap.c
+--- cherokee-1.2.103.orig/cherokee/validator_ldap.c	2013-04-26 19:59:11.000000000 +0200
++++ cherokee-1.2.103/cherokee/validator_ldap.c	2015-04-15 07:57:29.828878580 +0200
+@@ -331,7 +331,8 @@
+ 	/* Sanity checks
+ 	 */
+ 	if ((conn->validator == NULL) ||
+-	    cherokee_buffer_is_empty (&conn->validator->user))
++	    cherokee_buffer_is_empty (&conn->validator->user) ||
++	    cherokee_buffer_is_empty (&conn->validator->passwd))
+ 		return ret_error;
+ 
+ 	size = cherokee_buffer_cnt_cspn (&conn->validator->user, 0, "*()");
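Review bot: the added `cherokee_buffer_is_empty (&conn->validator->passwd)` condition sits in the right place, before any bind is attempted: with an empty password, a server configured to allow unauthenticated binds would answer the bind with success, so the validator itself has to refuse the request. Returning the same `ret_error` as the existing empty-user branch also keeps the client-visible outcome identical for the two failure cases. What is missing is a comment explaining why the third condition exists; the `/* Sanity checks */` header gives no hint that it is a security check rather than an input-validity check, so a short note referencing CVE-2014-4668 above that block would prevent it from being "simplified" away in a later cleanup.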
-- 
cgit v0.10.2


	http://pkgs.fedoraproject.org/cgit/cherokee.git/commit/?h=f21&id=0a919b50cf5387f559abcad605851fcbb36da91a

