Candidate: CVE-2017-14623
PublicDate: 2017-09-20 23:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14623
 https://github.com/go-ldap/ldap/pull/126
 https://github.com/go-ldap/ldap/commit/95ede1266b237bf8e9aa5dce0b3250e51bfefe66
Description:
 In the ldap.v2 (aka go-ldap) package through 2.5.0 for Go, an attacker may be able to log in with an empty password. This issue affects an application using this package if these conditions are met: (1) it relies only on the return error of the Bind function call to determine whether a user is authorized (i.e., a nil return value is interpreted as successful authorization) and (2) it is used with an LDAP server allowing unauthenticated bind.
Ubuntu-Description:
Notes:
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=876404
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H [8.1 HIGH]

Patches_golang-github-go-ldap-ldap:
upstream_golang-github-go-ldap-ldap: released (2.5.1-1)
precise/esm_golang-github-go-ldap-ldap: DNE
trusty_golang-github-go-ldap-ldap: DNE
trusty/esm_golang-github-go-ldap-ldap: DNE
vivid/ubuntu-core_golang-github-go-ldap-ldap: DNE
xenial_golang-github-go-ldap-ldap: ignored (end of standard support, was needed)
zesty_golang-github-go-ldap-ldap: ignored (reached end-of-life)
artful_golang-github-go-ldap-ldap: ignored (reached end-of-life)
bionic_golang-github-go-ldap-ldap: not-affected (2.5.1-4)
cosmic_golang-github-go-ldap-ldap: not-affected (2.5.1-4)
disco_golang-github-go-ldap-ldap: not-affected (2.5.1-4)
eoan_golang-github-go-ldap-ldap: not-affected (2.5.1-4)
focal_golang-github-go-ldap-ldap: not-affected (2.5.1-4)
groovy_golang-github-go-ldap-ldap: not-affected (2.5.1-4)
hirsute_golang-github-go-ldap-ldap: not-affected (2.5.1-4)
impish_golang-github-go-ldap-ldap: not-affected (2.5.1-4)
jammy_golang-github-go-ldap-ldap: not-affected (2.5.1-4)
devel_golang-github-go-ldap-ldap: not-affected (2.5.1-4)