[SECURITY] [DLA 79-1] dokuwiki security update

2014-10-29T14:55:35
ID DEBIAN:DLA-79-1:11B99
Type debian
Reporter Debian
Modified 2014-10-29T14:55:35

Description

Package        : dokuwiki
Version        : 0.0.20091225c-10+squeeze3
CVE ID         : CVE-2014-8763 CVE-2014-8764
Debian Bug     : 766545

This fixes a possibility of bypassing the wiki authentication when an Active Directory is used for LDAP authentication. These two CVEs are almost the same, one apparently being a superset of the other. They are fixed together.

CVE-2014-8763

DokuWiki before 2014-05-05b, when using Active Directory for LDAP
authentication, allows remote attackers to bypass authentication via a
password starting with a null (\0) character and a valid user name, which
triggers an unauthenticated bind.

CVE-2014-8764

DokuWiki 2014-05-05a and earlier, when using Active Directory for LDAP
authentication, allows remote attackers to bypass authentication via a
user name and password starting with a null (\0) character, which triggers
an anonymous bind.

--
Tanguy Ortolo <xmpp:tanguy@ortolo.eu>
Debian Developer <irc://irc.oftc.net/Tanguy>
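
The two CVE descriptions above map onto the anonymous and unauthenticated forms of LDAP simple bind (RFC 4513, section 5.1), and the following added example, which is not DokuWiki's code or the Debian patch, shows a pre-bind check that refuses both. It assumes the LDAP client library reads credentials as NUL-terminated C strings, so a value starting with `\0` reaches the server as an empty string; all function names are hypothetical.

```php
<?php
// Added example: models what a C LDAP library sees of a NUL-prefixed
// credential and rejects it before any bind. All names are hypothetical.

/** Assumption: the library stops reading at the first NUL byte. */
function c_string_view(string $s): string
{
    $nul = strpos($s, "\0");
    return $nul === false ? $s : substr($s, 0, $nul);
}

/** Classify the simple bind the server would receive (RFC 4513, 5.1). */
function effective_bind_type(string $user, string $pass): string
{
    $u = c_string_view($user);
    $p = c_string_view($pass);
    if ($p === '') {
        return $u === '' ? 'anonymous' : 'unauthenticated';
    }
    return 'name/password';
}

/** Guard to call before ldap_bind(): allow only a real name/password bind. */
function credentials_allowed(string $user, string $pass): bool
{
    if ($user === '' || $pass === '') {
        return false; // empty values never authenticate anyone
    }
    if (strpos($user, "\0") !== false || strpos($pass, "\0") !== false) {
        return false; // NUL anywhere would be truncated downstream
    }
    return true;
}

// Constructed sample inputs, not taken from any real system.
$cases = [
    ['alice', 'correct horse'],
    ['alice', "\0anything"],   // shape described in CVE-2014-8763
    ["\0x", "\0anything"],     // shape described in CVE-2014-8764
    ['alice', ''],
];
foreach ($cases as [$user, $pass]) {
    printf("%-12s bind=%-15s allowed=%s\n",
        json_encode($user), effective_bind_type($user, $pass),
        credentials_allowed($user, $pass) ? 'yes' : 'no');
}
```

A successful bind result alone does not prove the password was checked, which is why the guard runs before the bind rather than inspecting its return value.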