cschiewek / devise_ldap_authenticatable

Devise Module for LDAP
MIT License
593 stars, 359 forks

Security vulnerability with net_ldap < 0.60 #205

Closed (tobioboye closed this issue 9 years ago)

tobioboye commented 9 years ago

The vulnerability scanner database has a vulnerability entry for net_ldap < 0.60; the salt value used for passwords seems to be too weak [1].

There's a patch available with net_ldap >= 0.60 but devise_ldap_authenticatable seems to currently support net_ldap < 0.60. Are there any plans to upgrade the net_ldap version?

[1] https://github.com/rubysec/ruby-advisory-db/blob/master/gems/net-ldap/OSVDB-106108.yml

Thanks, Tobi
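The advisory above is about the salt used when net-ldap builds a salted password hash. As an added illustration of what a properly salted `{SSHA}` value looks like (this is example code, not code from net-ldap or devise_ldap_authenticatable), the following Ruby builds and verifies an RFC 2307 style `{SSHA}` hash with a salt drawn from `SecureRandom`; the 16-byte salt length is an assumption for the example. The `ssha_salt` helper exists so a reviewer can confirm that stored values carry a salt of the expected length and that it changes from hash to hash.

```ruby
require 'digest'
require 'base64'
require 'securerandom'

# Assumed salt length for this example; a CSPRNG is the important part.
SALT_BYTES = 16

# Build an RFC 2307 style value: "{SSHA}" + base64( SHA1(password || salt) || salt ).
# The salt comes from SecureRandom (a CSPRNG), never from a predictable source.
def generate_ssha(password, salt = SecureRandom.random_bytes(SALT_BYTES))
  digest = Digest::SHA1.digest(password.b + salt.b)
  '{SSHA}' + Base64.strict_encode64(digest + salt.b)
end

# Recover the salt stored after the 20-byte SHA-1 digest (nil if malformed).
def ssha_salt(stored)
  return nil unless stored.start_with?('{SSHA}')
  blob = Base64.strict_decode64(stored.delete_prefix('{SSHA}'))
  return nil if blob.bytesize <= 20
  blob.byteslice(20..-1)
rescue ArgumentError
  nil
end

# Verify a password against a stored {SSHA} value by recomputing the digest
# over password || salt and comparing in constant time.
def verify_ssha(password, stored)
  salt = ssha_salt(stored)
  return false if salt.nil?
  blob = Base64.strict_decode64(stored.delete_prefix('{SSHA}'))
  expected = blob.byteslice(0, 20)
  candidate = Digest::SHA1.digest(password.b + salt)
  return false unless expected.bytesize == candidate.bytesize
  expected.bytes.zip(candidate.bytes).reduce(0) { |acc, (a, b)| acc | (a ^ b) }.zero?
end

if __FILE__ == $PROGRAM_NAME
  stored = generate_ssha('correct horse battery staple') # constructed sample password
  puts stored
  puts "salt bytes: #{ssha_salt(stored).bytesize}"
  puts "verify ok:  #{verify_ssha('correct horse battery staple', stored)}"
  puts "verify bad: #{verify_ssha('wrong password', stored)}"
end
```

Two properties are worth checking in any deployment: each call to `generate_ssha` yields a different salt (so identical passwords do not share a hash), and the salt recovered from a stored value has the full expected length.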

skaasten commented 9 years ago

See #206

cschiewek commented 9 years ago

Dupe and resolved.