Closed satleeixn closed 5 years ago
Since it seems unclear what problems the bug (1.) causes, what problems a bug-fix will cause and whether a bug-fix is worth the effort, maybe make a branch of the project where you quick-fix the bug.
[pw-pbkdf2.c: new line 70: for(;*p;p++){ ]
Remind users that this branch requires corrected hashes (in hashes using the PBKDF2 schemes, all '+' chars must be replaced by '.' chars).
New OpenLDAP instances can then start without the bug.
And (test-)users can decide whether the bug-fix is worth the effort.
Once you get enough feedback from users, you can then decide how to fix the problem in the master branch.
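The migration the comment above asks for (rewrite every '+' in a stored PBKDF2 hash to '.', and nothing else) is small enough to show end to end. The script below is an added example, not code from the openldap-pbkdf2 project or from anyone in this thread. It assumes the stored form is `{PBKDF2-<DIGEST>}<iterations>$<salt>$<dk>` with both fields base64-encoded without padding, that a missing digest means SHA1, and that the only difference between a pre-fix hash and a corrected one is the '+' versus '.' alphabet; all of that is an assumption here, not something the thread states. `make_hash(..., fixed=False)` reproduces the pre-fix alphabet only so the migration can be exercised offline.

```python
import base64
import hashlib
import hmac
import re

# Assumed stored form: {PBKDF2-SHA256}<iterations>$<salt>$<dk>  (digest suffix optional).
SCHEME_RE = re.compile(r"^\{PBKDF2(?:-(SHA1|SHA256|SHA512))?\}(\d+)\$([^$]+)\$([^$]+)$")


def _encode(raw: bytes, fixed: bool = True) -> str:
    """Unpadded base64. fixed=True emits the corrected alphabet ('.' for '+');
    fixed=False emits the pre-fix alphabet ('+'), used only for test data."""
    s = base64.b64encode(raw).decode().rstrip("=")
    return s.replace("+", ".") if fixed else s


def _decode(field: str) -> bytes:
    """Accept both alphabets so old and corrected hashes verify; restore padding."""
    std = field.replace(".", "+")
    return base64.b64decode(std + "=" * (-len(std) % 4))


def migrate_hash(stored: str) -> str:
    """Rewrite one userPassword value for the fixed plugin.

    Only PBKDF2-scheme values are touched: every '+' in the salt and derived-key
    fields becomes '.'. Other schemes ({SSHA}, {CRYPT}, cleartext) are returned
    unchanged, so this can run over a whole LDIF dump.
    """
    m = SCHEME_RE.match(stored)
    if not m:
        return stored
    digest, iters, salt, dk = m.groups()
    prefix = "{PBKDF2" + (f"-{digest}" if digest else "") + "}"
    return f"{prefix}{iters}${salt.replace('+', '.')}${dk.replace('+', '.')}"


def make_hash(password: str, salt: bytes, iterations: int = 10000,
              digest: str = "SHA256", fixed: bool = True) -> str:
    """Produce a stored value in the assumed format (see lead-in)."""
    dk = hashlib.pbkdf2_hmac(digest.lower(), password.encode(), salt, iterations)
    return f"{{PBKDF2-{digest}}}{iterations}${_encode(salt, fixed)}${_encode(dk, fixed)}"


def verify(password: str, stored: str) -> bool:
    """Check a password against either a pre-fix or a corrected PBKDF2 value."""
    m = SCHEME_RE.match(stored)
    if not m:
        raise ValueError("not a PBKDF2 value")
    digest, iters, salt, dk = m.groups()
    expected = _decode(dk)
    got = hashlib.pbkdf2_hmac((digest or "SHA1").lower(), password.encode(),
                              _decode(salt), int(iters), len(expected))
    return hmac.compare_digest(got, expected)


if __name__ == "__main__":
    # Constructed salt: its standard base64 is "++++++++", so the old alphabet shows up.
    legacy = make_hash("correct horse", b"\xfb\xef\xbe" * 2, 1000, fixed=False)
    print(legacy)
    print(migrate_hash(legacy))
```

Run the migration once over an LDIF export, write the rewritten values back, and only then switch to the fixed branch; `verify` accepting both alphabets lets a test instance check that nothing was lost in the rewrite.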
@satleeixn Could you make a PR? I just created the issue12 branch. Thanks.
@hamano Sorry, I'm not a security researcher. I'm just a developer with a deadline. Maybe you should ask the people from the OpenLDAP project for help. In case you do not have much experience with making and fixing errors, here are some more suggestions for what you can do:
We tested the plugin with the one-line fix above. So far we have no problems:
All in all, the issue seems to be mostly harmless, if not cosmetic.
I'm sorry for the late response. Just merged the upstream patch. Many thanks.