svn rev #25514: branches/krb5-1-8/src/plugins/kdb/ldap/libkdb_ldap/
tlyu@MIT.EDU
tlyu at MIT.EDU
Mon Dec 5 17:29:06 EST 2011
http://src.mit.edu/fisheye/changelog/krb5/?cs=25514
Commit By: tlyu
Log Message:
ticket: 7041
subject: Fix failure interval of 0 in LDAP lockout code
version_fixed: 1.8.6
status: resolved
pull up r25480 from trunk, minus a non-applying manpage patch
------------------------------------------------------------------------
r25480 | ghudson | 2011-11-20 00:19:45 -0500 (Sun, 20 Nov 2011) | 13 lines
ticket: 7021
subject: Fix failure interval of 0 in LDAP lockout code
target_version: 1.10
tags: pullup
A failure count interval of 0 caused krb5_ldap_lockout_check_policy to
pass the lockout check (but didn't cause a reset of the failure count
in krb5_ldap_lockout_audit). It should be treated as forever, as in
the DB2 back end.
This bug is the previously unknown cause of the assertion failure
fixed in CVE-2011-1528.
Changed Files:
U branches/krb5-1-8/src/plugins/kdb/ldap/libkdb_ldap/lockout.c
Modified: branches/krb5-1-8/src/plugins/kdb/ldap/libkdb_ldap/lockout.c
===================================================================
--- branches/krb5-1-8/src/plugins/kdb/ldap/libkdb_ldap/lockout.c 2011-12-05 21:38:44 UTC (rev 25513)
+++ branches/krb5-1-8/src/plugins/kdb/ldap/libkdb_ldap/lockout.c 2011-12-05 22:29:06 UTC (rev 25514)
@@ -120,7 +120,7 @@
code = lookup_lockout_policy(context, entry, &max_fail,
&failcnt_interval,
&lockout_duration);
- if (code != 0 || failcnt_interval == 0)
+ if (code != 0)
return code;
if (locked_check_p(context, stamp, max_fail, lockout_duration, entry))
More information about the cvs-krb5
mailing list