From announce-return-4672-archive-asf-public=cust-asf.ponee.io@apache.org  Tue Jul 10 12:14:14 2018
Return-Path: <announce-return-4672-archive-asf-public=cust-asf.ponee.io@apache.org>
X-Original-To: archive-asf-public@cust-asf.ponee.io
Delivered-To: archive-asf-public@cust-asf.ponee.io
Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
	by mx-eu-01.ponee.io (Postfix) with SMTP id 9E8B3180634
	for <archive-asf-public@cust-asf.ponee.io>; Tue, 10 Jul 2018 12:14:13 +0200 (CEST)
Received: (qmail 81972 invoked by uid 500); 10 Jul 2018 10:14:10 -0000
Mailing-List: contact announce-help@apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:announce-help@apache.org>
List-Unsubscribe: <mailto:announce-unsubscribe@apache.org>
List-Post: <mailto:announce@apache.org>
List-Id: <announce.apache.org>
Delivered-To: mailing list announce@apache.org
Delivered-To: moderator for announce@apache.org
Received: (qmail 81821 invoked by uid 99); 10 Jul 2018 10:13:32 -0000
X-Gm-Message-State: APt69E00Lrilqkp0aRO7ixiDGE8TW8tQnmZgoNiBXzNeuNYNYxo/MkTB
	5WbPDxXssTj/ILdCw958FJ9xislbZjP6NXh/SVU=
X-Google-Smtp-Source: AAOMgpdThzzkwqj8b4y7DSFH6vsLIH5vR1g+nDLSIcWF6xUQfqy59ESe6H5HzUp2+KHeNBDSVGX5+Qs29MeKFMxCxS8=
X-Received: by 2002:a6b:680c:: with SMTP id d12-v6mr19592609ioc.293.1531217610801;
 Tue, 10 Jul 2018 03:13:30 -0700 (PDT)
MIME-Version: 1.0
Reply-To: elecharny@apache.org
From: Emmanuel Lecharny <elecharny@apache.org>
Date: Tue, 10 Jul 2018 12:13:30 +0200
X-Gmail-Original-Message-ID: <CAG8=FRgsDuDkVhUjRHvq9mwvxjcMD3eL2nWhyFDMymd4D=z5nA@mail.gmail.com>
Message-ID: <CAG8=FRgsDuDkVhUjRHvq9mwvxjcMD3eL2nWhyFDMymd4D=z5nA@mail.gmail.com>
Subject: [Annoucement] CVE-2018-1337 Plaintext Password Disclosure in Secured Channel
To: announce@apache.org
Content-Type: multipart/alternative; boundary="000000000000c40a520570a261f7"

--000000000000c40a520570a261f7
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

CVE-2018-1337: Plaintext Password Disclosure in Secured Channel

Severity: Critical

Vendor: The Apache Software Foundation

Versions Affected:
Apache LDAP API 1.0.0

Description:
A bug in the way the SSL Filter was setup made it possible for
another thread to use the connection before the TLS layer has been
established, if the connection has already been used and put back
in a pool of connections, leading to leaking any informations
contained in this request (including the credentials when sending
a BIND request)

Mitigation:

Users are urged to use this 1.0.2 version ASAP [1]. There is no impact
in their application, the API remains unchanged.

The previous version (LDAP API 1.0.1) was a workaround for this
problem.

History:
2018-05-15 Original advisory

Credit:
This issue has been reported by Wei Deng (Datastax), the initial
workaround was proposed by Mike Adamson (Datastax) and the further
investigations/tests/verification were conducted by Wei Deng,
Mike Adamson, Jeremiah Kordan (Datastax) and Ben Coverston (Datastax).

Reference:
[1] http://directory.apache.org/api/downloads.html

--=20
Regards,
Cordialement,
Emmanuel L=C3=A9charnywww.iktek.com



--=20
Regards,
Cordialement,
Emmanuel L=C3=A9charny
www.iktek.com

--000000000000c40a520570a261f7
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><pre>CVE-2018-1337: Plaintext Password Disclosure in Secur=
ed Channel

Severity: Critical

Vendor: The Apache Software Foundation

Versions Affected:
Apache LDAP API 1.0.0

Description:
A bug in the way the SSL Filter was setup made it possible for
another thread to use the connection before the TLS layer has been
established, if the connection has already been used and put back
in a pool of connections, leading to leaking any informations
contained in this request (including the credentials when sending
a BIND request)

Mitigation:

Users are urged to use this 1.0.2 version ASAP [1]. There is no impact
in their application, the API remains unchanged.

The previous version (LDAP API 1.0.1) was a workaround for this
problem.

History:
2018-05-15 Original advisory

Credit:
This issue has been reported by Wei Deng (Datastax), the initial
workaround was proposed by Mike Adamson (Datastax) and the further
investigations/tests/verification were conducted by Wei Deng,
Mike Adamson, Jeremiah Kordan (Datastax) and Ben Coverston (Datastax).

Reference: <br>[1] <a href=3D"http://directory.apache.org/api/downloads.htm=
l">http://directory.apache.org/api/downloads.html</a><br>=C2=A0<div class=
=3D"gmail-moz-txt-sig">--=20
Regards,
Cordialement,
Emmanuel L=C3=A9charny
<a class=3D"gmail-moz-txt-link-abbreviated" href=3D"http://www.iktek.com">w=
ww.iktek.com</a>

</div></pre><br clear=3D"all"><br>-- <br><div class=3D"gmail_signature">Reg=
ards,<br>Cordialement,<br>Emmanuel L=C3=A9charny<br><a href=3D"http://www.i=
ktek.com" target=3D"_blank">www.iktek.com</a></div>
</div>

--000000000000c40a520570a261f7--