diff --git a/CHANGES.rst b/CHANGES.rst index 371f26eb6e..1ce58632b8 100644 --- a/CHANGES.rst +++ b/CHANGES.rst @@ -1,3 +1,16 @@ +Changes in synapse v0.18.3 (2016-11-08) +======================================= + +SECURITY UPDATE + +Explicitly require authentication when using LDAP3. This is the default on +versions of ``ldap3`` above 1.0, but some distributions will package an older +version. + +If you are using LDAP3 login and have a version of ``ldap3`` older than 1.0 it +is **CRITICAL to updgrade**. + + Changes in synapse v0.18.2 (2016-11-01) ======================================= diff --git a/synapse/__init__.py b/synapse/__init__.py index 4e2a592d3d..d366b69dab 100644 --- a/synapse/__init__.py +++ b/synapse/__init__.py @@ -16,4 +16,4 @@ """ This is a reference implementation of a Matrix home server. """ -__version__ = "0.18.2" +__version__ = "0.18.3" diff --git a/synapse/util/ldap_auth_provider.py b/synapse/util/ldap_auth_provider.py index f852e9b037..1b989248fb 100644 --- a/synapse/util/ldap_auth_provider.py +++ b/synapse/util/ldap_auth_provider.py @@ -236,7 +236,8 @@ class LdapAuthProvider(object): value=localpart, base=self.ldap_base ) - conn = ldap3.Connection(server, bind_dn, password) + conn = ldap3.Connection(server, bind_dn, password, + authentication=ldap3.AUTH_SIMPLE) logger.debug( "Established LDAP connection in simple bind mode: %s", conn