Commit 3de52af

Document brute-force protection for LDAP user binds
Added a section on brute-force protection for LDAP user binds, detailing improvements and thanking contributors.
1 parent 4572910 commit 3de52af

1 file changed

Lines changed: 10 additions & 0 deletions

docs/release-notes/17-6-0/README.md

@@ -155,6 +155,16 @@ This follows the APIv3 standards, and also fixes a bug related to the self link.
155155
<!-- END SECURITY FIXES AUTOMATED SECTION -->
156156
<!--more-->
157157

158+
### Brute-force protection for LDAP user binds
159+
160+
Resulting from a [security advisory report](https://github.com/opf/openproject/security/advisories/GHSA-vhfq-8mwf-g79w), we have improved how user binds are being protected against brute force inside OpenProject.
161+
While we expect production AD systems to perform their own brute force protections, administrators of OpenProject might be confused as the login with an LDAP user bind is transparent, and they might expect our brute force protection settings to apply.
162+
163+
OpenProject 17.6 implements a Rack::Attack throttle rule for internal login mechanisms, also protecting LDAP binds specifically.
164+
We'd like to thank the contributors of this report, [@GEONWOOHAN](https://github.com/GEONWOOHAN), [@QwQP0](https://github.com/QwQP0), [@minnnjuuu](https://github.com/minnnjuuu), and [@dkstjwls06](https://github.com/dkstjwls06)
165+
166+
167+
158168
## Bug fixes and changes
159169

160170
<!-- Warning: Anything within the below lines will be automatically removed by the release script -->
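Review bot: the new section should say what the throttle actually does and whether it is configurable. Line 163 states that a Rack::Attack throttle rule now covers LDAP binds but gives no limit, window or setting name, and the preceding sentence ("they might expect our brute force protection settings to apply") leaves the reader unsure whether the existing settings now govern LDAP binds or a separate fixed rule was added; a one-line pointer to the relevant configuration documentation would resolve that. Smaller points: line 161 says "production AD systems" while the heading and the rest of the section are about LDAP in general, so "directory servers such as Active Directory" would be more accurate; "how user binds are being protected" reads better as "how user binds are protected"; "brute force" is hyphenated in the heading but not in the body; the thank-you sentence on line 164 is missing its terminal period; and the doubled blank lines added at 159, 162 and 165-167 could be collapsed to one.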
