21 Apr 2026, 7:59 p.m.
Hi Aki,
thanks for the fast response!
On 2026-04-21 13:46:49, Aki Tuomi via dovecot wrote:
> For one, it's documented:
> https://doc.dovecot.org/2.4.3/core/config/auth/databases/ldap.html#ldap_base
> this is to avoid LDAP injection attack on authentication, CVE-2026-27860
> But you're right, it should've been in the 2.4.x page.
Ah, I missed checking ldap_base and only checked the *_filter directives' docs. Maybe add that "| safe" note for the *_filter directives too?
Best regards,
Patrick Cernko <pcernko@mpi-klsb.mpg.de> +49 681 9325 5815
Joint Scientific IT and Technical Service
Max-Planck-Institute für Informatik & Softwaresysteme