Comment 25 for bug 1688137

Jeremy Stanley (fungi) wrote : Re: PCI-DSS account lock out DoS and account UUID lookup oracle

It looks like the change which merged to master last week addresses potential vulnerabilities #2 and #3 from comment #22. Is there any chance for that to be backported to supported stable branches?

As for potential vulnerability #1, I don't really see a viable way to address that; it's the intent of the feature that too many failed logins lock the account. If a deployment considers that feature problematic, they should disable it.