The other day I wrote about a security fix that Apple put into Mac OS X Server. Basically, Apple removed a checkbox that said “Require Authenticated Binding between Clients and Server”. The original bug was that you couldn’t turn off anonymous LDAP binding, which is a security risk if your LDAP server is exposed to the Internet or hackers are on your LAN. Apple’s fix effectively removes the illusion of security, as anonymous LDAP binding is still permitted. I’ve re-opened the bug, as Apple’s fix is not acceptable from a security point of view.
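If you run an Open Directory server and want to see for yourself whether it still accepts anonymous binds, the check below is an added example of mine, not something from the original post or from Apple. It assumes the OpenLDAP client tool `ldapsearch` is installed and that you pass your own server URL (the `ldap://...` form in the usage comment is just an example). It performs an anonymous simple bind (`-x` with no `-D`/`-w`) and reads the rootDSE, then interprets the exit status: `ldapsearch` exits with the LDAP result code, so 0 means the anonymous bind was accepted and 48 (`inappropriateAuthentication`) means the server refused it, which is what an OpenLDAP `slapd` returns when `disallow bind_anon` is configured.

```shell
#!/bin/sh
# Added example (not from the original post): test whether an LDAP server
# accepts anonymous simple binds, i.e. the very condition the post says
# cannot be turned off on Mac OS X Server.
# Assumes the OpenLDAP `ldapsearch` client is installed.
# Usage: ./ldap_anon_check.sh ldap://od.example.com   (example URL, not from the post)

# Map ldapsearch's exit status (the LDAP result code) to a verdict.
#   0  = success: the anonymous bind and rootDSE read went through
#   48 = inappropriateAuthentication: slapd refused the anonymous bind
#        (the response you get from OpenLDAP with `disallow bind_anon`)
#   anything else = inconclusive (host unreachable, TLS failure, ...)
classify_anon_bind() {
    case "$1" in
        0)  echo "ANONYMOUS-BIND-ALLOWED" ;;
        48) echo "ANONYMOUS-BIND-REFUSED" ;;
        *)  echo "INCONCLUSIVE(rc=$1)" ;;
    esac
}

# Anonymous simple bind (-x, no -D/-w) followed by a base-scope read of
# the rootDSE; a server that permits anonymous binds answers this happily.
check_anon_bind() {
    url="$1"
    rc=0
    ldapsearch -x -H "$url" -b "" -s base '(objectClass=*)' namingContexts \
        >/dev/null 2>&1 || rc=$?
    classify_anon_bind "$rc"
}

# Run the check when a server URL is given on the command line.
if [ -n "$1" ]; then
    check_anon_bind "$1"
fi
```

If the script prints `ANONYMOUS-BIND-ALLOWED` from a host you do not trust (a machine on the LAN, or the Internet if the server is exposed), the problem described above still applies regardless of what the Server Admin UI shows. On a stock OpenLDAP `slapd` the directive that actually refuses anonymous binds is `disallow bind_anon` in `slapd.conf`; whether that setting is safe to flip on an Open Directory server depends on which of Apple's own services rely on anonymous reads, which the post does not cover, so test it before relying on it.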
I’m a bit disappointed with this fix, as it took almost 2 years to remove a checkbox, which doesn’t even come close to fixing the problem. Nice job, Apple!