Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Sat, 18 May 2013 01:21:20 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: Russ Allbery <rra@...ian.org>
CC: oss-security@...ts.openwall.com, Salvatore Bonaccorso <carnil@...ian.org>
Subject: Re: CVE Request: WebAuth: Authentication credential
 disclosure

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 05/18/2013 01:15 AM, Russ Allbery wrote:
> Kurt Seifried <kseifried@...hat.com> writes:
> 
>> I did a Google search, there appear to be other 
>> universities/organizations using WebAuth, was the vulnerable
>> version made generally available (e.g. on an ftp site or
>> whatever?).
> 
> Yes, via http://webauth.stanford.edu/ as well as via my personal
> web site. I did issue an advisory (to
> webauth-announce@...ts.stanford.edu).  There were six announced
> (distributed, tagged, etc.) releases that had this vulnerability.
> 
> WebAuth is moderately well-used; it's not as popular as some of the
> other web single sign-on systems, but it's been distributed with
> Debian and Ubuntu for quite a while and I know a fair number of
> sites that use it.
> 
> The time interval between the broken and fixed version was
> relatively short (four months -- we're in the middle of a heavy
> development cycle) and the flaw was only in the central server
> component (which you only run one of within any given organization
> and tend to be conservative about upgrading) as opposed to the
> Apache modules that are installed everywhere, so it's possible that
> no one who met the fairly specific conditions required to trigger
> the bug ever deployed it, but I don't have a way of knowing that
> for certain.

Yeah in this case I'm definitely going count a 4 month window as "made
available" =). Please use CVE-2013-2106 for this issue. With any luck
now all the standard scanners like Nessus will add a test and anyone
vulnerable will find out asap.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJRlyvwAAoJEBYNRVNeJnmTIIYQAJH3+2OJqVLC8X5LL1STdUY8
wWiUIEZRdobtXv1aha4JpUY6GQQAThgyWmGnTBvagGEWAo+Q2hsVZCTjaQ8vLaBn
/KbE1qnGDCNtx1+xBKulQ+XOioNS0HuFEdxX0Iw3Rei6XC/87qj1HWzTBhFHWr7s
HzOFFh/JshKnyDpuuvOwELYlNOnV6gJ3mjafootbSZWhN+bkcg5IExrDGu4JJmIy
p0XQOprjaLdQsi2r/USfZqrSrYVEGoD9eTVJ6X+4oTgC0SKzr0XuU9OO+o3JaRSt
Phxqp30vvIRRlezNJ003VXK0AbotWLQ5omdsZNgiLI+PO7vQ/nfEC/vJWPVn4jmj
kqqObjcQk774NYLf/G4yv14cykXf5c+i/HjrEEj8NwjC3M69OJRb6iwWEbq8EPNz
Nrqrej6rvHmsoQ0MCZp/7tXorYnG/LcfDziDcJolpT4Gw/FSVsVdhILwm5hLeUAl
p43236i/e1HNl9sUg1X7GLvPNTZJDQ0bopFr8MSyKJCjCIsMGWOJVDlU8R2LQ3I8
PXkaFQjdTjku1kReA2jp/IahGucxc538bjuvY/pH6iq0+k+yHn6tNQcUw+Y4S6nC
p68WZ6JYYJ5GBRdjRnW/b609SQTnbe20Nk1M/8yA4XS7pYbbiA/g5XBm4HVQ2gzx
cPwj8FpvdVlrYHeVGvSO
=VBZj
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.