Date: Mon, 07 Jul 2014 12:56:47 +0200 From: Francesco Chicchiriccò <ilgrosso@...che.org> To: user@...cope.apache.org, dev@...cope.apache.org, announce@...che.org, "security@...che.org" <security@...che.org>, full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com, oss-security@...ts.openwall.com Subject: [SECURITY] CVE-2014-3503 Apache Syncope -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 CVE-2014-3503: Insecure Random implementations used to generate passwords in Apache Syncope Severity: Major Vendor: The Apache Software Foundation Versions Affected: This vulnerability affects all versions of Apache Syncope 1.1.x prior to 1.1.8 'Ad libitum'. The 1.0.x releases are not affected. Description: A password is generated for a user in Apache Syncope under certain circumstances, when no existing password is found. However, the password generation code is relying on insecure Random implementations, which means that an attacker could attempt to guess a generated password. This has been fixed in revision: http://svn.apache.org/viewvc?view=revision&revision=1596537 Migration: Syncope 1.0.x users are not affected by this issue. Syncope 1.1.x users should upgrade to 1.1.8 'Ad libitum' as soon as possible. References: http://syncope.apache.org/security.html -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQEcBAEBAgAGBQJTunsUAAoJEGe/gLEK1TmDj4AH/05J9ZOB/gyem18F9MTcG+PB tuX7EGemHCU+fyKeTetyGdhzZzdNquMA3mR4UXOEKH1Fok4LvkBWF+BoKMSY8DgY vtWcZUfdJFeUd1XpdUrW0D/GEbbIdmijkbVoAZ3703RMpRiDBiVBkaBr/tjC6tuf WUoBueRmNTkInBQhabaNYXvC0vyPA5ARhu1CprJ5QpA3aFoIEaVdlJTd+Mg58vJS tlwoyGIUEUY/pusBKaZDkTVAJhrOS9b5atjlqCPlT3kGUbQOYgRPPTihX+0CMIY2 JE4yUXR8Kx6tvgebtft2IoUp6oZdR+XqHnEe3Tv1UnSRmlHj6o+tTCBDMmm1YOY= =o17e -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ