Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sun, 11 Oct 2015 14:04:57 -0400 (EDT)
From: cve-assign@...re.org
To: huzaifas@...hat.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE Request: squid: Nonce replay vulnerability in Digest authentication

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> Upstream fixed a security issue in digest_authentication
> 
> allow disabled user or users with changed password to access the squid
> service with old credentials.
> 
> http://bazaar.launchpad.net/~squid/squid/3.4/revision/13211
> http://bazaar.launchpad.net/~squid/squid/3.5/revision/13735
> http://bugs.squid-cache.org/show_bug.cgi?id=4066

As far as we can tell, there is only one vulnerability -- it is
associated with http://bugs.squid-cache.org/show_bug.cgi?id=4066#c3

Use CVE-2014-9749.

We aren't currently providing any statement about the
affected versions for this vulnerability. It is possible that
http://bugs.squid-cache.org/show_bug.cgi?id=4066#c7 implies
that 3.5.x wasn't ever vulnerable, but that the 3.5.x code was replaced
anyway because it had used too slow of an approach to
preventing the vulnerability.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJWGqM8AAoJEL54rhJi8gl56YIQAKJDgc+1QONtR6ZCRQ2A2ggw
HAGFBHlouBm0EQjjqegGvrzDvgaYI3T6sjGIpP+raH1vv4sV04oVr+hL9t4D6r9j
injVtZoS6dT2BstB7aaTNusBA3FBQv972x7r89bIxLN3tZluZYIYH8BSUA7LN4om
7w69gFkuPArOC4dT4iSTmKKOBpLBOrgQNdxk3vPGYQ0GSmpPuGLD/kdBu8+y4zJZ
KadGePTQcnk7zk4oXLyAfHSxAhKKAMQzpqdxbqxGTWYGl0q42t/iRwwdC5KJ9zaH
3ZuYz7eRRJSa/VXZ44oE69HxnXvnvgEcN+z+AaR+pZHQKI5keXNEG/gL1+WfVlCO
RgOMU/Fee8ZNaLcuFJzJPLGwASN4IVr0aJ9d0E9KxkO0OwfQf/XBsj8I3h0M9ByL
8zRIf5JR48pOC2v2Ucw9gt8jLG1hPkU1NxRorMsHI0HiaDHMwoZ3Jt7XaQ4NdPob
BJA3KQgGmn+AL2xGNKwY+F5lyKgT63KtF0nBnlk1qellOz7KmGnfO7ZzZ3cNPpl8
YIUfUE2cT259ZiPeciPmmrHdGmmgUKisnBPSDH/0g0KP3m6TQaQDjY+aTMDsasDo
ZGvyxOkwBMd4eio03DILBFc6Wfazh4fH2vRofAO55TTWxWErA6vMuLOCF2PXfKer
YXFt+CdXo1f72pKmM54K
=BHmq
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ