Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Tue, 13 Oct 2015 03:05:28 +1300
From: Amos Jeffries <squid3@...enet.co.nz>
To: oss-security@...ts.openwall.com
Subject: Re: Re: CVE Request: squid: Nonce replay vulnerability
 in Digest authentication

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 12/10/2015 7:04 a.m., cve-assign@...re.org wrote:
>> Upstream fixed a security issue in digest_authentication
> 
>> allow disabled user or users with changed password to access the 
>> squid service with old credentials.
> 
>> http://bazaar.launchpad.net/~squid/squid/3.4/revision/13211 
>> http://bazaar.launchpad.net/~squid/squid/3.5/revision/13735 
>> http://bugs.squid-cache.org/show_bug.cgi?id=4066
> 
> As far as we can tell, there is only one vulnerability -- it is 
> associated with 
> http://bugs.squid-cache.org/show_bug.cgi?id=4066#c3
> 
> Use CVE-2014-9749.
> 
> We aren't currently providing any statement about the affected 
> versions for this vulnerability. It is possible that 
> http://bugs.squid-cache.org/show_bug.cgi?id=4066#c7 implies that 
> 3.5.x wasn't ever vulnerable, but that the 3.5.x code was replaced
>  anyway because it had used too slow of an approach to preventing 
> the vulnerability.
> 
> 

3.5 had the same issue before patching. But additional
fix was required for a secondary bug found once the main issue was
patched.

The released versions I am currently aware of having this issue are:
 3.4.4 -> 3.4.11 inclusive
 3.5.0.1 -> 3.5.1 inclusive

versions older than 3.4.4 have not been investigated yet to my knowledge
.

Amos
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)

iQIcBAEBAgAGBQJWG74oAAoJEGvSOzfXE+nL8UkP/2OTwe7gan2vyikTgEitEXaV
sNK6ardED+2cEoyeg0+bQMuOyNzRezH19KSTUpkWQhufABbgOoYvj0oGRAofCWeL
uQNs1TWNuZsV9kyaZxtV/O7wvmP3RijxRBE9SFb8wNGF5I7lZltTaP18SCRFgV3j
WX5rAhJ+HVbt78dAcwZ75rW/maThk3Q7371cMpLNbrj8pGS5FRb088fmViJpJb2i
7lqbi2Q1yt4C9LLrWL82Ran692U2KJThTIHFvpS44cfdBsjeXfmUPVnpFYcb9KrK
Jow+xTvE+CFpHEDxwCZ813FDs/fXDihk1do3frEsKAJeVspcrkHAJu2nIG1sEsot
tvOVG/4tL1yeblLthHiwxu2ooobvXo8FAhlzwHdPfdhpwLGMQeSZ9V27BVTnq5XN
YpgXBGw60GxjNC2+OBl5zoNu04YykbSXpVLm7UgI3oiQaNcihpWw5SKZ26Ek6CX2
iWnskSYr+sfA1tw2wCAFb8lWRwJg3FlRFUe3oz9mu5jHXhUBE3yhNBKW0QG1gmaZ
GijAuTIgZo9BCeZFzgXDqIEbbWTP5p4o6FeavDPHVBl2po0Pi0yyWEP4temv4IeX
VK4A2jFkh3N9etY1GHuR3lJjevdiSP6M94KIlgzMhYZ2HwH9Mn99fUyXrhX5RMNF
V1UCNUYmRHWVPtYtCtW9
=tjwj
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.