Date: Tue, 13 Oct 2015 03:05:28 +1300
From: Amos Jeffries <squid3@...enet.co.nz>
To: oss-security@...ts.openwall.com
Subject: Re: Re: CVE Request: squid: Nonce replay vulnerability in Digest authentication

On 12/10/2015 7:04 a.m., cve-assign@...re.org wrote:
>> Upstream fixed a security issue in digest_authentication
>
>> allow disabled user or users with changed password to access the
>> squid service with old credentials.
>
>> http://bazaar.launchpad.net/~squid/squid/3.4/revision/13211
>> http://bazaar.launchpad.net/~squid/squid/3.5/revision/13735
>> http://bugs.squid-cache.org/show_bug.cgi?id=4066
>
> As far as we can tell, there is only one vulnerability -- it is
> associated with
> http://bugs.squid-cache.org/show_bug.cgi?id=4066#c3
>
> Use CVE-2014-9749.
>
> We aren't currently providing any statement about the affected
> versions for this vulnerability. It is possible that
> http://bugs.squid-cache.org/show_bug.cgi?id=4066#c7 implies that
> 3.5.x wasn't ever vulnerable, but that the 3.5.x code was replaced
> anyway because it had used too slow of an approach to preventing
> the vulnerability.
>

3.5 had the same issue before patching. But an additional fix was required
for a secondary bug found once the main issue was patched.

The released versions I am currently aware of having this issue are:
 3.4.4 -> 3.4.11 inclusive
 220.127.116.11 -> 3.5.1 inclusive

Versions older than 3.4.4 have not been investigated yet to my knowledge.

Amos
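As an added illustration that is not part of this thread and not Squid's code: a constructed Python model of a Digest verifier that contrasts caching the user's credentials per nonce (which reproduces the symptom reported above, an old password or a disabled account still being accepted while the nonce is reused) with re-checking the user store on every request. The `users` dict, the `Verifier` class and the `recheck_user_store` switch are assumptions made for the example.

```python
import hashlib
import secrets

REALM = "proxy"  # assumed realm for the constructed example


def md5hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def ha1(user: str, password: str) -> str:
    # RFC 2617 HA1 = MD5(user:realm:password); a backend usually stores only this
    return md5hex(f"{user}:{REALM}:{password}")


def digest_response(h1: str, nonce: str, nc: str, cnonce: str, method: str, uri: str) -> str:
    # qop=auth response = MD5(HA1:nonce:nc:cnonce:qop:HA2), with HA2 = MD5(method:uri)
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{h1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


class Verifier:
    # users: user -> {"ha1": str, "enabled": bool}; a stand-in for the auth helper/backend.
    # recheck_user_store=False reproduces the failure mode: once a nonce has been used,
    # the HA1 cached for it is trusted and the backend is never consulted again.
    def __init__(self, users: dict, recheck_user_store: bool):
        self.users = users
        self.recheck = recheck_user_store
        self.nonces = {}  # nonce -> {"ha1": cached HA1 or None, "nc": last accepted nc}

    def new_nonce(self) -> str:
        n = secrets.token_hex(16)
        self.nonces[n] = {"ha1": None, "nc": 0}
        return n

    def check(self, user, nonce, nc, cnonce, method, uri, response) -> bool:
        state = self.nonces.get(nonce)
        if state is None:
            return False  # unknown (or expired) nonce
        if int(nc, 16) <= state["nc"]:
            return False  # nc must strictly increase: a verbatim replay is rejected
        h1 = state["ha1"]
        if h1 is None or self.recheck:
            rec = self.users.get(user)  # ask the backend: still enabled? password unchanged?
            if rec is None or not rec["enabled"]:
                return False
            h1 = rec["ha1"]
        expected = digest_response(h1, nonce, nc, cnonce, method, uri)
        if not secrets.compare_digest(response, expected):
            return False
        state["ha1"], state["nc"] = h1, int(nc, 16)
        return True
```

The nonce-count check alone only stops a byte-for-byte replay; it is the per-request lookup against the current user record that closes the "old credentials keep working" window.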