Date: Tue, 13 Oct 2015 03:05:28 +1300
From: Amos Jeffries <squid3@...enet.co.nz>
To: oss-security@...ts.openwall.com
Subject: Re: Re: CVE Request: squid: Nonce replay vulnerability
 in Digest authentication


On 12/10/2015 7:04 a.m., cve-assign@...re.org wrote:
>> Upstream fixed a security issue in digest_authentication
> 
>> allow disabled user or users with changed password to access the 
>> squid service with old credentials.
> 
>> http://bazaar.launchpad.net/~squid/squid/3.4/revision/13211 
>> http://bazaar.launchpad.net/~squid/squid/3.5/revision/13735 
>> http://bugs.squid-cache.org/show_bug.cgi?id=4066
> 
> As far as we can tell, there is only one vulnerability -- it is 
> associated with 
> http://bugs.squid-cache.org/show_bug.cgi?id=4066#c3
> 
> Use CVE-2014-9749.
> 
> We aren't currently providing any statement about the affected 
> versions for this vulnerability. It is possible that 
> http://bugs.squid-cache.org/show_bug.cgi?id=4066#c7 implies that 
> 3.5.x wasn't ever vulnerable, but that the 3.5.x code was replaced
> anyway because it had used too slow of an approach to preventing 
> the vulnerability.
> 
> 

3.5 had the same issue before patching. But an additional
fix was required for a secondary bug found once the main issue was
patched.

The released versions I am currently aware of having this issue are:
 3.4.4 -> 3.4.11 inclusive
 3.5.0.1 -> 3.5.1 inclusive

Versions older than 3.4.4 have not been investigated yet to my knowledge.

Amos