Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sat, 18 May 2013 00:15:06 -0700
From: Russ Allbery <>
Cc:,  Salvatore Bonaccorso <>
Subject: Re: CVE Request: WebAuth: Authentication credential disclosure

Kurt Seifried <> writes:

> I did a Google search, there appear to be other
> universities/organizations using WebAuth, was the vulnerable version
> made generally available (e.g. on an ftp site or whatever?).

Yes, via as well as via my personal web site.
I did issue an advisory (to  There
were six announced (distributed, tagged, etc.) releases that had this

WebAuth is moderately well-used; it's not as popular as some of the other
web single sign-on systems, but it's been distributed with Debian and
Ubuntu for quite a while and I know a fair number of sites that use it.

The time interval between the broken and fixed version was relatively
short (four months -- we're in the middle of a heavy development cycle)
and the flaw was only in the central server component (which you only run
one of within any given organization and tend to be conservative about
upgrading) as opposed to the Apache modules that are installed everywhere,
so it's possible that no one who met the fairly specific conditions
required to trigger the bug ever deployed it, but I don't have a way of
knowing that for certain.

Russ Allbery (               <>

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.