Date: Sat, 18 May 2013 00:15:06 -0700 From: Russ Allbery <rra@...ian.org> To: kseifried@...hat.com Cc: oss-security@...ts.openwall.com, Salvatore Bonaccorso <carnil@...ian.org> Subject: Re: CVE Request: WebAuth: Authentication credential disclosure Kurt Seifried <kseifried@...hat.com> writes: > I did a Google search, there appear to be other > universities/organizations using WebAuth, was the vulnerable version > made generally available (e.g. on an ftp site or whatever?). Yes, via http://webauth.stanford.edu/ as well as via my personal web site. I did issue an advisory (to webauth-announce@...ts.stanford.edu). There were six announced (distributed, tagged, etc.) releases that had this vulnerability. WebAuth is moderately well-used; it's not as popular as some of the other web single sign-on systems, but it's been distributed with Debian and Ubuntu for quite a while and I know a fair number of sites that use it. The time interval between the broken and fixed version was relatively short (four months -- we're in the middle of a heavy development cycle) and the flaw was only in the central server component (which you only run one of within any given organization and tend to be conservative about upgrading) as opposed to the Apache modules that are installed everywhere, so it's possible that no one who met the fairly specific conditions required to trigger the bug ever deployed it, but I don't have a way of knowing that for certain. -- Russ Allbery (rra@...ian.org) <http://www.eyrie.org/~eagle/>
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.