Date: Sat, 18 May 2013 01:21:20 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: Russ Allbery <rra@...ian.org>
CC: oss-security@...ts.openwall.com, Salvatore Bonaccorso <carnil@...ian.org>
Subject: Re: CVE Request: WebAuth: Authentication credential disclosure

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 05/18/2013 01:15 AM, Russ Allbery wrote:
> Kurt Seifried <kseifried@...hat.com> writes:
>
>> I did a Google search, there appear to be other
>> universities/organizations using WebAuth, was the vulnerable
>> version made generally available (e.g. on an ftp site or
>> whatever?).
>
> Yes, via http://webauth.stanford.edu/ as well as via my personal
> web site. I did issue an advisory (to
> webauth-announce@...ts.stanford.edu). There were six announced
> (distributed, tagged, etc.) releases that had this vulnerability.
>
> WebAuth is moderately well-used; it's not as popular as some of the
> other web single sign-on systems, but it's been distributed with
> Debian and Ubuntu for quite a while and I know a fair number of
> sites that use it.
>
> The time interval between the broken and fixed version was
> relatively short (four months -- we're in the middle of a heavy
> development cycle) and the flaw was only in the central server
> component (which you only run one of within any given organization
> and tend to be conservative about upgrading) as opposed to the
> Apache modules that are installed everywhere, so it's possible that
> no one who met the fairly specific conditions required to trigger
> the bug ever deployed it, but I don't have a way of knowing that
> for certain.

Yeah, in this case I'm definitely going to count a 4 month window as
"made available" =).

Please use CVE-2013-2106 for this issue.

With any luck now all the standard scanners like Nessus will add a test
and anyone vulnerable will find out asap.
- --
Kurt Seifried
Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993