Date: Tue, 13 Oct 2015 03:05:28 +1300 From: Amos Jeffries <squid3@...enet.co.nz> To: oss-security@...ts.openwall.com Subject: Re: Re: CVE Request: squid: Nonce replay vulnerability in Digest authentication -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 12/10/2015 7:04 a.m., cve-assign@...re.org wrote: >> Upstream fixed a security issue in digest_authentication > >> allow disabled user or users with changed password to access the >> squid service with old credentials. > >> http://bazaar.launchpad.net/~squid/squid/3.4/revision/13211 >> http://bazaar.launchpad.net/~squid/squid/3.5/revision/13735 >> http://bugs.squid-cache.org/show_bug.cgi?id=4066 > > As far as we can tell, there is only one vulnerability -- it is > associated with > http://bugs.squid-cache.org/show_bug.cgi?id=4066#c3 > > Use CVE-2014-9749. > > We aren't currently providing any statement about the affected > versions for this vulnerability. It is possible that > http://bugs.squid-cache.org/show_bug.cgi?id=4066#c7 implies that > 3.5.x wasn't ever vulnerable, but that the 3.5.x code was replaced > anyway because it had used too slow of an approach to preventing > the vulnerability. > > 3.5 had the same issue before patching. But additional fix was required for a secondary bug found once the main issue was patched. The released versions I am currently aware of having this issue are: 3.4.4 -> 3.4.11 inclusive 22.214.171.124 -> 3.5.1 inclusive versions older than 3.4.4 have not been investigated yet to my knowledge . Amos -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (MingW32) iQIcBAEBAgAGBQJWG74oAAoJEGvSOzfXE+nL8UkP/2OTwe7gan2vyikTgEitEXaV sNK6ardED+2cEoyeg0+bQMuOyNzRezH19KSTUpkWQhufABbgOoYvj0oGRAofCWeL uQNs1TWNuZsV9kyaZxtV/O7wvmP3RijxRBE9SFb8wNGF5I7lZltTaP18SCRFgV3j WX5rAhJ+HVbt78dAcwZ75rW/maThk3Q7371cMpLNbrj8pGS5FRb088fmViJpJb2i 7lqbi2Q1yt4C9LLrWL82Ran692U2KJThTIHFvpS44cfdBsjeXfmUPVnpFYcb9KrK Jow+xTvE+CFpHEDxwCZ813FDs/fXDihk1do3frEsKAJeVspcrkHAJu2nIG1sEsot tvOVG/4tL1yeblLthHiwxu2ooobvXo8FAhlzwHdPfdhpwLGMQeSZ9V27BVTnq5XN YpgXBGw60GxjNC2+OBl5zoNu04YykbSXpVLm7UgI3oiQaNcihpWw5SKZ26Ek6CX2 iWnskSYr+sfA1tw2wCAFb8lWRwJg3FlRFUe3oz9mu5jHXhUBE3yhNBKW0QG1gmaZ GijAuTIgZo9BCeZFzgXDqIEbbWTP5p4o6FeavDPHVBl2po0Pi0yyWEP4temv4IeX VK4A2jFkh3N9etY1GHuR3lJjevdiSP6M94KIlgzMhYZ2HwH9Mn99fUyXrhX5RMNF V1UCNUYmRHWVPtYtCtW9 =tjwj -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.