Date: Fri, 23 Mar 2018 21:50:00 -0500 From: Daniel Ruggeri <druggeri@...che.org> To: announce@...pd.apache.org, oss-security@...ts.openwall.com, security@...pd.apache.org Subject: CVE-2018-1312: Weak Digest auth nonce generation in mod_auth_digest CVE-2018-1312: Weak Digest auth nonce generation in mod_auth_digest Severity: Low Vendor: The Apache Software Foundation Versions Affected: httpd 2.2.0 to 2.4.29 Description: When generating an HTTP Digest authentication challenge, the nonce sent to prevent reply attacks was not correctly generated using a pseudo-random seed. In a cluster of servers using a common Digest authentication configuration, HTTP requests could be replayed across servers by an attacker without detection. Mitigation: All httpd users should upgrade to 2.4.30 or later. Credit: The issue was discovered by Nicolas Daniels. References: https://httpd.apache.org/security/vulnerabilities_24.html
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.