oss-sec mailing list archives
Re: CVE Request: squid: Nonce replay vulnerability in Digest authentication
From: cve-assign () mitre org
Date: Sun, 11 Oct 2015 14:04:57 -0400 (EDT)
Upstream fixed a security issue in digest_authentication that allows a disabled user or users with a changed password to access the squid service with old credentials.

http://bazaar.launchpad.net/~squid/squid/3.4/revision/13211
http://bazaar.launchpad.net/~squid/squid/3.5/revision/13735
http://bugs.squid-cache.org/show_bug.cgi?id=4066
As far as we can tell, there is only one vulnerability -- it is associated with http://bugs.squid-cache.org/show_bug.cgi?id=4066#c3

Use CVE-2014-9749.

We aren't currently providing any statement about the affected versions for this vulnerability. It is possible that http://bugs.squid-cache.org/show_bug.cgi?id=4066#c7 implies that 3.5.x wasn't ever vulnerable, but that the 3.5.x code was replaced anyway because it had used too slow of an approach to preventing the vulnerability.

--
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]