oss-sec mailing list archives

Re: darkhttpd: timing attack and local leak of HTTP basic auth credentials

From: Matthias Gerstner <mgerstner () suse de>
Date: Thu, 25 Jan 2024 11:33:33 +0100

On Tue, Jan 23, 2024 at 11:39:19AM +0100, Matthias Gerstner wrote:

I requested CVEs from Mitre for the two issues found during this
review. They have not been assigned yet, though. I will give an update
once I know them.


Mitre assigned the CVEs by now as follows:

Basic Auth Timing Attack
========================


CVE-2024-23771

Local Leak of Authentication Parameter in Process List
======================================================


CVE-2024-23770

Cheers

Matthias

Attachment: signature.asc
Description:

Current thread:

darkhttpd: timing attack and local leak of HTTP basic auth credentials Matthias Gerstner (Jan 23)
- Re: darkhttpd: timing attack and local leak of HTTP basic auth credentials Hanno Böck (Jan 23)
  - Re: darkhttpd: timing attack and local leak of HTTP basic auth credentials Johannes Segitz (Jan 24)
    - Re: darkhttpd: timing attack and local leak of HTTP basic auth credentials nightmare . yeah27 (Jan 24)
    - Re: Re: darkhttpd: timing attack and local leak of HTTP basic auth credentials Anton Luka Šijanec (Jan 24)
  - systemd and other system services (in)compatibility with Linux procfs hidepid (was: darkhttpd: timing attack and local leak of HTTP basic auth credentials) Solar Designer (Feb 02)
    - Re: systemd and other system services (in)compatibility with Linux procfs hidepid (was: darkhttpd: timing attack and local leak of HTTP basic auth credentials) Matthias Gerstner (Feb 05)
- Re: darkhttpd: timing attack and local leak of HTTP basic auth credentials Matthias Gerstner (Jan 25)