Message-ID: <561BBE28.4010003@treenet.co.nz>
Date: Tue, 13 Oct 2015 03:05:28 +1300
From: Amos Jeffries <squid3@...enet.co.nz>
To: oss-security@...ts.openwall.com
Subject: Re: Re: CVE Request: squid: Nonce replay vulnerability in Digest authentication

On 12/10/2015 7:04 a.m., cve-assign@...re.org wrote:
>> Upstream fixed a security issue in digest_authentication
> 
>> allow disabled user or users with changed password to access the 
>> squid service with old credentials.
> 
>> http://bazaar.launchpad.net/~squid/squid/3.4/revision/13211 
>> http://bazaar.launchpad.net/~squid/squid/3.5/revision/13735 
>> http://bugs.squid-cache.org/show_bug.cgi?id=4066
> 
> As far as we can tell, there is only one vulnerability -- it is 
> associated with 
> http://bugs.squid-cache.org/show_bug.cgi?id=4066#c3
> 
> Use CVE-2014-9749.
> 
> We aren't currently providing any statement about the affected 
> versions for this vulnerability. It is possible that 
> http://bugs.squid-cache.org/show_bug.cgi?id=4066#c7 implies that 
> 3.5.x wasn't ever vulnerable, but that the 3.5.x code was replaced
> anyway because it had used too slow of an approach to preventing
> the vulnerability.
> 
> 

3.5 had the same issue before patching. But an additional
fix was required for a secondary bug found once the main issue was
patched.

The released versions I am currently aware of having this issue are:
 3.4.4 -> 3.4.11 inclusive
 3.5.0.1 -> 3.5.1 inclusive

Versions older than 3.4.4 have not been investigated yet to my knowledge.

Amos
