Bug 1186768 (CVE-2014-9749)

Summary: CVE-2014-9749 squid: Nonce replay vulnerability in Digest authentication
Product: [Other] Security Response
Reporter: Vasyl Kaigorodov <vkaigoro>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
Severity: medium
Priority: medium
Version: unspecified
CC: carnil, henrik, jonathansteffan, jrusnack, mluscon, psimerda, thozza
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: squid 3.4, squid 3.5
Doc Type: Bug Fix
Last Closed: 2015-09-07 05:43:45 UTC
Bug Depends On: 1186772, 1250308, 1269808, 1301685
Bug Blocks: 1186769

Description Vasyl Kaigorodov 2015-01-28 14:03:55 UTC
Upstream fixed a security issue in digest_authentication [1] that can allow disabled users or users with changed passwords to access the squid service with old credentials.
Upstream patch for Squid 3.4: http://bazaar.launchpad.net/~squid/squid/3.4/revision/13211
Upstream patch for Squid 3.5: http://bazaar.launchpad.net/~squid/squid/3.5/revision/13735

[1]: http://bugs.squid-cache.org/show_bug.cgi?id=4066
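The weakness class the report describes, shown from the defender's side as an added example that is not Squid's code and not the upstream patch: an RFC 2617 Digest validator that rejects a reused (nonce, nc) pair, expires nonces, and recomputes the expected response from the credential store on every request, so a header computed with an old password, or for an account that has since been disabled, is refused even while its nonce is still fresh. The realm, user names, passwords and the 300-second nonce lifetime are constructed values.

```python
import hashlib
import secrets
import time

REALM = "example-proxy"      # constructed realm, not from the report
NONCE_TTL_SECONDS = 300      # constructed policy value


def md5_hex(s: str) -> str:
    # Digest (RFC 2617) is defined over MD5; this is protocol fidelity, not a strength claim.
    return hashlib.md5(s.encode()).hexdigest()


class DigestValidator:
    """Server side of Digest auth (qop=auth) with replay protection.

    `users` maps user -> {"ha1": MD5(user:realm:password), "enabled": bool}.
    The store is consulted on every check; no per-nonce acceptance is cached.
    """

    def __init__(self, users):
        self.users = users
        self.nonces = {}  # nonce -> [issued_at, highest nc accepted]

    def issue_nonce(self) -> str:
        nonce = secrets.token_hex(16)
        self.nonces[nonce] = [time.time(), 0]
        return nonce

    def check(self, user, nonce, nc, cnonce, method, uri, response, now=None):
        now = time.time() if now is None else now
        entry = self.nonces.get(nonce)
        if entry is None:
            return "stale-nonce"
        issued, last_nc = entry
        if now - issued > NONCE_TTL_SECONDS:
            del self.nonces[nonce]            # expired: client must re-challenge
            return "stale-nonce"
        nc_int = int(nc, 16)
        if nc_int <= last_nc:
            return "replay"                   # this (nonce, nc) was already accepted
        # Always look at the *current* account state and current HA1.
        rec = self.users.get(user)
        if rec is None or not rec["enabled"]:
            return "denied"
        ha2 = md5_hex(f"{method}:{uri}")
        expected = md5_hex(f"{rec['ha1']}:{nonce}:{nc}:{cnonce}:auth:{ha2}")
        if not secrets.compare_digest(expected, response):
            return "denied"                   # e.g. response built with an old password
        entry[1] = nc_int
        return "ok"


def client_response(ha1, nonce, nc, cnonce, method, uri):
    """What a client puts in the `response=` field for qop=auth."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


def demo():
    """Walk through the cases the report names; returns each outcome by label."""
    ha1_old = md5_hex(f"alice:{REALM}:old-password")
    users = {"alice": {"ha1": ha1_old, "enabled": True}}
    v = DigestValidator(users)
    nonce = v.issue_nonce()
    results = {}

    first = client_response(ha1_old, nonce, "00000001", "cn1", "GET", "/")
    results["fresh"] = v.check("alice", nonce, "00000001", "cn1", "GET", "/", first)
    results["replayed"] = v.check("alice", nonce, "00000001", "cn1", "GET", "/", first)

    # Password changed in the store; a header still built from the old HA1 must fail.
    users["alice"]["ha1"] = md5_hex(f"alice:{REALM}:new-password")
    stale_pw = client_response(ha1_old, nonce, "00000002", "cn1", "GET", "/")
    results["old-password"] = v.check("alice", nonce, "00000002", "cn1", "GET", "/", stale_pw)

    # Account disabled; even a correctly computed header must fail.
    users["alice"]["enabled"] = False
    good_but_disabled = client_response(users["alice"]["ha1"], nonce, "00000003", "cn1", "GET", "/")
    results["disabled"] = v.check("alice", nonce, "00000003", "cn1", "GET", "/", good_but_disabled)

    # Nonce lifetime exceeded.
    results["expired"] = v.check("alice", nonce, "00000004", "cn1", "GET", "/",
                                 good_but_disabled, now=time.time() + NONCE_TTL_SECONDS + 1)
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label}: {outcome}")
```

The point of the structure is that the replay check and the credential check are independent gates: a valid, unexpired nonce only proves the challenge is recent, never that the presenter is still an authorized user with the same password.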

Comment 1 Vasyl Kaigorodov 2015-01-28 14:08:05 UTC
Created squid tracking bugs for this issue:

Affects: fedora-all [bug 1186772]