Bug 1560634 - (CVE-2018-1312) CVE-2018-1312 httpd: Weak Digest auth nonce generation in mod_auth_digest
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability
unspecified
All Linux
low Severity low
Assigned To: Red Hat Product Security
impact=low,public=20180321,reported=2...
: Security
Depends On: 1560636 1566317 1566318 1566319 1560635
Blocks: 1560402
Reported: 2018-03-26 11:41 EDT by Pedro Sampaio
Modified: 2018-10-25 13:28 EDT
Fixed In Version: httpd 2.4.30

Description Pedro Sampaio 2018-03-26 11:41:26 EDT
When generating an HTTP Digest authentication challenge, the nonce
sent to prevent replay attacks was not correctly generated using a
pseudo-random seed.  In a cluster of servers using a common Digest
authentication configuration, HTTP requests could be replayed across
servers by an attacker without detection.

Versions Affected:
httpd 2.2.0 to 2.4.29

External references:

https://httpd.apache.org/security/vulnerabilities_24.html
Comment 1 Pedro Sampaio 2018-03-26 11:42:01 EDT
Created httpd tracking bugs for this issue:

Affects: fedora-all [bug 1560635]
Comment 5 Huzaifa S. Sidhpurwala 2018-04-12 00:05:19 EDT
Upstream patchset: 
https://svn.apache.org/viewvc?view=revision&revision=1824481

Upstream bug:
https://bz.apache.org/bugzilla/show_bug.cgi?id=54637
Comment 7 Huzaifa S. Sidhpurwala 2018-06-22 00:43:50 EDT
Statement:

The "AuthType Digest" directive is not enabled in the default httpd configuration as shipped with Red Hat Enterprise Linux, and needs to be explicitly enabled. Therefore this flaw has no impact on the default versions of the httpd package as shipped with Red Hat Enterprise Linux. Also upstream discourages the use of mod_auth_digest because of its inherent security weaknesses and recommends the use of mod_ssl.
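
An exposure check built from the affected range and the Statement above, as an added example (not part of the bug report or of httpd): a host is flagged only when the upstream version is within 2.2.0 to 2.4.29 and an active `AuthType Digest` directive is present. The banner, configuration and file path are constructed samples, and the function names are hypothetical; distribution packages may carry backported fixes, so the version test reflects upstream numbering only.

```python
import re

# Affected upstream range as stated on this page: httpd 2.2.0 to 2.4.29 (fixed in 2.4.30).
AFFECTED_MIN = (2, 2, 0)
AFFECTED_MAX = (2, 4, 29)
# Directive name and auth type are matched case-insensitively; the value may be quoted.
DIGEST_RE = re.compile(r'^\s*AuthType\s+"?Digest"?\s*$', re.IGNORECASE)
VERSION_RE = re.compile(r'Apache/(\d+)\.(\d+)\.(\d+)')

# Constructed sample input (not taken from any real host).
SAMPLE_BANNER = "Server version: Apache/2.4.29 (Unix)"
SAMPLE_CONF = """\
<Location "/private">
    # AuthType Digest
    AuthType digest
    AuthName "private area"
    AuthDigestProvider file
    AuthUserFile "/etc/httpd/conf/.digest_pw"
    Require valid-user
</Location>
"""

def parse_version(banner):
    """Extract (major, minor, patch) from `httpd -v` output or a Server header."""
    m = VERSION_RE.search(banner)
    return tuple(int(x) for x in m.groups()) if m else None

def version_affected(version):
    """True when the upstream version lies in the affected range from this bug."""
    return version is not None and AFFECTED_MIN <= version <= AFFECTED_MAX

def digest_directives(config_text):
    """Return (line_number, line) for each active (uncommented) AuthType Digest."""
    hits = []
    for n, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if DIGEST_RE.match(line):  # lines starting with '#' never match
            hits.append((n, line))
    return hits

def exposed(banner, config_text):
    """Affected version AND Digest auth explicitly enabled."""
    return version_affected(parse_version(banner)) and bool(digest_directives(config_text))

if __name__ == "__main__":
    print(digest_directives(SAMPLE_CONF), exposed(SAMPLE_BANNER, SAMPLE_CONF))
```
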
