Bug 1186768 (CVE-2014-9749) - CVE-2014-9749 squid: Nonce replay vulnerability in Digest authentication
Summary: CVE-2014-9749 squid: Nonce replay vulnerability in Digest authentication
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2014-9749
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1186772 1250308 1269808 1301685
Blocks: 1186769
TreeView+ depends on / blocked
 
Reported: 2015-01-28 14:03 UTC by Vasyl Kaigorodov
Modified: 2019-09-29 13:27 UTC (History)
7 users (show)

Fixed In Version: squid 3.4, squid 3.5
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-09-07 05:43:45 UTC


Attachments (Terms of Use)

Description Vasyl Kaigorodov 2015-01-28 14:03:55 UTC
Upstream fixed a security issue in digest_authentication [1] that can allow disabled user or users with changed password to access the squid service with old credentials.
Upstream patch for Squid 3.4: http://bazaar.launchpad.net/~squid/squid/3.4/revision/13211
Upstream patch for Squid 3.5: http://bazaar.launchpad.net/~squid/squid/3.5/revision/13735

[1]: http://bugs.squid-cache.org/show_bug.cgi?id=4066

Comment 1 Vasyl Kaigorodov 2015-01-28 14:08:05 UTC
Created squid tracking bugs for this issue:

Affects: fedora-all [bug 1186772]


Note You need to log in before you can comment on or make changes to this bug.