Frédéric Bourgeois Rennes
Squid - and Digest Authentication -
Bug Hunter's Diary:
I'm happy to announce that this release fixes several critical bugs about Digest authentication.
Well, I can go cure my headache now ...
* Regression Bug #4176: Digest auth too many helper lookups Squid 3.5.2
It was found that the Digest authentication helper was being called to
validate credentials on every client request regardless of an
appropriate TTL or nonce re-use counter being available.
This release decreases CPU usage and improves latency of client
traffic on all installations using Digest authentication.
* Bug #4066: Digest auth nonce indefinite rollover Squid 3.4.12/3.5.2
This bug prevented the backend authentication system being contacted
to re-verify user credentials after their TTL has expired, making it
near impossible to kick off an active user by closing their account or
changing password.
Please note that while this does have a security impact it is NOT
being considered for an advisory with CVE rating since the user has to
properly authenticate before they can abuse this.
A big Thank You to Frederic Bourgeois for tracking this one down.
From: Amos Jeffries [squid-announce]
All users of Squid are encouraged to upgrade to this release as soon as
possible.
Written by
FredB on 25/02/2015 @ 10:39
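The two behaviours the announcement describes, as an added sketch that is not Squid's code and not part of the original post: a proxy-side cache should call the authentication helper only when no valid cached result exists, and must call it again once the TTL has expired so that a closed account is rejected. The class, parameter names and sample account are hypothetical and constructed for illustration.

```python
class DigestCredentialCache:
    """Toy model of caching Digest helper results (hypothetical, not Squid's code)."""

    def __init__(self, helper, ttl, nonce_max_count):
        self.helper = helper                  # callable(user) -> HA1 string or None
        self.ttl = ttl                        # seconds a helper answer may be reused
        self.nonce_max_count = nonce_max_count
        self.entries = {}                     # user -> (ha1, expires_at)
        self.nonce_uses = {}                  # nonce -> number of requests seen
        self.helper_calls = 0

    def check(self, user, nonce, now):
        """Return 'ok', 'stale' (client needs a fresh nonce) or 'denied'."""
        uses = self.nonce_uses.get(nonce, 0) + 1
        if uses > self.nonce_max_count:
            return "stale"                    # nonce reuse counter exhausted
        self.nonce_uses[nonce] = uses
        entry = self.entries.get(user)
        if entry is None or now >= entry[1]:
            # Only here is the backend contacted: first sight or expired TTL.
            self.helper_calls += 1
            ha1 = self.helper(user)
            if ha1 is None:
                self.entries.pop(user, None)  # account closed: drop cached state
                return "denied"
            self.entries[user] = (ha1, now + self.ttl)
        return "ok"


def run_demo():
    backend = {"alice": "ha1-constructed"}    # constructed sample account
    cache = DigestCredentialCache(backend.get, ttl=60, nonce_max_count=5)
    # Five requests inside the TTL: one helper lookup, not five (the #4176 case).
    first = [cache.check("alice", "n1", now=t) for t in range(5)]
    calls_within_ttl = cache.helper_calls
    rolled = cache.check("alice", "n1", now=5)          # sixth use of the same nonce
    del backend["alice"]                                # administrator closes the account
    before_expiry = cache.check("alice", "n2", now=30)  # still served from cache
    after_expiry = cache.check("alice", "n2", now=61)   # TTL over: re-verified (the #4066 case)
    return first, calls_within_ttl, rolled, before_expiry, after_expiry, cache.helper_calls


if __name__ == "__main__":
    print(run_demo())
```

The window between `before_expiry` and `after_expiry` is the longest a closed account stays usable in this model, so the TTL is the value to tune when fast revocation matters.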