Vous êtes ici :
Squid - and Digest Authentication -
Frédéric Bourgeois Rennes
Bug Hunter's Diary:
I'm happy to announce that this release fixes several critical bugs about Digest authentication.
Well, I can go cure my headache now ...
* Regression Bug #4176: Digest auth too many helper lookups Squid 3.5.2
It was found that the Digest authentication helper was being called to validate credentials on every client request regardless of an appropriate TTL or nonce re-use counter being available.
This release decreases CPU usage and improves latency of client traffic on all installations using Digest authentication.
* Bug #4066: Digest auth nonce indefinite rollover Squid 3.4.12/3.5.2
This bug prevented the backend authentication system being contacted to re-verify user credentials after their TTL has expired. Making it near impossible to kick off an active user by closing their account or changing password.
Please note that while this does have a security impact it is NOT being considerd for an advisory with CVE rating since the user has to properly authenticate before they can abuse this.
A big Thank You to Frederic Bourgeois for tracking this one down.
From: Amos Jeffries [squid-announce]
All users of Squid are encouraged to upgrade to this release as soon as
possible.
Ecrit par FredB le 25/02/2015 @ 10:39
Squid - and Digest Authentication -
I'm happy to announce that this release fixes several critical bugs about Digest authentication.
Well, I can go cure my headache now ...
* Regression Bug #4176: Digest auth too many helper lookups Squid 3.5.2
It was found that the Digest authentication helper was being called to validate credentials on every client request regardless of an appropriate TTL or nonce re-use counter being available.
This release decreases CPU usage and improves latency of client traffic on all installations using Digest authentication.
* Bug #4066: Digest auth nonce indefinite rollover Squid 3.4.12/3.5.2
This bug prevented the backend authentication system being contacted to re-verify user credentials after their TTL has expired. Making it near impossible to kick off an active user by closing their account or changing password.
Please note that while this does have a security impact it is NOT being considerd for an advisory with CVE rating since the user has to properly authenticate before they can abuse this.
A big Thank You to Frederic Bourgeois for tracking this one down.
From: Amos Jeffries [squid-announce]
All users of Squid are encouraged to upgrade to this release as soon as
possible.
Ecrit par FredB le 25/02/2015 @ 10:39