[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: MD5 Collisions and Cached Authentcation

From: Ben Reser <ben_at_reser.org>
Date: Thu, 31 Jul 2014 14:27:03 -0700

On 6/5/14 11:29 PM, Ben Reser wrote:
> On 6/5/14, 6:16 PM, Bert Huijben wrote:
>> Do we make sure that we only send the password to an exact match of the realm?
>> Otherwise somebody might be able to theoretically steal passwords by using a
>> special realm string on a completely different server.
>
> Moving this to private.
>
> Trunk has code to protect against that. You wrote it in December:
> http://svn.apache.org/r1550691
> http://svn.apache.org/r1550772
>
> Older versions don't. We should probably fix that given that MD5 collisions
> are possible to engineer. See:
> http://www.mscs.dal.ca/~selinger/md5collision/
>
> You'd have to convince someone's SVN client to connect to some other server
> that you controlled, but that's not impossible with some social engineering.
>
> I think we should treat the above changes as something that should be
> backported to 1.7/1.8 as a security fix.
>
> Any other opinions?

security_at_apache.org folks can we get a CVE number for this?
Received on 2014-07-31 23:27:38 CEST

This is an archived mail posted to the Subversion Dev mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.