On 7/31/14 2:27 PM, Ben Reser wrote:
> On 6/5/14 11:29 PM, Ben Reser wrote:
>> On 6/5/14, 6:16 PM, Bert Huijben wrote:
>>> Do we make sure that we only send the password to an exact match of the realm?
>>> Otherwise somebody might be able to theoretically steal passwords by using a
>>> special realm string on a completely different server.
>>
>> Moving this to private.
>>
>> Trunk has code to protect against that. You wrote it in December:
>> http://svn.apache.org/r1550691
>> http://svn.apache.org/r1550772
>>
>> Older versions don't. We should probably fix that given that MD5 collisions
>> are possible to engineer. See:
>> http://www.mscs.dal.ca/~selinger/md5collision/
>>
>> You'd have to convince someone's SVN client to connect to some other server
>> that you controlled, but that's not impossible with some social engineering.
>>
>> I think we should treat the above changes as something that should be
>> backported to 1.7/1.8 as a security fix.
>>
>> Any other opinions?
>
> security_at_apache.org folks can we get a CVE number for this?
This now is CVE-2014-3528 (thanks Mark).
FYI this is being handled in public because it's already been revealed in
public due to my past mistake with the "Moving this to private" email and the
fix has been public for a while.
Received on 2014-08-01 19:56:35 CEST