httpd-cvs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
Subject svn commit: r1775361 - /httpd/site/trunk/content/security/vulnerabilities-httpd.xml
Date Tue, 20 Dec 2016 23:42:40 GMT
Author: ylavic
Date: Tue Dec 20 23:42:40 2016
New Revision: 1775361

Improve description for CVE-2016-0736.


Modified: httpd/site/trunk/content/security/vulnerabilities-httpd.xml
--- httpd/site/trunk/content/security/vulnerabilities-httpd.xml (original)
+++ httpd/site/trunk/content/security/vulnerabilities-httpd.xml Tue Dec 20 23:42:40 2016
@@ -189,9 +189,12 @@ We would like to thank Maksim Malyutin f
 <severity level="4">low</severity>
 <title>Padding Oracle in Apache mod_session_crypto</title>
-  Authenticate the session data/cookie presented to mod_session_crypto
-  with a MAC (SipHash) to prevent deciphering or tampering with a padding
-  oracle attack.
+  Prior to Apache HTTP release 2.4.25, mod_sessioncrypto was encrypting its
+  data/cookie using the configured ciphers with possibly either CBC or ECB
+  modes of operation (AES256-CBC by default), hence no selectable or builtin
+  authenticated encryption.
+  This made it vulnerable to padding oracle attacks, particularly with CBC.
+  An authententication tag (SipHash MAC) is now added to prevent such attacks.
 We would like to thank Alexander Neumann of RedTeam Pentesting for reporting 

View raw message