httpd-dev mailing list archives

From Dirk-Willem van Gulik <di...@webweaving.org>
Subject [patch] minor clarification digest
Date Fri, 30 Apr 2004 13:41:37 GMT
After rolling out a -rHEAD at a site using digest - took them a while to guess the Seed thing below.

Dw


dyn-203:~/ASF/apache-1.3 dirkx$ cvs diff -u Announcement src/CHANGES
Enter passphrase for key '/Users/dirkx/.ssh/id_rsa':
Index: Announcement
===================================================================
RCS file: /home/cvs/apache-1.3/Announcement,v
retrieving revision 1.103
diff -u -r1.103 Announcement
--- Announcement        29 Apr 2004 20:48:22 -0000      1.103
+++ Announcement        30 Apr 2004 13:40:26 -0000
@@ -20,7 +20,8 @@
       o CAN-2003-0987 (cve.mitre.org)
         In mod_digest, verify whether the nonce returned in the client
         response is one we issued ourselves.  This problem does not 
affect
-       mod_auth_digest.
+       mod_auth_digest. If you are using Digest auth across multiple
+       servers; then do consult the AuthDigestRealmSeed directive.

       o CAN-2003-0020 (cve.mitre.org)
         Escape arbitrary data before writing into the errorlog.
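Review bot: the added sentence in the Announcement hunk has a stray semicolon and reads awkwardly ("across multiple servers; then do consult"); a comma would do, e.g. "If you are using Digest authentication across multiple servers, consult the AuthDigestRealmSeed directive." It would also help the admin to say in one clause why the directive matters: since the fix makes each server verify that a nonce was issued by itself (via the AuthDigestRealmSeed secret, per the CHANGES entry), servers that share a realm need the same seed or a nonce issued by one server will be rejected by another.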
Index: src/CHANGES
===================================================================
RCS file: /home/cvs/apache-1.3/src/CHANGES,v
retrieving revision 1.1938
diff -u -r1.1938 CHANGES
--- src/CHANGES 29 Apr 2004 19:47:11 -0000      1.1938
+++ src/CHANGES 30 Apr 2004 13:40:33 -0000
@@ -3,8 +3,10 @@
    *) SECURITY: CAN-2003-0987 (cve.mitre.org)
       Verification as to whether the nonce returned in the client 
response
       is one we issued ourselves by means of a AuthDigestRealmSeed 
secret
-     exposed as an md5(). See mod_digest documentation for more 
details.
-     The experimental mod_auth_digest.c does not have this issue.
+     exposed as an md5(). See mod_digest documentation for more 
details,
+     especially the AuthDigestRealmSeed if you are using digest
+     authentication across multiple servers. The experimental
+     mod_auth_digest.c does not have this issue.
       [Dirk-Willem van Gulik, Jeff Trawick, Jim Jagielski]
  
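Review bot: in the CHANGES hunk the new text "especially the AuthDigestRealmSeed if you are using digest authentication across multiple servers" is missing a noun; "the AuthDigestRealmSeed directive" matches the wording used in the Announcement hunk. While touching this entry, the unchanged context line "by means of a AuthDigestRealmSeed secret" should read "an AuthDigestRealmSeed secret".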

