subversion-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Ben Reser <>
Subject MD5 Collisions and Cached Authentcation (was: Improving gpg-agent support)
Date Fri, 06 Jun 2014 06:29:44 GMT
On 6/5/14, 6:16 PM, Bert Huijben wrote:
> Do we make sure that we only send the password to an exact match of the realm?
> Otherwise somebody might be able to theoretically steal passwords by using a
> special realm string on a completely different server.

Moving this to private.

Trunk has code to protect against that.  You wrote it in December:

Older versions don't.  We should probably fix that given that MD5 collisions
are possible to engineer.  See:

You'd have to convince someone's SVN client to connect to some other server
that you controlled, but that's not impossible with some social engineering.

I think we should treat the above changes as something that should be
backported to 1.7/1.8 as a security fix.

Any other opinions?

View raw message