Re: httpd - side channel attack - timing of digest comparisons

2015-05-28 Thread William A Rowe Jr
On May 26, 2015 10:31 AM, Dirk-Willem van Gulik di...@webweaving.org wrote: On 26 May 2015, at 17:22, Dirk-Willem van Gulik di...@webweaving.org wrote: .. So I think that what is needed are two (or three) functions ... - A string comparison function; where at least one string is

Re: httpd - side channel attack - timing of digest comparisons

2015-05-28 Thread Dirk-Willem van Gulik
On 28 May 2015, at 17:03, William A Rowe Jr wr...@rowe-clan.net wrote: On May 26, 2015 10:31 AM, Dirk-Willem van Gulik di...@webweaving.org wrote: On 26 May 2015, at 17:22, Dirk-Willem van Gulik di...@webweaving.org wrote:

Re: httpd - side channel attack - timing of digest comparisons

2015-05-28 Thread Dirk-Willem van Gulik
On 28 May 2015, at 17:24, Dirk-Willem van Gulik di...@webweaving.org wrote: On 28 May 2015, at 17:03, William A Rowe Jr wr...@rowe-clan.net wrote: On May 26, 2015 10:31 AM, Dirk-Willem van Gulik di...@webweaving.org wrote:

Re: httpd - side channel attack - timing of digest comparisons

2015-05-26 Thread Dirk-Willem van Gulik
Folks, Did a scan through a fair bit of our code. mod_digest is not the only place; e.g. in basic auth; we are also not as careful in all cases as we could be. So I think that what is needed are two (or three) functions - A fairly mundane (binary) timing safe compare that compares two

Re: httpd - side channel attack - timing of digest comparisons

2015-05-26 Thread Dirk-Willem van Gulik
On 26 May 2015, at 17:22, Dirk-Willem van Gulik di...@webweaving.org wrote: .. So I think that what is needed are two (or three) functions ... - A string comparison function; where at least one string is under control of the attacker. Now the issue here is that length is very easily

Re: httpd - side channel attack - timing of digest comparisons

2015-05-21 Thread Dirk-Willem van Gulik
Very quick and dirty list of the most obvious places where we compare stuff. Currently trying to find some time to figure out if these are all vulnerable; or if it is just the two outer ones. Dw. Index: modules/aaa/mod_auth_digest.c

httpd - side channel attack - timing of digest comparisons

2015-05-21 Thread Dirk-Willem van Gulik
Folks, security@ got a notification of a potential side channel attack. The original message is below (sans details on the poster who wants to remain private). In short - we’re comparing the digest in mod-auth-digest in a manner that may reveal how much is actually correct; leading potentially