To deal with this in Geronimo, I think the 2.1.x can just use the updated Tomcat code, but for 2.2.x and trunk we've copied the digest auth code into a JASPI-like authenticator that will need to be updated. While I could do this it might be better if someone else became more familiar with the code. Any volunteers?
thanks
david jencks

Begin forwarded message:

> From: Mark Thomas <[email protected]>
> Date: September 26, 2011 4:08:30 AM PDT
> To: Tomcat Users List <[email protected]>
> Cc: Tomcat Developers List <[email protected]>, Tomcat Announce List <[email protected]>, [email protected], [email protected], [email protected]
> Subject: [SECURITY] CVE-2011-1184 Apache Tomcat - Multiple weaknesses in HTTP DIGEST authentication
> Reply-To: "Tomcat Developers List" <[email protected]>
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> CVE-2011-1184 Apache Tomcat - Multiple weaknesses in HTTP DIGEST authentication
>
> Severity: Moderate
>
> Vendor: The Apache Software Foundation
>
> Versions Affected:
> - - Tomcat 7.0.0 to 7.0.11
> - - Tomcat 6.0.0 to 6.0.32
> - - Tomcat 5.5.0 to 5.5.33
> - - Earlier, unsupported versions may also be affected
>
> Description:
> The implementation of HTTP DIGEST authentication was discovered to have several weaknesses:
> - - replay attacks were permitted
> - - server nonces were not checked
> - - client nonce counts were not checked
> - - qop values were not checked
> - - realm values were not checked
> - - the server secret was hard-coded to a known string
> The result of these weaknesses is that DIGEST authentication was only as secure as BASIC authentication.
>
> Mitigation:
> Users of Tomcat 7.0.x should upgrade to 7.0.12 or later
> Users of Tomcat 6.0.x should upgrade to 6.0.33 or later
> Users of Tomcat 5.5.x should upgrade to 5.5.34 or later
>
> Credit:
> This issue was identified by the Apache Tomcat security team
>
> References:
> http://tomcat.apache.org/security.html
> http://tomcat.apache.org/security-7.html
> http://tomcat.apache.org/security-6.html
> http://tomcat.apache.org/security-5.html
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (MingW32)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iQIcBAEBAgAGBQJOgF0tAAoJEBDAHFovYFnnv70QALdoVwivDt9bXBEpMgjJ0/NY
> kadCFsA/X+O8TEKTRx/85B54Spgv8dGJFiPMettdbfjFuq7ADsRiAbxsZQ3dEIfJ
> esrWfPJRTpXhjKU1OOLmoDvoueAD0pD7/qvl8o9bFowxGXLWqvO/elFe+4AH2YjZ
> ux9tWOlWn46Q7ffaNOzRebjPVIQ3ebB+FH9ToZAdNfFFIZbtxYRMV02wRfHWq+fU
> kTJ+hKF0XOpzyIut3zkmE00ZuvGAPLdnZcMKq9m/X/dt/niP2nT8H28Xx1Zu8sW+
> CUE7CRse4pI6fGuXVrOAk1akyN/hkiSPxDNsDnHxALTNmjr1Z+DAs7QT5IKc3EDv
> NeSXAnxKfIJ83jcjam1bEf38UN1uYatP/u6XJCVpnOr0UjJ9wtO+QgSV/93eiyD7
> YCpVcmKay/jvWmLPp7MRB+h6FGhJNw5OA5k7IWJePBXC39p6tpac3vsOKx1OGU38
> QKUglIro/TtZo7gmfeG8lD3lI493l25+3E/vBiSrbfSHua3bmyFQikQMhy2ZPYIt
> 4wEfdaW4hUBJHpxkDaotuTTN8ATzQLtDNTGei2u76ZXQiOjTLUDGam++6fR+kfZU
> gloAy8ZIS702hoXg/ypFPtcyIx435dOgxtGIbOedmDUsy1ErGTCAksrOyn2yZl3v
> +Ew0bAULNmXwKQeMyDj0
> =u/Ai
> -----END PGP SIGNATURE-----
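The weaknesses the advisory lists all come down to what a server-side DIGEST verifier does and does not check. As an added illustration, not code from Tomcat, Geronimo or the forwarded message, the Python below implements the qop=auth flow of RFC 2617 with each of those checks in place: a per-process random server secret instead of a hard-coded one, HMAC-authenticated and time-bounded server nonces, a strictly increasing nonce count per nonce (which is what stops replay), and explicit realm and qop checks. The realm, user database, nonce layout and header values are constructed for the demo; a real deployment would also expire entries in `seen_nc`.

```python
import hashlib
import hmac
import secrets
import time

# Constructed demo values: realm and password store are made up for this example.
REALM = "example-realm"
USERS = {"alice": "correct horse battery staple"}
NONCE_MAX_AGE = 300  # seconds a server-issued nonce stays acceptable


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


class DigestVerifier:
    """Server-side HTTP DIGEST (RFC 2617, qop=auth) verification with the
    checks the advisory says were missing: random server secret, authenticated
    and time-limited server nonces, increasing nonce counts, realm and qop."""

    def __init__(self, realm, users, max_age=NONCE_MAX_AGE, clock=time.time):
        self.realm, self.users, self.max_age, self.clock = realm, users, max_age, clock
        # Random secret, not a known string: nobody can mint valid nonces offline.
        self.secret = secrets.token_bytes(32)
        self.seen_nc = {}  # nonce -> highest nonce count accepted so far

    def new_nonce(self) -> str:
        # Layout (assumed for this demo): "<unix time>:<random>:<hmac of both>"
        ts, rnd = str(int(self.clock())), secrets.token_hex(8)
        mac = hmac.new(self.secret, f"{ts}:{rnd}".encode(), hashlib.sha256).hexdigest()
        return f"{ts}:{rnd}:{mac}"

    def _nonce_valid(self, nonce: str) -> bool:
        parts = nonce.split(":")
        if len(parts) != 3:
            return False
        ts, rnd, mac = parts
        expected = hmac.new(self.secret, f"{ts}:{rnd}".encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac.encode(), expected.encode()):
            return False  # server nonce check: we never issued this one
        try:
            age = self.clock() - int(ts)
        except ValueError:
            return False
        return 0 <= age <= self.max_age  # stale nonces are refused

    def verify(self, method: str, params: dict) -> bool:
        """params: key/value pairs parsed from an 'Authorization: Digest' header."""
        required = ("username", "realm", "nonce", "uri", "qop", "nc", "cnonce", "response")
        if any(k not in params for k in required):
            return False
        if params["realm"] != self.realm:
            return False  # realm check
        if params["qop"] != "auth":
            return False  # qop check: only 'auth' is implemented here
        nonce = params["nonce"]
        if not self._nonce_valid(nonce):
            return False
        try:
            nc = int(params["nc"], 16)
        except ValueError:
            return False
        if nc <= self.seen_nc.get(nonce, 0):
            return False  # nonce count did not increase: a replayed request
        password = self.users.get(params["username"])
        if password is None:
            return False
        ha1 = _md5(f"{params['username']}:{self.realm}:{password}")
        ha2 = _md5(f"{method}:{params['uri']}")
        expected = _md5(f"{ha1}:{nonce}:{params['nc']}:{params['cnonce']}:auth:{ha2}")
        if not hmac.compare_digest(expected.encode(), params["response"].encode()):
            return False
        self.seen_nc[nonce] = nc  # record the count only after a successful check
        return True


def client_response(username, password, realm, method, uri, nonce, nc, cnonce):
    """What a well-behaved client sends; used here to build demo headers."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


def demo() -> dict:
    """Exercise the checks and report which constructed requests were accepted."""
    v = DigestVerifier(REALM, USERS)
    nonce = v.new_nonce()

    def hdr(nc, realm=REALM, qop="auth", nonce=nonce, cnonce="0a4f113b", uri="/dir/index.html"):
        resp = client_response("alice", USERS["alice"], realm, "GET", uri, nonce, nc, cnonce)
        return {"username": "alice", "realm": realm, "nonce": nonce, "uri": uri,
                "qop": qop, "nc": nc, "cnonce": cnonce, "response": resp}

    return {
        "first": v.verify("GET", hdr("00000001")),
        "replay": v.verify("GET", hdr("00000001")),  # same nonce and nc again
        "next": v.verify("GET", hdr("00000002")),
        "wrong_realm": v.verify("GET", hdr("00000003", realm="other")),
        "wrong_qop": v.verify("GET", hdr("00000003", qop="auth-int")),
        "forged_nonce": v.verify("GET", hdr("00000003", nonce="1:deadbeef:00")),
    }


if __name__ == "__main__":
    print(demo())
```

The `clock` parameter exists so nonce expiry can be tested without sleeping; without the age bound, a captured nonce plus a large nonce count would stay usable indefinitely, which is why both the count and the age are enforced together.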
