I will take a look at it later, just have some other issues on hand now. 2011/9/27 David Jencks <[email protected]>
> To deal with this in geronimo, I think the 2.1.x can just use the updated > tomcat code, but for 2.2.x and trunk we've copied the digest auth code into > a jaspi like authenticator that will need to be updated. While I could do > this it might be better if someone else became more familiar with the code. > Any volunteers? > > thanks > david jencks > > > Begin forwarded message: > > *From: *Mark Thomas <[email protected]> > *Date: *September 26, 2011 4:08:30 AM PDT > *To: *Tomcat Users List <[email protected]> > *Cc: *Tomcat Developers List <[email protected]>, Tomcat Announce List > <[email protected]>, [email protected], > [email protected], [email protected] > *Subject: **[SECURITY] CVE-2011-1184 Apache Tomcat - Multiple weaknesses > in HTTP DIGEST authentication* > *Reply-To: *"Tomcat Developers List" <[email protected]> > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > CVE-2011-1184 Apache Tomcat - Multiple weaknesses in HTTP DIGEST > authentication > > Severity: Moderate > > Vendor: The Apache Software Foundation > > Versions Affected: > - - Tomcat 7.0.0 to 7.0.11 > - - Tomcat 6.0.0 to 6.0.32 > - - Tomcat 5.5.0 to 5.5.33 > - - Earlier, unsupported versions may also be affected > > Description: > The implementation of HTTP DIGEST authentication was discovered to > have several weaknesses: > - - replay attacks were permitted > - - server nonces were not checked > - - client nonce counts were not checked > - - qop values were not checked > - - realm values were not checked > - - the server secret was hard-coded to a known string > The result of these weaknesses is that DIGEST authentication was only > as secure as BASIC authentication. > > Mitigation: > Users of Tomcat 7.0.x should upgrade to 7.0.12 or later > Users of Tomcat 6.0.x should upgrade to 6.0.33 or later > Users of Tomcat 5.5.x should upgrade to 5.5.34 or later > > Credit: > This issue was identified by the Apache Tomcat security team > > References: > http://tomcat.apache.org/security.html > http://tomcat.apache.org/security-7.html > http://tomcat.apache.org/security-6.html > http://tomcat.apache.org/security-5.html > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.9 (MingW32) > Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ > > iQIcBAEBAgAGBQJOgF0tAAoJEBDAHFovYFnnv70QALdoVwivDt9bXBEpMgjJ0/NY > kadCFsA/X+O8TEKTRx/85B54Spgv8dGJFiPMettdbfjFuq7ADsRiAbxsZQ3dEIfJ > esrWfPJRTpXhjKU1OOLmoDvoueAD0pD7/qvl8o9bFowxGXLWqvO/elFe+4AH2YjZ > ux9tWOlWn46Q7ffaNOzRebjPVIQ3ebB+FH9ToZAdNfFFIZbtxYRMV02wRfHWq+fU > kTJ+hKF0XOpzyIut3zkmE00ZuvGAPLdnZcMKq9m/X/dt/niP2nT8H28Xx1Zu8sW+ > CUE7CRse4pI6fGuXVrOAk1akyN/hkiSPxDNsDnHxALTNmjr1Z+DAs7QT5IKc3EDv > NeSXAnxKfIJ83jcjam1bEf38UN1uYatP/u6XJCVpnOr0UjJ9wtO+QgSV/93eiyD7 > YCpVcmKay/jvWmLPp7MRB+h6FGhJNw5OA5k7IWJePBXC39p6tpac3vsOKx1OGU38 > QKUglIro/TtZo7gmfeG8lD3lI493l25+3E/vBiSrbfSHua3bmyFQikQMhy2ZPYIt > 4wEfdaW4hUBJHpxkDaotuTTN8ATzQLtDNTGei2u76ZXQiOjTLUDGam++6fR+kfZU > gloAy8ZIS702hoXg/ypFPtcyIx435dOgxtGIbOedmDUsy1ErGTCAksrOyn2yZl3v > +Ew0bAULNmXwKQeMyDj0 > =u/Ai > -----END PGP SIGNATURE----- > > --------------------------------------------------------------------- > To unsubscribe, e-mail: [email protected] > For additional commands, e-mail: [email protected] > > > -- Ivan
