After rolling out a -rHEAD at a site using digest - took them a while to guess
the Seed thing below.


Dw


dyn-203:~/ASF/apache-1.3 dirkx$ cvs diff -u Announcement src/CHANGES
Enter passphrase for key '/Users/dirkx/.ssh/id_rsa':
Index: Announcement
===================================================================
RCS file: /home/cvs/apache-1.3/Announcement,v
retrieving revision 1.103
diff -u -r1.103 Announcement
--- Announcement 29 Apr 2004 20:48:22 -0000 1.103
+++ Announcement 30 Apr 2004 13:40:26 -0000
@@ -20,7 +20,8 @@
o CAN-2003-0987 (cve.mitre.org)
In mod_digest, verify whether the nonce returned in the client
response is one we issued ourselves. This problem does not affect
- mod_auth_digest.
+ mod_auth_digest. If you are using Digest auth across multiple
+ servers; then do consult the AuthDigestRealmSeed directive.


o CAN-2003-0020 (cve.mitre.org)
Escape arbitrary data before writing into the errorlog.
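Review bot: the added Announcement sentence tells the reader to consult AuthDigestRealmSeed but not why, and the semicolon in "across multiple servers; then do consult" should be a comma. Since the fix verifies a nonce against a per-server seed, a server with a different seed will reject nonces issued by its peers; suggest saying so, e.g. "If you are using Digest auth across multiple servers, set AuthDigestRealmSeed to the same value on every server that serves the realm." As written, an admin who skips the mod_digest documentation will only learn this when logins start failing after the upgrade.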
Index: src/CHANGES
===================================================================
RCS file: /home/cvs/apache-1.3/src/CHANGES,v
retrieving revision 1.1938
diff -u -r1.1938 CHANGES
--- src/CHANGES 29 Apr 2004 19:47:11 -0000 1.1938
+++ src/CHANGES 30 Apr 2004 13:40:33 -0000
@@ -3,8 +3,10 @@
*) SECURITY: CAN-2003-0987 (cve.mitre.org)
Verification as to whether the nonce returned in the client response
is one we issued ourselves by means of a AuthDigestRealmSeed secret
- exposed as an md5(). See mod_digest documentation for more details.
- The experimental mod_auth_digest.c does not have this issue.
+ exposed as an md5(). See mod_digest documentation for more details,
+ especially the AuthDigestRealmSeed if you are using digest
+ authentication across multiple servers. The experimental
+ mod_auth_digest.c does not have this issue.
[Dirk-Willem van Gulik, Jeff Trawick, Jim Jagielski]
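Review bot: "by means of a AuthDigestRealmSeed secret" should read "an AuthDigestRealmSeed secret" (unchanged context line, but this entry is being edited anyway). The new wording "especially the AuthDigestRealmSeed if you are using digest authentication across multiple servers" still leaves the consequence implicit; one extra clause such as "which must be identical on all servers sharing a realm, as nonces are now checked against it" would make the CHANGES entry self-contained and match the Announcement.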

