154328 2006-11-07 00:50 0000 net-proxy/3proxy User DoS? 2006-11-28 17:31:27 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED INVALID http://www.security.nnov.ru/soft/3proxy/0.5.3a/Release.notes.txt jaervosz P2 normal --- 1 jaervosz@gentoo.org security@gentoo.org net-proxy@gentoo.org jaervosz@gentoo.org 2006-11-07 00:50:48 0000 Fixed: NTLM authentication doesn't work for NT-encoded passwords and may cause account blocking (reported by boris16 at tut.by) vorlon@gentoo.org 2006-11-09 06:02:42 0000 CC'ing net-proxy this does not really sound like a security issue, does it? mrness@gentoo.org 2006-11-09 06:37:08 0000 Created an attachment (id=101536) The only source file differences between 0.5.3 and 0.5.3a This patch contains the only source file differences between 0.5.3 and 0.5.3a. mrness@gentoo.org 2006-11-09 06:45:03 0000 I've bumped the version to 0.5.3a, but I don't understand the problem. In first case, 2 pointers are converted to unsigned, then substracted, then the result is casted to unsigned char. In second case, 2 pointers are converted to (unsigned char*), then substracted, then the result is casted to unsigned char. At first look, I don't see any difference between those 2 cases. Mike, can you explain it, please? vapier@gentoo.org 2006-11-09 15:54:50 0000 that change is what i requested the diff you should be reviewing is 0.5.2 to 0.5.3a mrness@gentoo.org 2006-11-10 07:02:17 0000 Doesn't look like a security issue to me. The only NTLM related change is in proxy.c file: "HTTP/1.0 407 Proxy Authentication Required\r\n" - "Proxy-Authenticate: basic realm=\"proxy\"\r\n" "Proxy-Authenticate: NTLM\r\n" + "Proxy-Authenticate: basic realm=\"proxy\"\r\n" "Proxy-Connection: close\r\n" jaervosz@gentoo.org 2006-11-20 22:40:04 0000 Alin/SpanKY any news on this one? Or is it INVALID? mrness@gentoo.org 2006-11-20 22:50:11 0000 I've looked over the diff between 0.5.2 and 0.5.3 and I didn't found a security security issue in it. Ask Mike if he has knowledge of such issue (he isn't member of net-proxy team so it doesn't receive this comment on email). jaervosz@gentoo.org 2006-11-20 23:56:39 0000 Thx Alin. SpanKY is on the security team, so he should be getting these as well. vapier@gentoo.org 2006-11-28 17:31:27 0000 not a security issue, thanks Alin for reviewing i tend to read security lists in bulk ;) 101536 2006-11-09 06:37 0000 The only source file differences between 0.5.3 and 0.5.3a ntlm.c.diff text/plain ZGlmZiAtTnJ1IDAuNS4zL3NyYy9udGxtLmMgMC41LjNhL3NyYy9udGxtLmMKLS0tIDAuNS4zL3Ny Yy9udGxtLmMJMjAwNi0wMy0xMCAyMToyNTo1MC4wMDAwMDAwMDAgKzAyMDAKKysrIDAuNS4zYS9z cmMvbnRsbS5jCTIwMDYtMTAtMTUgMTE6NDA6MDQuMDAwMDAwMDAwICswMzAwCkBAIC03NCw3ICs3 NCw4IEBACiAJbGVuID0gKHN0cmxlbihob3N0bmFtZSkgPDwgMSk7CiAJY2hhbC0+ZG9tX2xlblsw XSA9IGxlbjsKIAljaGFsLT5kb21fbWF4X2xlblswXSA9IGxlbjsKLQljaGFsLT5kb21fb2Zmc2V0 WzBdID0gICh1bnNpZ25lZCljaGFsLT5kYXRhIC0gKHVuc2lnbmVkKWNoYWw7CisJY2hhbC0+ZG9t X29mZnNldFswXSA9ICAodW5zaWduZWQgY2hhcikoKHVuc2lnbmVkIGNoYXIgKiljaGFsLT5kYXRh IC0gKHVuc2lnbmVkIGNoYXIgKiljaGFsKTsKKwogCWNoYWwtPmZsYWdzWzBdID0gMHgwMzsKIAlj aGFsLT5mbGFnc1sxXSA9IDB4ODI7CiAJY2hhbC0+ZmxhZ3NbMl0gPSAweDgxOwo=