Bug 154328 - net-proxy/3proxy User DoS?
|
Bug#:
154328
|
Product: Gentoo Security
|
Version: unspecified
|
Platform: All
|
|
OS/Version: Linux
|
Status: RESOLVED
|
Severity: normal
|
Priority: P2
|
|
Resolution: INVALID
|
Assigned To: security@gentoo.org
|
Reported By: jaervosz@gentoo.org
|
|
Component: Vulnerabilities
|
|
|
URL:
http://www.security.nnov.ru/soft/3proxy/0.5.3a/Release.notes.txt
|
|
Summary: net-proxy/3proxy User DoS?
|
|
Keywords:
|
|
Status Whiteboard: jaervosz
|
|
Opened: 2006-11-07 00:50 0000
|
Fixed: NTLM authentication doesn't work for NT-encoded passwords and may
cause account blocking (reported by boris16 at tut.by)
CC'ing net-proxy
this does not really sound like a security issue, does it?
I've bumped the version to 0.5.3a, but I don't understand the problem.
In first case, 2 pointers are converted to unsigned, then substracted, then the
result is casted to unsigned char.
In second case, 2 pointers are converted to (unsigned char*), then substracted,
then the result is casted to unsigned char.
At first look, I don't see any difference between those 2 cases.
Mike, can you explain it, please?
that change is what i requested
the diff you should be reviewing is 0.5.2 to 0.5.3a
Doesn't look like a security issue to me. The only NTLM related change is in
proxy.c file:
"HTTP/1.0 407 Proxy Authentication Required\r\n"
- "Proxy-Authenticate: basic realm=\"proxy\"\r\n"
"Proxy-Authenticate: NTLM\r\n"
+ "Proxy-Authenticate: basic realm=\"proxy\"\r\n"
"Proxy-Connection: close\r\n"
Alin/SpanKY any news on this one? Or is it INVALID?
I've looked over the diff between 0.5.2 and 0.5.3 and I didn't found a security
security issue in it. Ask Mike if he has knowledge of such issue (he isn't
member of net-proxy team so it doesn't receive this comment on email).
Thx Alin. SpanKY is on the security team, so he should be getting these as
well.
not a security issue, thanks Alin for reviewing
i tend to read security lists in bulk ;)
