<p><a href="https://redmine.lighttpd.net/issues/1844?journal_id=9725">Lighttpd - Bug #1844: Serious security problem in Digest Authentication</a> (lighty labs, 2016-06-15T18:15:00Z, gstrauss)</p>
<ul><li><strong>Related to</strong> <i><a class="issue tracker-2 status-8 priority-3 priority-lowest closed" href="/issues/806">Feature #806</a>: implementation of digest auth MD5-sess does not conform to rfc2617</i> added</li></ul>
<p><a href="https://redmine.lighttpd.net/issues/1844?journal_id=9727">Lighttpd - Bug #1844: Serious security problem in Digest Authentication</a> (2016-06-15T18:15:24Z, gstrauss)</p>
<p>updated reference: <a class="external" href="https://redmine.lighttpd.net/boards/2/topics/231">https://redmine.lighttpd.net/boards/2/topics/231</a></p>
<p><a href="https://redmine.lighttpd.net/issues/1844?journal_id=9728">Lighttpd - Bug #1844: Serious security problem in Digest Authentication</a> (2016-06-16T05:32:30Z, gstrauss)</p>
<ul><li><strong>Target version</strong> set to <i>1.4.41</i></li></ul>
<p><a href="https://redmine.lighttpd.net/issues/1844?journal_id=9730">Lighttpd - Bug #1844: Serious security problem in Digest Authentication</a> (2016-06-18T03:04:07Z, gstrauss)</p>
<ul><li><strong>Status</strong> changed from <i>New</i> to <i>Patch Pending</i></li></ul><p>Pending patches reject a URI mismatch and expire the nonce after 10 minutes, sending <code>WWW-Authenticate: ... stale=true</code> to the client so that it will recreate a new digest using the included (new) nonce. These changes make lighttpd mod_auth Digest a better choice than Basic auth starting with lighttpd 1.4.41 (which has not yet been released at the time this is being written).</p>
<p>Excerpt from <a class="external" href="https://www.rfc-editor.org/rfc/rfc7616.txt">https://www.rfc-editor.org/rfc/rfc7616.txt</a> Section 5.13:</p>
<blockquote>
<p>The bottom line is that <strong>any</strong> compliant implementation will be relatively weak by cryptographic standards, but <strong>any</strong> compliant implementation will be far superior to Basic Authentication.</p>
</blockquote>
<p><a href="https://redmine.lighttpd.net/issues/1844?journal_id=10271">Lighttpd - Bug #1844: Serious security problem in Digest Authentication</a> (2016-07-17T04:05:06Z, gstrauss)</p>
<ul><li><strong>Status</strong> changed from <i>Patch Pending</i> to <i>Fixed</i></li><li><strong>% Done</strong> changed from <i>0</i> to <i>100</i></li></ul><p>Applied in changeset <a class="changeset" title="[mod_auth] fix Digest auth to be better than Basic (fixes #1844) Make Digest authentication more..." href="https://redmine.lighttpd.net/projects/lighttpd/repository/14/revisions/00cc4d7c0ecd9be2c5f1cd6a5397b78f75830905">00cc4d7c0ecd9be2c5f1cd6a5397b78f75830905</a>.</p>
<p><a href="https://redmine.lighttpd.net/issues/1844?journal_id=11836">Lighttpd - Bug #1844: Serious security problem in Digest Authentication</a> (2019-08-22T13:52:28Z, stbuehler)</p>
<ul><li><strong>Related to</strong> <i><a class="issue tracker-1 status-6 priority-4 priority-default closed" href="/issues/2974">Bug #2974</a>: HTTP digest authentication not compatible with some clients</i> added</li></ul>
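<p>The two server-side checks gstrauss describes in the Patch Pending note (reject an Authorization header whose <code>uri=</code> does not match the request URI; expire the nonce after 10 minutes and answer with <code>WWW-Authenticate: ... stale=true</code> so the client re-digests with the fresh nonce) worked through as an added Python example. This is illustration code written for this page, not lighttpd's mod_auth code: the realm, the user table, the HMAC-tagged nonce layout, the <code>nonce_state</code>/<code>authenticate</code> helpers and the fixed timestamps are all assumptions made for the example, and the RFC's default <code>algorithm=MD5</code> is used throughout.</p>

```python
import base64
import hashlib
import hmac
import os
import re
import time

# Constructed values for this example (not lighttpd's realm, users or nonce format).
REALM = "example-realm"
NONCE_TTL = 600                 # 10 minutes, the expiry described in the Patch Pending note
SERVER_KEY = os.urandom(32)     # per-process secret that tags nonces so clients cannot mint them
PASSWORDS = {"alice": "correct horse battery staple"}   # constructed user table

_PARAM = re.compile(r'(\w+)=(?:"((?:[^"\\]|\\.)*)"|([^\s,]+))')

def md5hex(s):
    return hashlib.md5(s.encode()).hexdigest()

def parse_digest(header):
    """Split 'Digest k="v", k2=v2, ...' into a dict (quoted and unquoted parameter forms)."""
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest header")
    return {k: (q or u).replace('\\"', '"') for k, q, u in _PARAM.findall(params)}

def make_nonce(now=None):
    """nonce = base64(timestamp ':' HMAC(SERVER_KEY, timestamp)); the tag proves the server issued it."""
    ts = str(int(time.time() if now is None else now))
    tag = hmac.new(SERVER_KEY, ts.encode(), hashlib.sha256).hexdigest()[:32]
    return base64.b64encode(f"{ts}:{tag}".encode()).decode()

def nonce_state(nonce, now=None):
    """'ok', 'stale' (genuine but older than NONCE_TTL) or 'bad' (forged or garbled)."""
    try:
        ts, tag = base64.b64decode(nonce, validate=True).decode().split(":", 1)
        issued = int(ts)
    except ValueError:
        return "bad"
    expected = hmac.new(SERVER_KEY, ts.encode(), hashlib.sha256).hexdigest()[:32]
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return "bad"
    age = (time.time() if now is None else now) - issued
    return "stale" if age > NONCE_TTL or age < 0 else "ok"

def digest_response(user, password, realm, method, uri, nonce, nc, cnonce, qop):
    """RFC 7616 response for algorithm=MD5: the qop=auth form, or the RFC 2069 form when qop is absent."""
    a1 = md5hex(f"{user}:{realm}:{password}")
    a2 = md5hex(f"{method}:{uri}")
    if qop:
        return md5hex(f"{a1}:{nonce}:{nc}:{cnonce}:{qop}:{a2}")
    return md5hex(f"{a1}:{nonce}:{a2}")

def client_authorization(user, password, method, uri, challenge_params,
                         cnonce="0a4f113b", nc="00000001"):
    """What a client sends back for a parsed WWW-Authenticate challenge."""
    nonce, realm = challenge_params["nonce"], challenge_params["realm"]
    offered = [q.strip() for q in challenge_params.get("qop", "").split(",")]
    qop = "auth" if "auth" in offered else None
    resp = digest_response(user, password, realm, method, uri, nonce, nc, cnonce, qop)
    parts = [f'username="{user}"', f'realm="{realm}"', f'nonce="{nonce}"',
             f'uri="{uri}"', f'response="{resp}"']
    if qop:
        parts += [f"qop={qop}", f"nc={nc}", f'cnonce="{cnonce}"']
    return "Digest " + ", ".join(parts)

def challenge(stale=False, now=None):
    """401 with a fresh nonce; stale=true tells the client to re-digest without re-prompting."""
    hdr = f'Digest realm="{REALM}", qop="auth", nonce="{make_nonce(now)}"'
    if stale:
        hdr += ", stale=true"
    return 401, {"WWW-Authenticate": hdr}

def authenticate(method, request_uri, authorization, now=None):
    """Server side: returns (status, response_headers) for one request."""
    if not authorization:
        return challenge(now=now)
    try:
        p = parse_digest(authorization)
        user, nonce, uri, response = p["username"], p["nonce"], p["uri"], p["response"]
    except (ValueError, KeyError):
        return 400, {}
    # The uri the client hashed must be the URI it is actually requesting; otherwise a
    # digest captured for one resource could be replayed against another one.
    if uri != request_uri or p.get("realm") != REALM:
        return challenge(now=now)
    state = nonce_state(nonce, now)
    if state == "bad" or user not in PASSWORDS or p.get("qop") not in (None, "auth"):
        return challenge(now=now)
    expected = digest_response(user, PASSWORDS[user], REALM, method, uri, nonce,
                               p.get("nc", ""), p.get("cnonce", ""), p.get("qop"))
    if not hmac.compare_digest(expected.encode(), response.encode()):
        return challenge(now=now)          # wrong password: plain 401, never stale=true
    if state == "stale":                   # right password, expired nonce: ask for a re-digest
        return challenge(stale=True, now=now)
    return 200, {}
```

<p>The ordering in <code>authenticate</code> matters: the digest is verified before <code>stale=true</code> is ever sent, so the stale flag only confirms a correct password to a client holding an expired nonce, which is what RFC 7616 requires. The example deliberately leaves out <code>nc</code> replay tracking and <code>auth-int</code>; a production implementation needs the former to stop a captured request being resent within the nonce lifetime.</p>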