Package: ftp.debian.org
Severity: normal

I think it's time we dropped apache-mod-auth-ntlm-winbind.

It's been orphaned in Debian for just over 3 years (I was the last maintainer). It's not been updated upstream for many years. I can't easily check exactly when, as the upstream SVN repo which actually had the latest version seems to have gone away, and their git mirror seems to be missing the 16 most recent commits, but the packaged source is more than 8 years old and the git mirror's most recent change is from 2007-11-08.

There are problems with NTLM's design which mean it's just not secure enough, especially given the computing power that's now easily available to an attacker. Wikipedia has a summary: https://en.wikipedia.org/wiki/NT_LAN_Manager#Weakness_and_Vulnerabilities

HTTP Negotiate Auth offers a more secure replacement option, provided you're able to run it over https. But thanks to LE, https certificates can be had for free now.

I didn't request removal when I orphaned the package in case it was still useful to someone in particular circumstances, but that was just over 3 years ago and the likelihood of that will have decreased still further.

Cheers,
Olly