On 6/5/14 11:29 PM, Ben Reser wrote:
> On 6/5/14, 6:16 PM, Bert Huijben wrote:
>> Do we make sure that we only send the password to an exact match of the
>> realm?
>> Otherwise somebody might be able to theoretically steal passwords by using a
>> special realm string on a completely different server.
>
> Moving this to private.
>
> Trunk has code to protect against that. You wrote it in December:
> http://svn.apache.org/r1550691
> http://svn.apache.org/r1550772
>
> Older versions don't. We should probably fix that given that MD5 collisions
> are possible to engineer. See:
> http://www.mscs.dal.ca/~selinger/md5collision/
>
> You'd have to convince someone's SVN client to connect to some other server
> that you controlled, but that's not impossible with some social engineering.
>
> I think we should treat the above changes as something that should be
> backported to 1.7/1.8 as a security fix.
>
> Any other opinions?
secur...@apache.org folks can we get a CVE number for this?
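An added illustration (not code from this thread or from Subversion itself) of the check being discussed: a credential cache whose entries are keyed by the MD5 of the realm string, with a lookup that trusts the hash alone shown beside one that also requires the stored realm string to match exactly. The class, the `svn:realmstring` field name, the sample realms and the simulated collision are assumptions made for the example.

```python
import hashlib


class CredentialCache:
    """Cache of simple-auth credentials, keyed by MD5 of the realm string.
    Every entry also records the realm it was saved for (assumed field name)."""

    def __init__(self):
        self._entries = {}

    @staticmethod
    def key_for(realm):
        return hashlib.md5(realm.encode("utf-8")).hexdigest()

    def store(self, realm, username, password):
        self._entries[self.key_for(realm)] = {
            "svn:realmstring": realm, "username": username, "password": password}

    def lookup_weak(self, realm):
        """Trusts the hash alone: any realm that collides on MD5 gets the creds."""
        entry = self._entries.get(self.key_for(realm))
        return None if entry is None else (entry["username"], entry["password"])

    def lookup_checked(self, realm):
        """Hardened: the recorded realm must equal the requested realm exactly,
        so a colliding hash is not enough to release the cached password."""
        entry = self._entries.get(self.key_for(realm))
        if entry is None or entry["svn:realmstring"] != realm:
            return None
        return entry["username"], entry["password"]


def demo():
    """Constructed scenario: credentials are cached for realm `good`; a second
    realm string is assumed to MD5-collide with it. No real collision is
    computed here; it is simulated by aliasing the cache slot."""
    good = "<https://svn.example.org:443> Example Repository"
    other = "<https://other.example:443> unrelated realm"
    cache = CredentialCache()
    cache.store(good, "alice", "s3cret")
    # Simulate the collision: a lookup for `other` lands on `good`'s entry.
    cache._entries[cache.key_for(other)] = cache._entries[cache.key_for(good)]
    return (cache.lookup_weak(other),      # hash-only lookup leaks the creds
            cache.lookup_checked(other),   # exact-realm check returns None
            cache.lookup_checked(good))    # legitimate realm still works
```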