I just tried with a plain apache on xenial using digest authentication
and that worked. Could you elaborate a bit on your setup?
You have one apache acting as a reverse proxy, and the authentication is
done on the backend apache?
** Changed in: apache2 (Ubuntu)
Status: New => Incomplete
I'll check again tomorrow, and also let the secteam in on this bug.
On Tue, Sep 4, 2018, 18:40 Andreas Hasenack wrote:
> Are you sure you are in ubuntu 14.04.5? Trusty's latest apache2 is
> 2.4.7-1ubuntu4.20
>
> I assume you meant xenial, which does have 2.4.18-2ubuntu3.8 in security
> but has 3.
Are you sure you are in ubuntu 14.04.5? Trusty's latest apache2 is
2.4.7-1ubuntu4.20
I assume you meant xenial, which does have 2.4.18-2ubuntu3.8 in security
but has 3.9 in updates.
3.8 has security fixes around "nonce generation":
* SECURITY UPDATE: insecure nonce generation
- debian/patc