Hi Julien,

* Julien BLACHE <[EMAIL PROTECTED]> [2007-10-17 20:13]:
> Daniel-Constantin Mierla <[EMAIL PROTECTED]> wrote:
[...]
> > The solution of letting the check in config file is to give more
> > liberty in performing it. Imagine that the proxies are behind a load
> > balancer, and the R-URI is changed by the LB, in that case all auth
> > will fail. The admin can add the initial R-URI in a special header at
> > LB and in the proxy compare that value with the digest URI. Embedding
> > this check in auth modules seemed too rigid.
>
> Indeed.
>
> I think someone's been a bit too trigger-happy with the CVE
> assignment. I'll upload packages patched with SVN rev 2852 if the
> security team feels it's necessary, otherwise I'm perfectly happy with
> just closing that bug report.

This was marked as a security flaw with low impact in the security
tracker by me. So this is no "please upload as fast as possible" bug
but I think the patch won't hurt.

Kind regards
Nico
-- 
Nico Golde - http://ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.