[mod_cluster-issues] [JBoss JIRA] (MODCLUSTER-338) Advertise adds a message digest even if security key is not configured

Radoslav Husar (JIRA) issues at jboss.org
Thu Jan 23 14:08:28 EST 2014


     [ https://issues.jboss.org/browse/MODCLUSTER-338?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Radoslav Husar updated MODCLUSTER-338:
--------------------------------------

              Status: Pull Request Sent  (was: Reopened)
    Git Pull Request: https://github.com/modcluster/mod_cluster/pull/58, https://github.com/modcluster/mod_cluster/pull/18  (was: https://github.com/modcluster/mod_cluster/pull/18)


Reopening -- not good for backward compatibility of 1.2.x native to 1.3.x Java (i.e. security key would have to be configured).

Fix via https://github.com/modcluster/mod_cluster/pull/58
                
> Advertise adds a message digest even if security key is not configured
> ----------------------------------------------------------------------
>
>                 Key: MODCLUSTER-338
>                 URL: https://issues.jboss.org/browse/MODCLUSTER-338
>             Project: mod_cluster
>          Issue Type: Bug
>    Affects Versions: 1.2.4.Final
>            Reporter: Radoslav Husar
>            Assignee: Radoslav Husar
>             Fix For: 1.3.0.Alpha1
>
>
> As Wireshark hints, the message digest is always included in the message even if the advertise security key is not configured.
> This would not be such a problem if the salt actually used weren't random bits from memory.
> This renders the digest completely useless since it can never be verified.
