Two issues with the MySQL module and one with HTTP proxy are fixed:
Salts used in the MySQL handshake were not randomised (was also marked as TODO comment)
Sending a malformed string as the MySQL username would crash the server
The HTTP Proxy page was missing a new line at the end (compared to the original Squid server)
All of these issues allowed an attacker to identify the canary without triggering an alert.
Lastly, the test where the MySQL password was checked needed to be disabled. This would fail because the salts are now random, and the password is unpredictable.
Thanks so much for the bug fixes. These are totally great. Please email me at jay [at] thinkst [dot] com so that we can send you something to say thanks for contributing to our project
Two issues with the MySQL module and one with HTTP proxy are fixed:
All of these issues allowed an attacker to identify the canary without triggering an alert.
Lastly, the test where the MySQL password was checked needed to be disabled. This would fail because the salts are now random, and the password is unpredictable.