Thanks Emilio and Salvatore for very valuable comments!
I think, then, that it would be a more proper way to upload the lower
upstream version 3.20181128.1 into Jessie and Stretch to escape
higher versions on older releases.
This 3.20181128.1 version also fixes CVE-2017-5715 and is now the
curre
Ola Lundqvist writes:
> I have ideas on how we can reduce the attack possibilities but I cannot
> find any perfect solution to this.
What about setting samesite=Lax in the session Cookie? This should solve
all problems for POST requests. Are there any vulnerable GET requests?
Additionally this i
The comment about that one is safe for anyone to have and the private
cannot be leaked is really strange. It is trivial to generate the private
one, just as you write.
// Ola
On Tue, 10 Mar 2020 at 07:38, Brian May wrote:
> Ola Lundqvist writes:
>
> > I think the attacker needs to be very clos
Hi
I do not see how the SameSite attribute would help in this case. Or how do you
mean that it would protect against this?
// Ola
On Thu, 12 Mar 2020 at 22:02, Brian May wrote:
> Ola Lundqvist writes:
>
> > I have ideas on how we can reduce the attack possibilities but I cannot
> > find any perfe