1. Name of organization: Information Security Laboratory, National Sun
Yat-Sen University, Taiwan.
2. Organization type: educational
3. Home page link: http://isl.cse.nsysu.edu.tw
4. A paragraph or two describing how your organization uses Debian:
The system is used as email, file, and
> Please provide a demonstration attack that would force users into
> downloading, and wrongly checking, a malicious package. The only way that can
> happen is if a mirror is already compromised, and that's why we have
> per-signature GPG releases for the archive [1].
Verification of signatures i
Your passion will guide your research and work within the group at a
unique level.
The smart advertising agencies do it.
B: Even if you have the greatest product in the world, you will never
sell anything if you don't tell people about it. In many states, you pay
a registration fee to the county
On Mon, Dec 11, 2006 at 09:42:35PM +0100, Stefan Scheler wrote:
> > Fixed and uploaded, see #402631.
>
> Erm, do you think this is a good fix? You're only checking the length!
Please provide a demonstration attack that would force users into
downloading, and wrongly checking, a malicious package. The o
On Mon, Dec 11, 2006 at 10:11:34PM +0100, Christian Boltz wrote:
> > Not that I wouldn't want to see this fixed but, really, this is as
> > low risk as it can get. Through XSS no one could retrieve user
> > credentials and no one should be trusting (in this day and age) the
> > information from a we
Hello,
On 11 December 2006 at 18:51, Javier Fernández-Sanguino Peña wrote:
> On Mon, Dec 11, 2006 at 04:57:30PM +0100, Christian Boltz wrote:
[please CC me in replies, I'm not subscribed]
> > it's easy to do some code injection in packages.debian.org:
>
> This is not code injection, it's cross
Hi all on list.
As mentioned on the http://www.debian.org/users/ page, I'm emailing my
submission. I hope you may be able to consider my company for listing
as Debian users. To answer your questions:
1 - Name of organisation: David and Joe Ltd, Scotland
2 - Org type: commercial
3 - Home page: ht
> Fixed and uploaded, see #402631.
Erm, do you think this is a good fix? You're only checking the length!
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
On Mon, Dec 11, 2006 at 08:17:11PM +0100, Bernhard R. Link wrote:
> I was just made aware, that
> http://packages.debian.org/cgi-bin/download.pl
> is very liberal in putting arbitrary stuff into the website,
> try for example:
>
> http://packages.debian.org/cgi-bin/download.pl?arch=i386&file=";> h
I was just made aware, that
http://packages.debian.org/cgi-bin/download.pl
is very liberal in putting arbitrary stuff into the website,
try for example:
http://packages.debian.org/cgi-bin/download.pl?arch=i386&file=";>
Your message dated Mon, 11 Dec 2006 20:27:26 +0100
with message-id <[EMAIL PROTECTED]>
and subject line Committed
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen
On Mon, Dec 11, 2006 at 06:51:34PM +0100, Javier Fernández-Sanguino Peña wrote:
> This is not code injection, it's cross site-scripting. Given that:
>
> - packages.debian.org does not have any kind of client authentication
> - packages.debian.org does not use SSL certificate
>
> this is as much a
Package: www.debian.org
Version: N/A; reported 2006/12/11
Severity: minor
Tags: security
Christian Boltz reported in the debian-www mailing list [1] that the
download.pl CGI used in packages.debian.org is vulnerable to XSS attacks.
This seems to have been "discovered" by fefe [2]
I don't believe
On Mon, Dec 11, 2006 at 04:57:30PM +0100, Christian Boltz wrote:
> Hello,
>
> [please CC me in replies, I'm not subscribed]
>
> it's easy to do some code injection in packages.debian.org:
This is not code injection, it's cross site-scripting. Given that:
- packages.debian.org does not have
Please update my vendor record (URL of web page with info about Debian CDs has
changed):
Vendor Name: Elaborazione Dati Pinerolo srl
URL of Vendor: http://www.pixel.it
Whether or not you donate some of the sale to Debian: no
Type of CDs sold: official stable, weekly snapshot of testing
Country y
Hello,
[please CC me in replies, I'm not subscribed]
it's easy to do some code injection in packages.debian.org:
http://packages.debian.org/cgi-bin/download.pl?arch=i386&file=pool%2Fmain%2Fd%2Fdietlibc%2Fdietlibc_0.28-3_i386.deb&md5sum=not%20available%20because%20the%20site%20is%20hacked&arc