> Please provide a demonstration attack that would force users into
> downloading, and wrongly checking, a malicious package. The only way that can
> happen is if a mirror is already compromised, and that's why we have
> per-signature GPG releases for the archive [1].
Verification of signatures i
On Mon, Dec 11, 2006 at 09:42:35PM +0100, Stefan Scheler wrote:
> > Fixed and uploaded, see #402631.
>
> Erm, do you think this is a good fix? You're only checking the length!
Please provide a demonstration attack that would force users into
downloading, and wrongly checking, a malicious package. The o
> Fixed and uploaded, see #402631.
Erm, do you think this is a good fix? You're only checking the length!
On Mon, Dec 11, 2006 at 08:17:11PM +0100, Bernhard R. Link wrote:
> I was just made aware that
> http://packages.debian.org/cgi-bin/download.pl
> is very liberal in putting arbitrary stuff in the website,
> try for example:
>
> http://packages.debian.org/cgi-bin/download.pl?arch=i386&file=";> h