On Fri, Dec 15, 2006 at 06:34:37PM +0100, Christian Boltz wrote:
> On Wednesday, 13 December 2006 at 10:33, Javier Fernández-Sanguino
> Peña wrote:
> > In order for your md5sum "attack" to really work you have to crack
> > *all* mirrors or the user has a ~1/38 chance on stumbling on the
> > package
Hello,
On Wednesday, 13 December 2006 at 10:33, Javier Fernández-Sanguino
Peña wrote:
> In order for your md5sum "attack" to really work you have to crack
> *all* mirrors or the user has a ~1/38 chance on stumbling on the
> package that has been replaced by a cracker. Not a very good attack
> IMHO.
On Tue, Dec 12, 2006 at 11:35:38PM +0100, Christian Boltz wrote:
> > ? That would generate HTML files that point to content that does not
> > exist in any of the mirrors. The only way you can make those
> > files valid is if you break into one of the mirrors, and if a mirror is
> > broken and you d
On Mon, Dec 11, 2006 at 10:11:34PM +0100, Christian Boltz wrote:
> > Not that I wouldn't want to see this fixed but, really, this is as
> > low risk as it can get. Through XSS no one could retrieve user
> > credentials and no one should be trusting (in this day and age) the
> > information from a we
Hello,
On 11 December 2006 at 18:51, Javier Fernández-Sanguino Peña wrote:
> On Mon, Dec 11, 2006 at 04:57:30PM +0100, Christian Boltz wrote:
[please CC me in replies, I'm not subscribed]
> > it's easy to do some code injection in packages.debian.org:
>
> This is
On Mon, Dec 11, 2006 at 04:57:30PM +0100, Christian Boltz wrote:
> Hello,
>
> [please CC me in replies, I'm not subscribed]
>
> it's easy to do some code injection in packages.debian.org:
This is not code injection, it's cross-site scripting. Given that:
- pac
Hello,
[please CC me in replies, I'm not subscribed]
it's easy to do some code injection in packages.debian.org:
http://packages.debian.org/cgi-bin/download.pl?arch=i386&file=pool%2Fmain%2Fd%2Fdietlibc%2Fdietlibc_0.28-3_i386.deb&md5sum=not%20available%20because%20the%20