
Re: [Sks-devel] keyserver stats gathering


From: Kristian Fiskerstrand
Subject: Re: [Sks-devel] keyserver stats gathering
Date: Wed, 24 Feb 2016 10:42:40 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.6.0

On 02/24/2016 10:19 AM, Mire, John wrote:

> 
> The gossip, queries and stats traffic is not a problem, according
> to Security, what they were questioning me about was the queries to
> the server flagging CVE-2014-3207 as a concern.  I had to look up
> this vuln and couldn't answer their questions.  I know I'm running
> >= 1.1.5 so I don't have to worry.  So if there are scripts being
> run against the server that should be whitelisted, it's not
> documented anywhere they could find, including the wiki and the
> associated links for source.

Heh,

Yeah, that'd be one of mine. SKS 1.1.5 is not affected, but there are
possible server mitigations for lower versions, so a simple test is made:

https://git.sumptuouscapital.com/?p=sks-keyservers-pool.git;a=blob;f=sks-keyservers.net/status-srv/test_cve-2014-3207.sh;h=a4a959e67461cf2d68c23ed5a5dd161d693d87eb;hb=HEAD


-- 
----------------------------
Kristian Fiskerstrand
Blog: https://blog.sumptuouscapital.com
Twitter: @krifisk
----------------------------
Public OpenPGP key at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
----------------------------
Aquila non capit muscas
The eagle does not hunt flies

Attachment: signature.asc
Description: OpenPGP digital signature

