Re: Security Breach Alert - CVS Home File Download Area Compromised

[Mark D. Baushke]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Of possible interest...

When I got to the cvs-1.11.18-Darwin-7.7.0-powerpc.gz.sig link using
'w3m' (a text-based browser) it seems to have the wrong Content-Encoding
(of 'gzip') for the .sig files in the macosx directory.

This is likely what is confusing a number of browsers out there. I am
not sure of the right way to tell the CollabNet servlets to fix the
problem.

Folks should be able to use tools like 'wget' and 'curl' to fetch files
given the URLs. It may also be possible to tell your browser to NOT try
to do any decoding of the file on the fly, but I am not sure how easy
that is for things like IE.

        -- Mark

w3m output:

Information about current page

Title             cvs-1.11.18-Darwin-7.7.0-powerpc.gz.sig
Current URL       https://www.cvshome.org/files/documents/19/678/
                  cvs-1.11.18-Darwin-7.7.0-powerpc.gz.sig
Document Type     text/plain
Last Modified     Mon, 17 Jan 2005 20:08:27 GMT
Number of lines   2
Transferred bytes 35
                    ---------------------------------------

Header information

HTTP/1.1 200 OK
Date: Wed, 26 Jan 2005 22:26:18 GMT
Server: Apache/2.0.47 (Unix) mod_ssl/2.0.47 OpenSSL/0.9.6b DAV/2 mod_auth_mda/
2.0 mod_jk/1.2.0 SVN/0.23.0 mod_auth_svn/0.1
Last-Modified: Mon, 17 Jan 2005 20:08:27 GMT
ETag: "250148-42-f28104c0"
Accept-Ranges: bytes
Content-Length: 66
Connection: close
Content-Type: text/plain
Content-Encoding: gzip
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (FreeBSD)

iD8DBQFB+BpE3x41pRYZE/gRAtVqAJsGE5o0t+ENVeAOaqn110fdnL5CpACfQQjA
TAGLqa1ibGo8HJShwFJDDmQ=
=pT/l
-----END PGP SIGNATURE-----