RE: Security Breach Alert - CVS Home File Download Area Compromised

[Conrad T. Pino]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Mark,

> From: Mark D. Baushke
> 
> When I got to the cvs-1.11.18-Darwin-7.7.0-powerpc.gz.sig link using
> 'w3m' (a text-based browser) it seems to have the wrong Content-Encoding
> (of 'gzip') for the .sig files in the macosx directory.
> 
> This is likely what is confusing a number of browsers out there. I am
> not sure of the right way to tell the CollabNet servlets to fix the
> problem.

See prior message regarding Java servlet redirecting to file URL delivered
by Apache 2.0.47 server.

> Folks should be able to use tools like 'wget' and 'curl' to fetch files
> given the URLs.

Folks with tools like the above don't need binary files.  Such folks I
expect can compile the source for themselves.

> It may also be possible to tell your browser to NOT try
> to do any decoding of the file on the fly, but I am not sure how easy
> that is for things like IE.

I've been doing "right click" using "Save Target As..." option which
works correctly with "*.gz" files from Apache Jakarta where I tried
downloading Tomcat 4.1.31 with no problem.

Don't forget "*.tar.gz.sig", "*.tar.bz2.sig" and "*.zip.sig" files work
on CVS Home.  Can you check the difference between them & "*.gz.sig"?

Here's what Microsoft said about IE and MIME types:
http://msdn.microsoft.com/workshop/networking/moniker/overview/appendix_a.asp

>       -- Mark

Conrad

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.4

iQA/AwUBQfgj4rNM28ubzTo9EQKPEACghW72fratZvKpSYM0FvBE6gOzUrUAoJ2Y
gyrA0T5g6s1Qex1RKF8RAclG
=xTPU
-----END PGP SIGNATURE-----