sks-devel

Re: [Sks-devel] Changes to sks-keyservers.net pools


From: Jeremy T. Bouse
Subject: Re: [Sks-devel] Changes to sks-keyservers.net pools
Date: Sun, 11 May 2014 19:34:37 -0400
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Icedove/24.4.0

On 05/11/2014 05:18 PM, Kristian Fiskerstrand wrote:
> On 05/11/2014 10:43 PM, Kristian Fiskerstrand wrote:
>> On 05/06/2014 02:55 PM, Jeremy T. Bouse wrote:
>>> On 05/06/2014 05:08 AM, Kristian Fiskerstrand wrote:
>>>> Dear lists,
>>>>
>>>> Following the release of SKS 1.1.5[0] the following changes
>>>> will be made to the pools of sks-keyservers.net
>>>>
>>>> subset.pool.sks-keyservers.net has been set to a minimum 
>>>> requirement of SKS 1.1.5 with immediate effect.
>>>>
>>>> Due to CVE-2014-3207[1] I want to bump 
>>>> hkps.pool.sks-keyservers.net to a requirement of 1.1.5 as this 
>>>> can potentially be in another security context / zone, however 
>>>> I'm giving this a grace period of (at least) 45-60 days to
>>>> allow server administrators to upgrade their servers.
>>
>> In recognition of package-maintainers backporting the security
>> fixes to older versions of SKS for stable systems I'm revising the
>> latter statement a bit. I have now implemented a test for affected
>> servers instead of relying on the version information. This is
>> currently active, and non-patched servers in the HKPS pool should
>> now show up with an orange flag for the HKPS column.
>>
> 
> Adding to that, this would also keep servers that are protected due to
> the reverse proxy configuration remaining.
> 

So where are the details on how the reverse proxy can be reconfigured
to mitigate this issue until sks is upgraded? Assuming I'm understanding
your statement correctly.
