Re: [Sks-devel] Changes to sks-keyservers.net pools


From: Kristian Fiskerstrand
Subject: Re: [Sks-devel] Changes to sks-keyservers.net pools
Date: Mon, 12 May 2014 17:01:05 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.5.0

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 05/12/2014 07:40 AM, Gabor Kiss wrote:
>> In recognition of package-maintainers backporting the security
>> fixes to older versions of SKS for stable systems I'm revising
>> the latter statement a bit. I have now implemented a test for
>> affected servers instead of relying on the version information.
>> This is currently active, and non-patched servers in the HKPS
>> pool should now show up with an orange flag for the HKPS column.
> 
> Eeerr... I know I speak against myself but keys.niif.hu is waiting
> for backported 1.1.5 Debian package but it got green flag.
> 
> Gabor

Your reverse proxy is URL-encoding the input, so

    curl "http://$1:11371/pks/lookup/undefined1<ScRiPt>prompt('CVE-2014-3207')</ScRiPt>"

actually gives back

    </style></head><body><h1>Page not found</h1>Page not found: /pks/lookup/undefined1%3CScRiPt%3Eprompt('CVE-2014-3207')%3C/ScRiPt%3E</body></html>

which should not be exploitable.

- -- 
- ----------------------------
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk
- ----------------------------
Public PGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
- ----------------------------
Carpe noctem
Seize the night
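The distinction drawn in the message above, between an error page that echoes the probe verbatim and one that echoes it percent-encoded, can be checked mechanically. The following is an added example, not code from the original message or from sks-keyservers.net; the function names and the second sample body are constructed for illustration, and the mapping to "affected" is an assumption about how such a check could be scored.

```python
import html
from urllib.parse import quote

# Probe string exactly as quoted in the message above.
PROBE = "<ScRiPt>prompt('CVE-2014-3207')</ScRiPt>"

def classify_reflection(body: str, probe: str = PROBE) -> str:
    """Classify how an error page echoes the probe.

    raw          - probe appears verbatim, so its markup reaches the browser
    url-encoded  - angle brackets arrive as %3C/%3E (the reverse-proxy case)
    html-escaped - angle brackets arrive as &lt;/&gt;
    absent       - the probe is not echoed at all
    """
    if probe in body:
        return "raw"  # worst case wins even if an encoded copy is also present
    lowered = body.lower()
    # Proxies differ in which characters they percent-encode and in hex case,
    # so try several "safe" sets and compare case-insensitively.
    for safe in ("/'()", "/", ""):
        if quote(probe, safe=safe).lower() in lowered:
            return "url-encoded"
    for quote_attrs in (False, True):
        if html.escape(probe, quote=quote_attrs) in body:
            return "html-escaped"
    return "absent"

def is_affected(body: str, probe: str = PROBE) -> bool:
    """Assumed scoring: only a verbatim echo counts as unpatched."""
    return classify_reflection(body, probe) == "raw"

# Response body as quoted in the message above (behind the reverse proxy).
SAMPLE_PROXIED = (
    "</style></head><body><h1>Page not found</h1>Page not found: "
    "/pks/lookup/undefined1%3CScRiPt%3Eprompt('CVE-2014-3207')%3C/ScRiPt%3E"
    "</body></html>"
)
# Constructed sample: the same page with the probe echoed without encoding.
SAMPLE_RAW = (
    "</style></head><body><h1>Page not found</h1>Page not found: "
    "/pks/lookup/undefined1" + PROBE + "</body></html>"
)

if __name__ == "__main__":
    for name, body in (("proxied", SAMPLE_PROXIED), ("raw", SAMPLE_RAW)):
        print(name, classify_reflection(body), is_affected(body))
```

A "url-encoded" result describes only the path through the proxy; it says nothing about whether the SKS instance behind it has the fix.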


