sks-devel

Re: [Sks-devel] Changes to sks-keyservers.net pools


From: Kristian Fiskerstrand
Subject: Re: [Sks-devel] Changes to sks-keyservers.net pools
Date: Mon, 12 May 2014 17:17:01 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.5.0

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 05/12/2014 01:34 AM, Jeremy T. Bouse wrote:
> On 05/11/2014 05:18 PM, Kristian Fiskerstrand wrote:
>> On 05/11/2014 10:43 PM, Kristian Fiskerstrand wrote:
>>> On 05/06/2014 02:55 PM, Jeremy T. Bouse wrote:
>>>> On 05/06/2014 05:08 AM, Kristian Fiskerstrand wrote:
>>>>> Dear lists,
>>>>> 
>>>>> Following the release of SKS 1.1.5[0] the following
>>>>> changes will be made to the pools of sks-keyservers.net
>>>>> 
>>>>> subset.pool.sks-keyservers.net has been set to a minimum 
>>>>> requirement of SKS 1.1.5 with immediate effect.
>>>>> 
>>>>> Due to CVE-2014-3207[1] I want to bump 
>>>>> hkps.pool.sks-keyservers.net to a requirement of 1.1.5 as
>>>>> this can potentially be in another security context / zone,
>>>>> however I'm giving this a grace period of (at least) 45-60
>>>>> days to allow server administrators to upgrade their
>>>>> servers.
>>> 
>>> In recognition of package-maintainers backporting the security 
>>> fixes to older versions of SKS for stable systems I'm revising
>>> the latter statement a bit. I have now implemented a test for
>>> affected servers instead of relying on the version information.
>>> This is currently active, and non-patched servers in the HKPS
>>> pool should now show up with an orange flag for the HKPS
>>> column.
>>> 
>> 
>> Adding to that, this would also keep servers that are protected
>> due to the reverse proxy configuration remaining.
>> 
> 
> So where are the details on how the reverse proxy can be
> reconfigured to mitigate this issue until sks is upgraded? Assuming
> I'm understanding your statement correctly.
> 

For apache used as proxy, look into "Normally, mod_proxy will
canonicalise ProxyPassed URLs. But this may be incompatible with some
backends, particularly those that make use of PATH_INFO. The optional
nocanon keyword suppresses this, and passes the URL path "raw" to the
backend. Note that may affect the security of your backend, as it
removes the normal limited protection against URL-based attacks
provided by the proxy."

http://httpd.apache.org/docs/trunk/mod/mod_proxy.html#proxypass



-- 
----------------------------
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk
----------------------------
Public PGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
----------------------------
Donec eris sospes, multos numerabis amicos.
Tempora si fuerint nubila, solus eris.
As long as you are wealthy, you will have many friends.
When the tough times come, you will be left alone.
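As an added illustration (not from the message above or from the SKS project), a minimal Apache httpd reverse-proxy vhost in front of an SKS backend, showing the default ProxyPass form next to the nocanon form the quoted mod_proxy documentation warns about; the hostname, the loopback backend address and the port layout are assumed placeholders.

```apache
# Added example, not the SKS project's or the list author's configuration.
# Assumed layout: SKS listens on 127.0.0.1:11371; httpd answers HKP on the
# same port externally. The HKPS (443 + SSLEngine on) vhost would carry the
# same ProxyPass lines.
Listen 11371
<VirtualHost *:11371>
    ServerName keys.example.org

    ProxyRequests Off
    ProxyPreserveHost On
    ProxyTimeout 300

    # Default form: mod_proxy canonicalises the request URL before handing it
    # to the backend. This normalisation is the "limited protection against
    # URL-based attacks" the documentation mentions, and it is why a not yet
    # upgraded SKS behind such a proxy is treated as protected in the thread.
    ProxyPass        / http://127.0.0.1:11371/
    ProxyPassReverse / http://127.0.0.1:11371/

    # Weak form (kept commented out on purpose): the nocanon keyword passes the
    # path to the backend raw, so the proxy no longer normalises it and the
    # backend sees exactly what the client sent. Do not enable this in front
    # of an SKS that has not been patched for CVE-2014-3207.
    #ProxyPass        / http://127.0.0.1:11371/ nocanon
</VirtualHost>
```

After changing the directive, reload httpd and confirm the active configuration with `apachectl -t -D DUMP_VHOSTS` so the vhost actually in use is the one without nocanon.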


