Re: Security Breach Alert - CVS Home File Download Area Compromised

[Mark D. Baushke]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Would it be useful to consider creating ascii-armoured detached
signatures?

   gpg -a --detach-sign <filename>.gz

should create a <filename>.gz.asc which may not have the same problems
as a binary <filename>.gz.sig file.

For what it is worth, here is what I got with regard to signature
verification using firefox on my gentoo GNU/Linux box.

I had no problems downloading the windows binaries:

   https://ccvs.cvshome.org/files/documents/19/623/cvs-1-12-11.zip
or
   https://ccvs.cvshome.org/files/documents/19/622/cvs-1-12-11.zip.sig

using firefox. Using gpg on the .sig file:

% gpg cvs-1-12-11.zip.sig 
gpg: Signature made Tue Dec 14 12:42:58 2004 PST using DSA key ID 9BCD3A3D
gpg: Good signature from "Conrad T. Pino <Conrad@Pino.com>"
%

shows that the signature verified.

For the macosx binaries, I needed to tell firefox to 'Save As' to get the

https://ccvs.cvshome.org/files/documents/19/681/cvs-1.12.11-Darwin-7.7.0-powerpc.gz

file downloaded. It seems that I was forced to use wget or curl to fetch
a copy of the .sig file:

https://ccvs.cvshome.org/files/documents/19/682/cvs-1.12.11-Darwin-7.7.0-powerpc.gz.sig

doing so verified with no problems:

% gpg cvs-1.12.11-Darwin-7.7.0-powerpc.gz.sig 
gpg: Signature made Mon Jan 17 11:55:38 2005 PST using DSA key ID 9BCD3A3D
gpg: Good signature from "Conrad T. Pino <Conrad@Pino.com>"
% 

I am wondering if the problem is with the CollabNet
servlets/ProjectDocumentView JSP program not sending a reasonable
Content-Type for the document pages in question.

        Later,
        -- Mark
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (FreeBSD)

iD8DBQFB+BfA3x41pRYZE/gRAgKDAKCBq+X4EZmoi8qWcrDNe1hVbdyaFACeMOgJ
8PKJHN03GS47EgEdoOJlE/Q=
=R9Lj
-----END PGP SIGNATURE-----