Date: Sun, 22 Mar 2015 12:54:57 -0400 (EDT)
From: "David A. Wheeler" <dwheeler@...eeler.com>
To: "oss-security" <oss-security@...ts.openwall.com>
Subject: Re: CVE for Kali Linux

On Sun, 22 Mar 2015 09:49:12 -0600, Kurt Seifried <kseifried@...hat.com> wrote:
> I meant from the CVE assignment perspective. This was back in 1999, it's
> only recently (e.g. the last 6 months or so?) that we've moved the
> security bar to:
> 
> downloads of updates via HTTP with no other protection == CVE

On 2015-02-26 I reported to Cygwin that they had a similar man-in-the-middle issue.
The Cygwin package manager (which downloaded all other packages) was unprotected
and downloaded using http (as http://cygwin.com/setup-x86.exe or http://cygwin.com/setup-x86_64.exe).
They changed it to load with HTTPS, and later added HTTP Strict Transport Security (HSTS).

However, since they were the only site that could (realistically) correct it, I didn't
request a CVE.  (FYI, they quickly repaired that problem once they received the report.)

Should I have requested a CVE?

--- David A. Wheeler
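Added example (not part of the thread, and not Cygwin's or Kali's own code): a small audit that applies the "downloads of updates via HTTP with no other protection" criterion discussed above to a list of download URLs, and parses a Strict-Transport-Security header (RFC 6797 syntax) to check that the HSTS policy a site added actually pins future visits to HTTPS. The two http URLs are the ones quoted in the message; the https URL and the header values are constructed for illustration.

```python
"""Audit download URLs for unprotected (plain HTTP) transport and check
an HSTS policy. Added illustration; sample data below is constructed."""
from urllib.parse import urlparse

# Constructed sample: the two http URLs are quoted in the message above,
# the https one stands in for the corrected download location.
SAMPLE_URLS = [
    "http://cygwin.com/setup-x86.exe",
    "http://cygwin.com/setup-x86_64.exe",
    "https://cygwin.com/setup-x86.exe",
]

# Constructed sample header value (assumed, not the site's real policy).
SAMPLE_HSTS = "max-age=31536000; includeSubDomains"


def is_protected_download(url):
    """True if the URL uses a transport that authenticates the server (https).
    Plain http, ftp, or a relative path all count as unprotected."""
    return urlparse(url).scheme.lower() == "https"


def audit_download_urls(urls):
    """Partition URLs into protected / unprotected, the CVE-assignment
    criterion quoted above: HTTP with no other protection is the finding."""
    protected = [u for u in urls if is_protected_download(u)]
    unprotected = [u for u in urls if not is_protected_download(u)]
    return {"protected": protected, "unprotected": unprotected}


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security value: ';'-separated directives,
    directive names case-insensitive, max-age value optionally quoted."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header_value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            try:
                policy["max_age"] = int(value)
            except ValueError:
                policy["max_age"] = None  # malformed; treat as absent
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy


def hsts_is_effective(header_value):
    """An HSTS policy only protects later visits if max-age is present and
    positive; max-age=0 tells the client to forget the policy (RFC 6797)."""
    max_age = parse_hsts(header_value)["max_age"]
    return max_age is not None and max_age > 0


if __name__ == "__main__":
    report = audit_download_urls(SAMPLE_URLS)
    for url in report["unprotected"]:
        print("unprotected download:", url)
    print("HSTS effective:", hsts_is_effective(SAMPLE_HSTS))
```

The audit only looks at the transport; a site that serves installers over HTTPS but publishes no detached signatures still relies entirely on the TLS connection, which is the "no other protection" half of the criterion.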
