Date: Mon, 20 May 2013 19:48:23 +0800
From: Pavel Labushev <pavel.labushev@...box.no>
To: oss-security@...ts.openwall.com
Subject: Re: CVE Request: Man in the middle on Gentoo Portage binary package installer

On Wed, 15 May 2013 12:46:57 +0200
"Jason A. Donenfeld" <Jason@...c4.com> wrote:

> I reported this to the maintainer of Portage in Gentoo Bug #469888
> [1], and it was fixed in commit b5969af9f5 [2].
> 
> Do note that while this commit solves the immediate problem with
> fetching /Packages, as detailed above, there may be other additional
> unconfirmed insecure uses of the vulnerable urlopen() function that
> have not yet been analyzed or fixed.

emerge --sync uses plain rsync without any integrity verification. One
should not worry about /Packages before one has started obtaining the
portage tree using emerge-webrsync together with the webrsync-gpg feature
instead of emerge --sync.
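The verification step that separates the two sync methods above, as an added example that is not Portage's own code nor anything from the thread: a wrapper that refuses to unpack a portage snapshot unless its detached GPG signature verifies against a locally pinned keyring. Assumed names: the keyring directory defaults to /etc/portage/gnupg (a hypothetical value standing in for whatever PORTAGE_GPG_DIR is set to), and the tarball and .gpgsig file are assumed to have been fetched already.

```shell
#!/bin/sh
# Added example, not Portage's emerge-webrsync script. Verify a snapshot tarball
# ($1) against its detached signature ($2) using only keys in the keyring dir
# ($3, assumed default /etc/portage/gnupg). Exit codes: 0 verified, 1 signature
# bad or gpg unavailable, 2 input files missing. Nothing is unpacked on failure.
verify_snapshot() {
    snapshot="$1"; sig="$2"; gpgdir="${3:-/etc/portage/gnupg}"
    [ -f "$snapshot" ] || { echo "missing snapshot: $snapshot" >&2; return 2; }
    [ -f "$sig" ]      || { echo "missing signature: $sig" >&2; return 2; }
    # --trust-model always: rely solely on what was explicitly imported into
    # $gpgdir, so the check does not depend on the system-wide web of trust.
    if gpg --homedir "$gpgdir" --batch --no-tty --trust-model always \
           --verify "$sig" "$snapshot" >/dev/null 2>&1; then
        echo "signature OK: $snapshot"
        return 0
    fi
    echo "signature FAILED for $snapshot; refusing to unpack" >&2
    return 1
}

# Usage: gate the unpack on the verification result. Plain rsync syncing has no
# equivalent step, which is the gap the message above points at.
# verify_snapshot portage-latest.tar.xz portage-latest.tar.xz.gpgsig \
#     && tar xJf portage-latest.tar.xz -C /usr
```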
