Date: Sun, 22 Mar 2015 12:54:57 -0400 (EDT)
From: "David A. Wheeler" <dwheeler@...eeler.com>
To: "oss-security" <oss-security@...ts.openwall.com>
Subject: Re: CVE for Kali Linux

On Sun, 22 Mar 2015 09:49:12 -0600, Kurt Seifried <kseifried@...hat.com> wrote:
> I meant from the CVE assignment perspective. This was back in 1999, it's
> only recently (e.g. the last 6 months or so?) that we've moved the
> security bar to:
>
> downloads of updates via HTTP with no other protection == CVE

On 2015-02-26 I reported to Cygwin that they had a similar man-in-the-middle issue. The Cygwin package manager (which downloaded all other packages) was unprotected and downloaded using http (as http://cygwin.com/setup-x86.exe or http://cygwin.com/setup-x86_64.exe). They changed it to load with HTTPS, and later added HTTP Strict Transport Security (HSTS). However, since they were the only site that could (realistically) correct it, I didn't request a CVE. (FYI, they quickly repaired that problem once they received the report.)

Should I have requested a CVE?

--- David A. Wheeler
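Added example, not part of David Wheeler's message or of Cygwin's own code: a small Python check that applies the "HTTP with no other protection" bar quoted above to an updater's download URL and to the Strict-Transport-Security header its HTTPS origin sends. The header values, the six-month max-age threshold and the sample inputs are assumptions constructed for the example, not observations of cygwin.com.

```python
"""Audit an updater's download URL: flag plain-http fetches and check that the
HTTPS origin sends a usable HSTS policy (the two fixes described in the e-mail)."""
from urllib.parse import urlparse

# Assumed threshold: a policy shorter than about six months gives little protection.
MIN_MAX_AGE = 180 * 24 * 3600


def parse_hsts(header):
    """Parse a Strict-Transport-Security header value into a dict.
    Returns None when the header is missing or carries no valid max-age."""
    if not header:
        return None
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.lower()
        if name == "max-age":
            value = value.strip().strip('"')
            if not value.isdigit():
                return None  # malformed max-age: browsers ignore the whole header
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy if policy["max_age"] is not None else None


def audit_update_url(url, hsts_header):
    """Return a list of findings for one updater download URL.
    hsts_header is the Strict-Transport-Security value seen on the HTTPS
    origin, or None if the origin did not send one."""
    findings = []
    scheme = urlparse(url).scheme
    if scheme != "https":
        findings.append("plain-%s download: unauthenticated, a MITM can substitute the file" % scheme)
    policy = parse_hsts(hsts_header)
    if policy is None:
        findings.append("no valid HSTS header: a first http:// request can still be intercepted")
    elif policy["max_age"] < MIN_MAX_AGE:
        findings.append("HSTS max-age %d too short" % policy["max_age"])
    return findings


# Constructed sample inputs (hypothetical header values, not real observations)
SAMPLES = [
    ("http://cygwin.com/setup-x86.exe", None),                                      # state as reported
    ("https://cygwin.com/setup-x86.exe", None),                                     # HTTPS only
    ("https://cygwin.com/setup-x86.exe", "max-age=31536000; includeSubDomains"),    # HTTPS + HSTS
]

if __name__ == "__main__":
    for url, hsts in SAMPLES:
        print(url, audit_update_url(url, hsts) or ["ok"])
```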