Subject: Re: Distributing Patches in Email
From: Dirk Nimmich (nimmich UNI-MUENSTER.DE)
Date: Fri Mar 03 2000 - 11:22:56 CST
- Next message: Conde Vampiro: "Roses Labs BisonWare FTP Advisory"
- Previous message: Derek Callaway: "(fwd) Dump/restore 0.4b15 released"
- In reply to: Scott Blake: "Distributing Patches in Email (was: RE: EZ Shopper 3.0 shopping cart CGI remote command execution)"
- Reply: Dirk Nimmich: "Re: Distributing Patches in Email"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Scott Blake wrote:
> An exception to the rule Marc mentions should be non-executable,
> strongly signed updates. Concerned users can easily verify the
> signature manually (the software does so automatically) to be
> certain of the file's provenance and integrity.
[...]
> Btw, if anyone sees a flaw in our approach, I'd love to hear it.
You didn't say anything about the verification of signed files and
how those patches are applied, so the "generic" answer to this is:
Replay attack with signed files known to have security bugs. Can be
avoided if dates (of the signature, not of the message) and file
versions are checked, too.
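The replay Dirk describes, as an added example that is not part of the original message: a verifier that checks only the signature, next to one that also checks the signing date and the file version. HMAC with a constructed key stands in for a real signature scheme, and all updates and dates are constructed.

```python
# Added example: why a signature check alone lets an old, genuinely signed
# (and known-buggy) patch be re-sent, and how date + version checks stop it.
import hmac, hashlib, json
from datetime import datetime, timedelta, timezone

VENDOR_KEY = b"constructed-demo-key"  # placeholder for the vendor's signing key

def sign_patch(payload: bytes, version: int, signed_at: datetime) -> dict:
    """Sign an update; version and signing time are covered by the signature,
    so they cannot be edited later (the e-mail Date header can be)."""
    meta = json.dumps({"version": version, "signed_at": signed_at.isoformat()}).encode()
    sig = hmac.new(VENDOR_KEY, meta + b"\n" + payload, hashlib.sha256).hexdigest()
    return {"payload": payload, "version": version,
            "signed_at": signed_at.isoformat(), "sig": sig}

def signature_valid(update: dict) -> bool:
    meta = json.dumps({"version": update["version"],
                       "signed_at": update["signed_at"]}).encode()
    expected = hmac.new(VENDOR_KEY, meta + b"\n" + update["payload"],
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, update["sig"])

def verify_naive(update: dict) -> bool:
    """Replayable: any authentically signed file, however old, is accepted."""
    return signature_valid(update)

def verify_strict(update: dict, installed_version: int, now: datetime,
                  max_age: timedelta = timedelta(days=30)) -> bool:
    """Rejects replays: authentic, newer than what is installed, recently signed."""
    if not signature_valid(update):
        return False
    if update["version"] <= installed_version:      # re-install of an older version
        return False
    signed_at = datetime.fromisoformat(update["signed_at"])
    if not (now - max_age <= signed_at <= now):     # stale or future-dated signature
        return False
    return True

# Constructed scenario: v1 (buggy) signed in January, user already runs v2,
# v3 signed recently. An attacker re-sends the authentic v1 file.
NOW = datetime(2000, 3, 3, tzinfo=timezone.utc)
OLD_BUGGY = sign_patch(b"fix-a", 1, datetime(2000, 1, 10, tzinfo=timezone.utc))
FRESH = sign_patch(b"fix-c", 3, datetime(2000, 3, 1, tzinfo=timezone.utc))
TAMPERED = dict(FRESH, payload=b"fix-c-modified")

if __name__ == "__main__":
    print("naive accepts replayed v1:", verify_naive(OLD_BUGGY))       # True
    print("strict accepts replayed v1:", verify_strict(OLD_BUGGY, 2, NOW))  # False
    print("strict accepts fresh v3:", verify_strict(FRESH, 2, NOW))    # True
```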