[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Sks-devel] Causes of "Vulnerable to CVE-2014-3207" flag in https://
From: |
Eric Germann |
Subject: |
Re: [Sks-devel] Causes of "Vulnerable to CVE-2014-3207" flag in https://sks-keyservers.net/status/ks-status.php?server= page |
Date: |
Sat, 30 Jun 2018 14:29:41 -0400 |
Thanks
So I should download all the source from the git repo as it seems 1.1.6 doesn’t
have the fixes?
> On Jun 30, 2018, at 13:55, Christiaan de Die le Clercq <address@hidden> wrote:
>
> Hi Eric,
>
> The flag is set when SKS-Keyserver is vulnerable for XSS injection,
> which is testable by going here:
> http://<YOUR SKS
> SERVER>/pks/lookup/undefined1%3CScRiPt%3Eprompt(972363)%3C/ScRiPt%3E
>
> More info on here:
> https://bitbucket.org/skskeyserver/sks-keyserver/issues/26/cve-2014-3207-unfiltered-xss
> and on here https://nvd.nist.gov/vuln/detail/CVE-2014-3207
>
>
> Kind regards,
>
> Christiaan de Die le Clercq
>
> Op 30-6-2018 om 3:20 PM schreef Eric Germann:
>> Greetings,
>>
>> Can anyone shed some light on what causes the "Vulnerable to
>> CVE-2014-3207” flag to be set in the status page
>> (https://sks-keyservers.net/status/ks-status.php?server=<servername>
>> <https://sks-keyservers.net/status/ks-status.php?server=%3Cservername%3E>)
>> for a server?
>>
>> Build configuration is sks-1.1.6 from source, nginx 1.15.0 configured as
>> laid out in https://keyserver.mattrude.com/guides/building-server/
>>
>> After a boot, the key server will show “No” in the CVE field and it
>> appears to be eligible for pool inclusion. After a while, it moves to
>> “Yes” and appears to be ineligible.
>>
>> I’m trying to understand what changes from just running as the CVE seems
>> to be on the SKS server side.
>>
>> Thanks for any insight
>>
>> EKG
>>
>>
>>
>> _______________________________________________
>> Sks-devel mailing list
>> address@hidden
>> https://lists.nongnu.org/mailman/listinfo/sks-devel
>>
>
smime.p7s
Description: S/MIME cryptographic signature