Re: phppgadmin / CVE-2019-10784

2020-03-13 Thread Sylvain Beucler
Hi, On 13/03/2020 22:09, Ola Lundqvist wrote: > On Fri, 13 Mar 2020 at 10:50, Emilio Pozuelo Monfort > wrote: > > On 12/03/2020 22:02, Brian May wrote: > > Ola Lundqvist writes: > > > >> I have ideas on how we can reduce the attac

Re: phppgadmin / CVE-2019-10784

2020-03-13 Thread Ola Lundqvist
Hi If this is the case, it looks like the perfect solution to the problem. And I think it should be strict too. // Ola On Fri, 13 Mar 2020 at 10:50, Emilio Pozuelo Monfort wrote: > On 12/03/2020 22:02, Brian May wrote: > > Ola Lundqvist writes: > > > >> I have ideas on how we can reduce the a

Re: Limiting concurrent claims?

2020-03-13 Thread Roberto C. Sánchez
On Fri, Mar 13, 2020 at 01:08:28PM +, Holger Levsen wrote: > On Wed, Mar 11, 2020 at 05:59:24PM +0100, Sylvain Beucler wrote: > > I regularly see a package claimed while the packager already claimed > > others, and then semi-automatically unclaimed after two weeks. Moreover, > > the package is

Re: Wheezy LTS not present in archive.debian.org

2020-03-13 Thread Piviul
Sylvain Beucler wrote on 06/03/20 at 13:14: [...] Good question :) Snapshot saved the deb7u16 update as part of wheezy-security in 2018: https://snapshot.debian.org/package/samba/2%3A3.6.6-6%2Bdeb7u16/ There's a modified copy of Wheezy LTS as part of the ELTS project (deb7u19, 2019): htt

Re: Limiting concurrent claims?

2020-03-13 Thread Holger Levsen
On Wed, Mar 11, 2020 at 05:59:24PM +0100, Sylvain Beucler wrote: > I regularly see a package claimed while the packager already claimed > others, and then semi-automatically unclaimed after two weeks. Moreover, > the package is then claimed by another packager, which means the initial > work (if an

Re: amd64-microcode, test

2020-03-13 Thread Anton Gladky
Thanks again, Emilio, I have updated the package, uploaded it here [1] and attached a new debdiff. Now I have an experience of backporting packages into older releases. [1] https://people.debian.org/~gladk/amd64-microcode_jessie/ Regards Anton On 3/13/20 10:39 AM, Emilio Pozuelo Monfort wrote:

Re: phppgadmin / CVE-2019-10784

2020-03-13 Thread Emilio Pozuelo Monfort
On 12/03/2020 22:02, Brian May wrote: > Ola Lundqvist writes: > >> I have ideas on how we can reduce the attack possibilities but I cannot >> find any perfect solution to this. > > What about setting samesite=Lax in the session Cookie? Wouldn't you need Strict rather than Lax? Otherwise if basi

Re: amd64-microcode, test

2020-03-13 Thread Emilio Pozuelo Monfort
On 12/03/2020 21:29, Anton Gladky wrote: > Thanks Emilio and Salvatore for very valuable comments! > > I think then, that it would be more proper way to upload the lower > upstream version 3.20181128.1 into the Jessie and Stretch to escape > higher versions on older releases. Well you used 3.2018

Re: phppgadmin / CVE-2019-10784

2020-03-13 Thread Brian May
Ola Lundqvist writes: > I do not see how SameSite attribute would help in this case. Or how do you > mean that it would protect against this? This is what the SameSite attribute was designed for. To protect against CSRF attacks. If a user clicks a link that creates a POST request to another site,