On 05/11/2014 05:18 PM, Kristian Fiskerstrand wrote:
> On 05/11/2014 10:43 PM, Kristian Fiskerstrand wrote:
>> On 05/06/2014 02:55 PM, Jeremy T. Bouse wrote:
>>> On 05/06/2014 05:08 AM, Kristian Fiskerstrand wrote:
>>>> Dear lists,
>>>>
>>>> Following the release of SKS 1.1.5[0] the following changes
>>>> will be made to the pools of sks-keyservers.net
>>>>
>>>> subset.pool.sks-keyservers.net has been set to a minimum
>>>> requirement of SKS 1.1.5 with immediate effect.
>>>>
>>>> Due to CVE-2014-3207[1] I want to bump
>>>> hkps.pool.sks-keyservers.net to a requirement of 1.1.5 as this
>>>> can potentially be in another security context / zone, however
>>>> I'm giving this a grace period of (at least) 45-60 days to
>>>> allow server administrators to upgrade their servers.
>>
>> In recognition of package-maintainers backporting the security
>> fixes to older versions of SKS for stable systems I'm revising the
>> latter statement a bit. I have now implemented a test for affected
>> servers instead of relying on the version information. This is
>> currently active, and non-patched servers in the HKPS pool should
>> now show up with an orange flag for the HKPS column.
>>
>
> Adding to that, this would also keep servers that are protected due to
> the reverse proxy configuration remaining.
>
So where are the details on how the reverse proxy can be reconfigured to mitigate this issue until sks is upgraded? Assuming I'm understanding your statement correctly.