-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 05/12/2014 01:34 AM, Jeremy T. Bouse wrote:
> On 05/11/2014 05:18 PM, Kristian Fiskerstrand wrote:
>> On 05/11/2014 10:43 PM, Kristian Fiskerstrand wrote:
>>> On 05/06/2014 02:55 PM, Jeremy T. Bouse wrote:
>>>> On 05/06/2014 05:08 AM, Kristian Fiskerstrand wrote:
>>>>> Dear lists,
>>>>>
>>>>> Following the release of SKS 1.1.5[0] the following changes will be made to the pools of sks-keyservers.net
>>>>>
>>>>> subset.pool.sks-keyservers.net has been set to a minimum requirement of SKS 1.1.5 with immediate effect.
>>>>>
>>>>> Due to CVE-2014-3207[1] I want to bump hkps.pool.sks-keyservers.net to a requirement of 1.1.5 as this can potentially be in another security context / zone, however I'm giving this a grace period of (at least) 45-60 days to allow server administrators to upgrade their servers.
>>>
>>> In recognition of package maintainers backporting the security fixes to older versions of SKS for stable systems I'm revising the latter statement a bit. I have now implemented a test for affected servers instead of relying on the version information. This is currently active, and non-patched servers in the HKPS pool should now show up with an orange flag for the HKPS column.
>>>
>>
>> Adding to that, this would also keep servers that are protected due to the reverse proxy configuration remaining.
>>
>
> So where are the details on how the reverse proxy can be reconfigured to mitigate this issue until sks is upgraded? Assuming I'm understanding your statement correctly.
>
For Apache used as proxy, look into "Normally, mod_proxy will canonicalise ProxyPassed URLs. But this may be incompatible with some backends, particularly those that make use of PATH_INFO. The optional nocanon keyword suppresses this, and passes the URL path "raw" to the backend. Note that this may affect the security of your backend, as it removes the normal limited protection against URL-based attacks provided by the proxy."

http://httpd.apache.org/docs/trunk/mod/mod_proxy.html#proxypass

- -- 
- ----------------------------
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk
- ----------------------------
Public PGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
- ----------------------------
Donec eris sospes, multos numerabis amicos. Tempora si fuerint nubila, solus eris.
As long as you are wealthy, you will have many friends. When the tough times come, you will be left alone
-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJTcOXsAAoJEPw7F94F4TagjFIP/3ed04VbOOUPuacUiS2j64Zy
OwEICWpQ5e2uP6ql6u3W8+hOKbF9rsgmqAUp/xDCWtRQuT5GC6ZBmQSctGBVLjiY
YkMBXMTl0IITbj3mItLG1V3GWDOKvQn1feOei4CboxU5ASfSvXKF/6yMfGIoBUlM
hYOAI5JR2MxCyTGefktth7e9xOmvc8CTgQ+3Qi/KCbzg5HACXLX8ZLnbr1atuRd7
g4dTOwALzwy+dGmILoOjBLukRmsXz4cQI37l3W3NZT0s4XkQgYq0LaSTejNNRNBo
M8CjubB1sW2m08UMKr1g06s2tC0XaJsyVW4kqr4yKVdB6UhtVDw81Bm4oPKlchVn
63j8aN6IWipWnBa7dws28lM9xu0/UUuAPPaM4TLCVxhRqTFHbWOWUwGR5r9mvhRc
AC4VDzqOkzJu6PTEX02l6MSiNZ69xjaoKaxTo5wdM24QMf6Kl6AfMFywXRJAIrgT
RKoEVJhHCg0CzeGiJDaZ/mDICeVPSX+Y3324sZ/ce3uaX/0bIvLHh5FBj876eXXp
EE/UyGOojVkkJ+RLbiprT6zgGpJnQQso+li+WG410I7H9+DeOsG7wN30IQl7OGjG
hbBs3WwogYNh+4bvinnp/jHQ2bIQt+JGSavPqS2h+63EYVUw8brIY8o8XVw6FBxr
SSzwO6wMYuximtuY79oL
=psjC
-----END PGP SIGNATURE-----
_______________________________________________
Sks-devel mailing list
Sks-devel@nongnu.org
https://lists.nongnu.org/mailman/listinfo/sks-devel
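As an added illustration, not part of the thread above and not configuration published by the SKS project or sks-keyservers.net, the following Apache fragment shows where the nocanon keyword referenced in the reply sits in a ProxyPass line for an SKS backend, with the weak form beside the canonicalising default. The hostname keys.example.org, the /pks prefix and the backend address 127.0.0.1:11371 are assumed values for the example (11371 is the conventional HKP port, but your deployment may differ).

```apache
# Added example (not from the mailing-list thread): Apache 2.4 acting as a
# reverse proxy in front of a local SKS keyserver.
# keys.example.org, /pks and 127.0.0.1:11371 are assumed values.

# Only act as a reverse proxy; never as an open forward proxy.
ProxyRequests Off

<VirtualHost *:80>
    ServerName keys.example.org

    # WEAK FORM, shown commented out for contrast.
    # "nocanon" makes mod_proxy forward the request path exactly as the
    # client sent it, skipping the canonicalisation the quoted mod_proxy
    # documentation describes. That is the "limited protection against
    # URL-based attacks" the proxy would otherwise give an unpatched SKS.
    # ProxyPass /pks http://127.0.0.1:11371/pks nocanon

    # CANONICALISING FORM (the default when "nocanon" is absent).
    # mod_proxy normalises the URL path before it reaches SKS, which is
    # the reverse-proxy behaviour the thread relies on to keep proxied,
    # not-yet-upgraded servers flagged as protected in the HKPS pool.
    ProxyPass        /pks http://127.0.0.1:11371/pks
    ProxyPassReverse /pks http://127.0.0.1:11371/pks
</VirtualHost>
```

The fragment needs mod_proxy and mod_proxy_http loaded; after editing, run `apachectl -t` to check the syntax before reloading. The proxy's canonicalisation is, in Apache's own words, only limited protection, so it complements rather than replaces upgrading to SKS 1.1.5 or applying the backported fix within the grace period the thread describes.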