|
Message-Id: <E1YZj9N-0003Th-Gn@rmm6prod02.runbox.com> Date: Sun, 22 Mar 2015 12:54:57 -0400 (EDT) From: "David A. Wheeler" <dwheeler@...eeler.com> To: "oss-security" <oss-security@...ts.openwall.com> Subject: Re: CVE for Kali Linux On Sun, 22 Mar 2015 09:49:12 -0600, Kurt Seifried <kseifried@...hat.com> wrote: > I meant from the CVE assignment perspective. This was back in 1999, it's > only recently (e.g. the last 6 months or so?) that we've moved the > security bar to: > > downloads of updates via HTTP with no other protection == CVE On 2015-02-26 I reported to Cygwin that they had a similar man-in-the-middle issue. The Cygwin package manager (which downloaded all other packages) was unprotected and downloaded using http (as http://cygwin.com/setup-x86.exe or http://cygwin.com/setup-x86_64.exe). They changed it to load with HTTPS, and later added HTTP Strict Transport Security (HSTS). However, since they were the only site that could (realistically) correct it, I didn't request a CVE. (FYI, they quickly repaired that problem once they received the report.) Should I have requested a CVE? --- David A. Wheeler
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.