Am 31.08.18 um 14:37 schrieb Michael Orlitzky:
> To fix it: if you're going to use a file under /tmp, then use a secure
> function like mktemp() to obtain it. But if you're running this job as a
> specific user, you might as well give him a special place to work like
> /var/tmp/clamav-updates
On 08/31/2018 05:00 AM, Henrik Hoeg Thomsen1 wrote:
> wget -q -m -nd -P /tmp --retry-connrefused http://db.local.clamav.net
This is probably exploitable by anyone on the system to gain root. If I
create the file /tmp/daily.cvd (remember that /tmp is world-writable),
$ touch -d '2018-01-01
tlf +45 51638561 mail h...@dk.ibm.com
From: Arnaud Jacques
To: clamav-users@lists.clamav.net
Date: 2018/08/31 11:53
Subject:Re: [clamav-users] secure download of .cvd files ?
Sent by:"clamav-users"
Le 31/08/2018 à 11:00, Henrik Hoeg Thomsen1 a écrit :
&
Agreed. But it wasn’t something we could support. Now we can. It that it
matters, but at least we can now.
Sent from my iPhone
> On Aug 31, 2018, at 07:16, Al Varnell wrote:
>
> And the answer is the same as it was then. There is nothing to be gained by
> supporting https. There is
OK, well then it's almost the same as it was back in 2014.
-Al-
On Fri, Aug 31, 2018 at 04:09 AM, Joel Esler (jesler) wrote:
>
> You should be able to do it it now. However, freshclam doesn’t support ssl.
> When we get ssl built into freshclam, https redirection would be available.
>
>
And the answer is the same as it was then. There is nothing to be gained by
supporting https. There is nothing sensitive about the database. Each component
is verified as genuine after downloaded. And the impact on the servers is less.
-Al-
On Fri, Aug 31, 2018 at 04:07 AM, Arnaud Jacques
You should be able to do it it now. However, freshclam doesn’t support ssl.
When we get ssl built into freshclam, https redirection would be available.
But I couldn’t do it before with the mirrors the way they were. We can now.
Sent from my iPhone
> On Aug 31, 2018, at 07:07, Arnaud
That's why I asked in 2014 about freshclam support of SSL :
http://lists.clamav.net/pipermail/clamav-users/2014-December/001098.html
Le 31/08/2018 à 12:08, Al Varnell a écrit :
I'm not aware of any, but all database components are verified for
authenticity by freshclam after download.
-Al-
I'm not aware of any, but all database components are verified for authenticity
by freshclam after download.
-Al-
On Fri, Aug 31, 2018 at 02:00 AM, Henrik Hoeg Thomsen1 wrote:
> Do clamav offer a encrypted download alternative to the unencrypted http
> based wget used to update the signatue
Le 31/08/2018 à 11:00, Henrik Hoeg Thomsen1 a écrit :
Do clamav offer a encrypted download alternative to the unencrypted http
based wget used to update the signatue database?
May be : https://packages.microsoft.com/clamav/
Should be enough reliable.
--
Cordialement / Best regards,
Arnaud
Do clamav offer a encrypted download alternative to the unencrypted http
based wget used to update the signatue database?
wget -q -m -nd -P /tmp --retry-connrefused http://db.local.clamav.net:
/daily.cvd
wget -q -m -nd -P /tmp --retry-connrefused http://db.local.clamav.net:
/main.cvd
11 matches
Mail list logo