Re: twitter-bootstrap / CVE-2018-14040 / CVE-2018-14041 / CVE-2018-14042

2018-09-02 Thread Antoine Beaupré
On 2018-09-02 17:08:09, Brian May wrote:
> Antoine Beaupré writes:
>
>> What do you think? Should we push this forward?
>
> I am somewhat concerned that by fixing this we might be breaking
> something. Even if it is 100% broken behaviour, maybe some application
> depends on this?
>
> Is the

Re: twitter-bootstrap / CVE-2018-14040 / CVE-2018-14041 / CVE-2018-14042

2018-09-02 Thread Brian May
Antoine Beaupré writes:
> What do you think? Should we push this forward?

I am somewhat concerned that by fixing this we might be breaking something. Even if it is 100% broken behaviour, maybe some application depends on this? Is the potential attack bad enough to justify potential breakage? I

Re: twitter-bootstrap / CVE-2018-14040 / CVE-2018-14041 / CVE-2018-14042

2018-08-31 Thread Antoine Beaupré
On 2018-08-29 12:23:54, Brian May wrote:
> Antoine Beaupré writes:
>
>> On 2018-08-08 17:35:52, Brian May wrote:
>>> If I got this right, we cannot use $(xyz) unless the value of xyz is
>>> trusted. Otherwise executing $(xyz) can result in the execution of code
>>> if xyz is something like "".

Re: twitter-bootstrap / CVE-2018-14040 / CVE-2018-14041 / CVE-2018-14042

2018-08-28 Thread Brian May
Antoine Beaupré writes:
> On 2018-08-08 17:35:52, Brian May wrote:
>> If I got this right, we cannot use $(xyz) unless the value of xyz is
>> trusted. Otherwise executing $(xyz) can result in the execution of code
>> if xyz is something like "". This
>> happens immediately, and even if you don't

Re: twitter-bootstrap / CVE-2018-14040 / CVE-2018-14041 / CVE-2018-14042

2018-08-27 Thread Antoine Beaupré
On 2018-08-08 17:35:52, Brian May wrote:
> If I got this right, we cannot use $(xyz) unless the value of xyz is
> trusted. Otherwise executing $(xyz) can result in the execution of code
> if xyz is something like "". This
> happens immediately, and even if you don't use the return value.
>
>
> I

Re: twitter-bootstrap / CVE-2018-14040 / CVE-2018-14041 / CVE-2018-14042

2018-08-09 Thread Paul Wise
On Thu, 2018-08-09 at 16:57 +1000, Brian May wrote:
> I could still ping the host, so probably not a routing problem.

Next time try connecting to port 80/443 on the IP address without sending any data. That would eliminate an HTTP-layer issue.

> Looks like I can connect today however, so maybe

Re: twitter-bootstrap / CVE-2018-14040 / CVE-2018-14041 / CVE-2018-14042

2018-08-09 Thread Brian May
Paul Wise writes:
> The site has been moved to MaxCDN so it is likely that they have
> blackholed your network or there is some sort of routing issue between
> you and their local node.

I could still ping the host, so probably not a routing problem. Looks like I can connect today however, so

Re: twitter-bootstrap / CVE-2018-14040 / CVE-2018-14041 / CVE-2018-14042

2018-08-08 Thread Paul Wise
On Wed, Aug 8, 2018 at 3:35 PM, Brian May wrote:
> Sidenote: Curiously I cannot connect to
> https://security-tracker.debian.org/ today from this machine on this
> network... Connections always time out. Probably something weird with my
> network, however other webpages appear to be fine.

If I