Re: golang-go.crypto / CVE-2019-11841

2020-09-14 Thread Ola Lundqvist
Hi

So the header is not signed. Good to know.

I think we can ignore the spoofing issue. Yes, it is possible to spoof it,
but on the other hand you can just omit it even if it is checked. I think
this is a minor issue, if at all an issue.

But as always I may have missed some important point.

The important thing is that the accepted checksums are strong. With that in
place I fail to see a security issue.

/ Ola

On Sun, 13 Sep 2020 at 09:37, Brian May wrote:

> Ola Lundqvist  writes:
>
> > Looking at the code and your email I have some concerns.
> >
> > Isn't the header part of the "signed" argument? If it is not, then there
> is
> > no point of checking it since you can then just change the header anyway.
> > If it is part of the signed message it is possible for the function to
> > decode it and check it.
> >
> > Does the calling application need to do the check, can't
> > CheckDetachedSignature do it?
> >
> > Or have I missed something?
>
> CheckDetachedSignature is called like:
>
> openpgp.CheckDetachedSignature(keyring, bytes.NewBuffer(b.Bytes),
> b.ArmoredSignature.Body)
>
> b.Headers has the header we need to check, but we only pass the body
> b.Bytes and the signature b.ArmoredSignature.Body. As in the headers
> aren't covered by the signature (I assume there is a good reason...).
>
> Does this make sense now?
> --
> Brian May 
>

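The point of the exchange above is that the "Hash:" armor header of a clearsigned message is not part of what the detached signature covers, so checking it in isolation proves nothing: anyone can rewrite or drop it. What a verifier can enforce is that the digest the signature packet actually used matches what the header declares and is one the verifier considers strong. The Go program below is an added illustration of that check; it is not code from the thread, from golang.org/x/crypto, or from the CVE-2019-11841 fix. It parses the armor headers and the first bytes of a v4 signature packet with the standard library only, applies an RFC 4880 reading of a missing header (MD5 assumed), and deliberately does no cryptographic verification: the real signature check (openpgp.CheckDetachedSignature on the cleartext, as in the quoted call) still has to run alongside it. The sample message, its one-line-per-package parser (no dash-unescaping, no CRC24 check) and the list of accepted digests are all constructed for this example.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Hash algorithm identifiers from RFC 4880 section 9.4.
var hashNames = map[byte]string{
	1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256", 9: "SHA384", 10: "SHA512", 11: "SHA224",
}

// Digests this verifier accepts: a policy choice made for this example.
var strongHashes = map[string]bool{"SHA256": true, "SHA384": true, "SHA512": true, "SHA224": true}

// ParseClearsigned splits a clearsigned message into its armor headers (the lines
// between the BEGIN PGP SIGNED MESSAGE line and the first blank line, none of which
// are signed), the cleartext, and the decoded bytes of the armored signature block.
func ParseClearsigned(msg string) (headers map[string][]string, text string, sig []byte, err error) {
	lines := strings.Split(strings.ReplaceAll(msg, "\r\n", "\n"), "\n")
	headers = map[string][]string{}
	i := 0
	for i < len(lines) && lines[i] != "-----BEGIN PGP SIGNED MESSAGE-----" {
		i++
	}
	if i == len(lines) {
		return nil, "", nil, errors.New("no clearsigned message found")
	}
	for i++; i < len(lines) && lines[i] != ""; i++ { // "Key: v1,v2" armor headers
		k, v, ok := strings.Cut(lines[i], ":")
		if !ok {
			return nil, "", nil, fmt.Errorf("malformed armor header %q", lines[i])
		}
		for _, val := range strings.Split(v, ",") {
			headers[strings.TrimSpace(k)] = append(headers[strings.TrimSpace(k)], strings.TrimSpace(val))
		}
	}
	var body []string
	for i++; i < len(lines) && lines[i] != "-----BEGIN PGP SIGNATURE-----"; i++ {
		body = append(body, lines[i])
	}
	if i == len(lines) {
		return nil, "", nil, errors.New("missing signature block")
	}
	for i++; i < len(lines) && lines[i] != ""; i++ { // the signature block's own headers, ignored
	}
	var b64 strings.Builder
	for i++; i < len(lines) && lines[i] != "-----END PGP SIGNATURE-----"; i++ {
		if !strings.HasPrefix(lines[i], "=") { // skip the "=CRC24" line; not checked here
			b64.WriteString(strings.TrimSpace(lines[i]))
		}
	}
	if i == len(lines) {
		return nil, "", nil, errors.New("unterminated signature block")
	}
	if sig, err = base64.StdEncoding.DecodeString(b64.String()); err != nil {
		return nil, "", nil, err
	}
	return headers, strings.Join(body, "\n"), sig, nil
}

// SignatureHash returns the digest name recorded in a version 4 signature packet
// (RFC 4880 section 5.2.3). Only the packet header and the first four body bytes
// are read: version, signature type, public-key algorithm, hash algorithm.
func SignatureHash(pkt []byte) (string, error) {
	if len(pkt) < 2 || pkt[0]&0x80 == 0 {
		return "", errors.New("not an OpenPGP packet")
	}
	var tag byte
	var hdrLen int
	if pkt[0]&0x40 != 0 { // new-format header: tag in the low 6 bits
		tag = pkt[0] & 0x3f
		switch n := pkt[1]; {
		case n < 192:
			hdrLen = 2
		case n < 224:
			hdrLen = 3
		case n == 255:
			hdrLen = 6
		default:
			return "", errors.New("partial body lengths not supported")
		}
	} else { // old-format header: tag in bits 2..5, length-type in the low 2 bits
		tag = (pkt[0] >> 2) & 0x0f
		hdrLen = []int{2, 3, 5, 1}[pkt[0]&0x03]
	}
	if tag != 2 {
		return "", fmt.Errorf("packet tag %d is not a signature", tag)
	}
	if len(pkt) < hdrLen+4 {
		return "", errors.New("truncated signature packet")
	}
	body := pkt[hdrLen:]
	if body[0] != 4 {
		return "", fmt.Errorf("unsupported signature version %d", body[0])
	}
	name, ok := hashNames[body[3]]
	if !ok {
		return "", fmt.Errorf("unknown hash algorithm id %d", body[3])
	}
	return name, nil
}

// CheckHashHeader enforces the only thing the unsigned Hash header can be used for:
// the digest the signature actually used must be listed there (RFC 4880 section 7:
// no header means MD5) and must be one the verifier accepts. It does not verify the
// signature itself.
func CheckHashHeader(headers map[string][]string, sig []byte) (string, error) {
	used, err := SignatureHash(sig)
	if err != nil {
		return "", err
	}
	declared := headers["Hash"]
	if len(declared) == 0 {
		declared = []string{"MD5"} // RFC 4880 default when the header is absent
	}
	listed := false
	for _, d := range declared {
		if strings.EqualFold(d, used) {
			listed = true
		}
	}
	if !listed {
		return "", fmt.Errorf("signature uses %s but Hash header declares %v", used, declared)
	}
	if !strongHashes[used] {
		return "", fmt.Errorf("signature uses weak digest %s", used)
	}
	return used, nil
}

// VerifyHeaders runs the header consistency check over one clearsigned message.
func VerifyHeaders(msg string) (string, error) {
	headers, _, sig, err := ParseClearsigned(msg)
	if err != nil {
		return "", err
	}
	return CheckHashHeader(headers, sig)
}

// SampleMessage builds a constructed clearsigned message whose signature packet is a
// minimal, NOT cryptographically valid v4 signature using hash id sigHash. It exists
// only to exercise the checks above; an empty hashHeader omits the Hash line.
func SampleMessage(hashHeader string, sigHash byte) string {
	body := []byte{4, 0x01, 1, sigHash, 0, 0, 0, 0, 0xab, 0xcd} // v4, binary sig, RSA, hash, empty subpackets, filler
	pkt := append([]byte{0x88, byte(len(body))}, body...)       // old-format tag 2, one-byte length
	hdr := ""
	if hashHeader != "" {
		hdr = "Hash: " + hashHeader + "\n"
	}
	return "-----BEGIN PGP SIGNED MESSAGE-----\n" + hdr + "\nhello debian-lts\n" +
		"-----BEGIN PGP SIGNATURE-----\n\n" + base64.StdEncoding.EncodeToString(pkt) + "\n" +
		"-----END PGP SIGNATURE-----\n"
}

func main() {
	for _, m := range []string{SampleMessage("SHA256", 8), SampleMessage("SHA512", 8), SampleMessage("SHA1", 2), SampleMessage("", 8)} {
		fmt.Println(VerifyHeaders(m))
	}
}
```

The second sample shows the "spoofing" case from the thread (header says SHA512, signature used SHA256) and is rejected by the mismatch rule; the third shows that the mismatch rule alone is not enough, since a consistent SHA1 header still has to be refused by the strength policy, which is Ola's point that what matters is which digests the verifier accepts.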

Re: Backports needed for Firefox/Thunderbird ESR 78 in Buster/Stretch

2020-09-14 Thread Christoph Martin
Hi. Any progress here?
Or any way to help?

On 01.09.20 at 19:17, Moritz Muehlenhoff wrote:

>> It may be more future-proof, in case we need it for a future
>> rustc for the next ESR bump.
> 
> My gut feeling is the next ESR thing will need LLVM 11 or so, but happy to
> be proven wrong :-) So maybe let's move directly to 10.
> 
> Once uploaded and acked through NEW, I'll upload wasi-lib rebuilt against
> LLVM, then.
> 



(semi-)automatic unclaim of packages with more than 2 weeks of inactivity (and missing DLAs on www.do)

2020-09-14 Thread Holger Levsen
hi,

today five packages were unclaimed for LTS:

- freerdp (Mike Gabriel)
- gnome-shell (Mike Gabriel)
- php-horde-trean (Mike Gabriel)
- ruby-json-jwt (Utkarsh Gupta)
- ruby-kaminari (Utkarsh Gupta)
- ruby-rack-cors (Utkarsh Gupta)

and two for ELTS:

- samba (Mike Gabriel)
- squid3 (Markus Koschany)


Then, two people probably claimed too many packages:

- Adrian Bunk with 5 packages: nss osc qt4-x11 qtbase-opensource-src zeromq3
- Mike Gabriel with 5 packages: freerdp gnome-shell guacamole-client 
php-horde-trean samba
(though 3 from Mike I just unclaimed.)

Finally, there were no DLAs that had been reserved but not yet published.
yay!


-- 
cheers,
Holger

---
   holger@(debian|reproducible-builds|layer-acht).org
   PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C

