Hi Eric,

The flag is set when SKS-Keyserver is vulnerable to XSS injection, which is testable by going here:
http://<YOUR SKS SERVER>/pks/lookup/undefined1%3CScRiPt%3Eprompt(972363)%3C/ScRiPt%3E

More info here: https://bitbucket.org/skskeyserver/sks-keyserver/issues/26/cve-2014-3207-unfiltered-xss and here: https://nvd.nist.gov/vuln/detail/CVE-2014-3207

Kind regards,
Christiaan de Die le Clercq

On 30-6-2018 at 3:20 PM, Eric Germann wrote:
> Greetings,
>
> Can anyone shed some light on what causes the "Vulnerable to
> CVE-2014-3207" flag to be set in the status page
> (https://sks-keyservers.net/status/ks-status.php?server=<servername>)
> for a server?
>
> Build configuration is sks-1.1.6 from source, nginx 1.15.0 configured as
> laid out in https://keyserver.mattrude.com/guides/building-server/
>
> After a boot, the key server will show "No" in the CVE field and it
> appears to be eligible for pool inclusion. After a while, it moves to
> "Yes" and appears to be ineligible.
>
> I'm trying to understand what changes from just running, as the CVE seems
> to be on the SKS server side.
>
> Thanks for any insight
>
> EKG
>
> _______________________________________________
> Sks-devel mailing list
> Sks-devel@nongnu.org
> https://lists.nongnu.org/mailman/listinfo/sks-devel
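To make the condition behind the flag concrete, here is an added example (not SKS code and not the pool status page's actual check) that URL-decodes the probe path quoted above, renders a constructed stand-in for the keyserver's "no keys found" page both with and without output escaping, and decides whether the probe's markup came back unescaped. The `render_error_page` HTML and the `is_vulnerable` detection regex are assumptions for illustration; the real status page may test differently.

```python
"""Reflected XSS in a /pks/lookup/<term> path (the CVE-2014-3207 pattern) and the
output-escaping fix, as an added example. Nothing here is SKS's own code."""
import html
import re
from urllib.parse import unquote

# Probe path from the thread, exactly as a browser would send it.
PROBE_PATH = "/pks/lookup/undefined1%3CScRiPt%3Eprompt(972363)%3C/ScRiPt%3E"


def lookup_term(path: str) -> str:
    """Extract and URL-decode the search term from a /pks/lookup/<term> path."""
    prefix = "/pks/lookup/"
    if not path.startswith(prefix):
        raise ValueError("not a lookup path")
    return unquote(path[len(prefix):])


def render_error_page(term: str, escape: bool) -> str:
    """Constructed stand-in for the keyserver's error page (assumption, not the
    real SKS template). escape=False echoes the term raw, which is the unfiltered
    behaviour the CVE describes; escape=True applies the fix: HTML-escape any
    user-supplied text before it is interpolated into markup."""
    shown = html.escape(term, quote=True) if escape else term
    return (
        "<html><body><p>Error handling request: No keys found for "
        f"{shown}</p></body></html>"
    )


# Matches the probe only when it is reflected as live markup: a real <script>
# tag whose body carries the probe's unique marker 972363. The HTML-escaped
# form (&lt;ScRiPt&gt;...) has no '<' and therefore never matches.
_REFLECTED_PROBE = re.compile(r"<\s*script\b[^>]*>[^<]*972363", re.IGNORECASE)


def reflects_unescaped_script(body: str) -> bool:
    """True if the response body contains the probe as an unescaped script tag."""
    return _REFLECTED_PROBE.search(body) is not None


def is_vulnerable(render) -> bool:
    """Run the probe through a page renderer and report whether it is reflected
    unescaped. `render` is any callable mapping a decoded term to HTML."""
    return reflects_unescaped_script(render(lookup_term(PROBE_PATH)))


if __name__ == "__main__":
    print("unfiltered:", is_vulnerable(lambda t: render_error_page(t, escape=False)))
    print("escaped:   ", is_vulnerable(lambda t: render_error_page(t, escape=True)))
```

The check keys on the probe's marker rather than on any `<script` tag, since a legitimate page may carry its own scripts; that is what makes the escaped rendering report clean while the raw rendering reports vulnerable.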