Are you sure that this is a problem of the CVE vulnerability and not
because of non-responding keyservers?


On 30.06.18 at 20:29, Eric Germann wrote:
> Thanks
>
> So I should download all the source from the git repo as it seems 1.1.6 
> doesn’t have the fixes?
>
>> On Jun 30, 2018, at 13:55, Christiaan de Die le Clercq 
>> <cont...@techwolf12.nl> wrote:
>>
>> Hi Eric,
>>
>> The flag is set when SKS-Keyserver is vulnerable to XSS injection,
>> which is testable by going here:
>> http://<YOUR SKS SERVER>/pks/lookup/undefined1%3CScRiPt%3Eprompt(972363)%3C/ScRiPt%3E
>>
>> More info here:
>> https://bitbucket.org/skskeyserver/sks-keyserver/issues/26/cve-2014-3207-unfiltered-xss
>> and here: https://nvd.nist.gov/vuln/detail/CVE-2014-3207
>>
>>
>> Kind regards,
>>
>> Christiaan de Die le Clercq
>>
>> On 30-6-2018 at 3:20 PM, Eric Germann wrote:
>>> Greetings,
>>>
>>> Can anyone shed some light on what causes the “Vulnerable to 
>>> CVE-2014-3207” flag to be set in the status page 
>>> (https://sks-keyservers.net/status/ks-status.php?server=<servername>) 
>>> for a server?
>>>
>>> Build configuration is sks-1.1.6 from source, nginx 1.15.0 configured as 
>>> laid out in https://keyserver.mattrude.com/guides/building-server/
>>>
>>> After a boot, the key server will show “No” in the CVE field and it 
>>> appears to be eligible for pool inclusion.  After a while, it moves to 
>>> “Yes” and appears to be ineligible.
>>>
>>> I’m trying to understand what changes from just running as the CVE seems 
>>> to be on the SKS server side.
>>>
>>> Thanks for any insight
>>>
>>> EKG
>>>
>>>
>>>
>>> _______________________________________________
>>> Sks-devel mailing list
>>> Sks-devel@nongnu.org
>>> https://lists.nongnu.org/mailman/listinfo/sks-devel
>>>
>>
>>

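One way to tell apart the cases raised in this thread when checking a server you operate, as an added example that is not part of the original messages and is not how the sks-keyservers.net status page works: it classifies the reply to the probe URL quoted above as reflected unescaped, reflected escaped, or no usable answer. The names `classify` and `probe`, the result labels, the treatment of 502/503/504 as "backend unavailable" and the sample replies are assumptions made for this example.

```python
import html
import urllib.error
import urllib.request

# Probe path exactly as quoted in the thread; the marker is what it decodes to.
PROBE_PATH = "/pks/lookup/undefined1%3CScRiPt%3Eprompt(972363)%3C/ScRiPt%3E"
RAW_MARKER = "<ScRiPt>prompt(972363)</ScRiPt>"
ESCAPED_MARKER = html.escape(RAW_MARKER)  # &lt;ScRiPt&gt;...&lt;/ScRiPt&gt;


def classify(status, body):
    """Label one probe reply. status is None when no HTTP reply arrived."""
    if status is None:
        return "no-response"            # timeout/refused: no evidence either way
    text = body.lower()
    if RAW_MARKER.lower() in text:
        return "reflected-unescaped"    # markup echoed verbatim: the XSS condition
    if ESCAPED_MARKER.lower() in text:
        return "reflected-escaped"      # echoed, but neutralised as text
    if status in (502, 503, 504):
        return "backend-unavailable"    # assumption: proxy answered, SKS did not
    return "not-reflected"


def probe(base_url, timeout=10):
    """Fetch the probe URL from a server you operate and classify the reply."""
    url = base_url.rstrip("/") + PROBE_PATH
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return classify(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:   # 4xx/5xx replies still carry a body
        return classify(err.code, err.read().decode("utf-8", "replace"))
    except OSError:                         # URLError, timeouts, connection resets
        return "no-response"


# Constructed sample replies (not captured from any real server).
PAGE = "<html><body>Page not found: /pks/lookup/undefined1{}</body></html>"
SAMPLES = {
    "unfiltered": (404, PAGE.format(RAW_MARKER)),
    "filtered": (404, PAGE.format(ESCAPED_MARKER)),
    "proxy_error": (502, "<html><h1>502 Bad Gateway</h1></html>"),
    "timeout": (None, ""),
}

if __name__ == "__main__":
    for name, (status, body) in SAMPLES.items():
        print(f"{name:12} -> {classify(status, body)}")
```

Running `probe("http://localhost:11371")` repeatedly over time (the base URL here is a placeholder for your own server) shows whether a changing result comes from the reply content or from the server not answering.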