#30480: rbm should check that a signed tag object contains the expected tag name
----------------------------------+-------------------
     Reporter:  boklm             |      Owner:  boklm
         Type:  task              |     Status:  new
     Priority:  Medium            |  Milestone:
    Component:  Applications/rbm  |    Version:
     Severity:  Normal            |   Keywords:
Actual Points:                    |  Parent ID:
       Points:                    |   Reviewer:
      Sponsor:                    |
----------------------------------+-------------------
 When we use the `tag_gpg_id` option, rbm will check that a tag is gpg
 signed. However it does not check that the tag object contains the
 expected tag name, and git does not check that either. As discussed in
 #30479, this can allow rollback attacks.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/30480>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
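
The check the ticket asks for, sketched as an added example (this is not rbm code and not part of the original ticket): compare the `tag` header inside the signed tag object with the name of the ref it was fetched under. The function names and the sample tag object are constructed for illustration; `verify_signed_tag` assumes a local repository and uses plain `git verify-tag`, so it does not reproduce rbm's `tag_gpg_id` key pinning.

```shell
#!/bin/sh
# Added example (not rbm code). Function names are hypothetical.

# Print the "tag" header of a raw tag object read from stdin. Only the
# header block (before the first empty line) is scanned, so a "tag ..."
# line inside the tag message cannot be mistaken for the header.
tag_header_name() {
    awk '/^$/ { exit } /^tag / { sub(/^tag /, ""); print; exit }'
}

# check_tag_name EXPECTED: read a raw tag object on stdin.
# Returns 0 on match, 1 on mismatch, 2 if no tag header is present.
check_tag_name() {
    expected=$1
    actual=$(tag_header_name)
    if [ -z "$actual" ]; then
        echo "no tag header found (not an annotated tag object?)" >&2
        return 2
    fi
    if [ "$actual" != "$expected" ]; then
        echo "tag name mismatch: object says '$actual', expected '$expected'" >&2
        return 1
    fi
}

# verify_signed_tag NAME: signature check followed by the name check.
# Assumes the current directory is a git repository with the tag fetched.
verify_signed_tag() {
    git verify-tag "refs/tags/$1" || return 1
    git cat-file tag "refs/tags/$1" | check_tag_name "$1"
}

# Constructed sample tag object (signature block omitted, object id is a
# placeholder). The message deliberately contains a misleading "tag" line.
sample_tag_object() {
    cat <<'EOF'
object 0000000000000000000000000000000000000000
type commit
tag v1.0
tagger Example Dev <dev@example.org> 1500000000 +0000

Release 1.0
tag v2.0
EOF
}

# Demo: a ref named v2.0 that points at the signed v1.0 tag object.
sample_tag_object | check_tag_name v2.0 || echo "rejected: ref v2.0 does not match tag object"
```

A signature check alone would accept the sample under either ref name, because the signature covers the object contents and not the ref that points to it.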