Bugtraq mailing list archives
Re: Distributing Patches in Email
From: nimmich () UNI-MUENSTER DE (Dirk Nimmich)
Date: Fri, 3 Mar 2000 18:22:56 +0100
Scott Blake wrote:
> An exception to the rule Marc mentions should be non-executable, strongly signed updates. Concerned users can easily verify the signature manually (the software does so automatically) to be certain of the file's provenance and integrity.
> [...]
> Btw, if anyone sees a flaw in our approach, I'd love to hear it.
You didn't say anything about the verification of signed files and how those patches are applied, so the "generic" answer to this is: Replay attack with signed files known to have security bugs. Can be avoided if dates (of the signature, not of the message) and file versions are checked, too.
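The check Dirk describes, as an added example that is not part of the thread: the signature covers the patch together with its version and signing date, and the verifier rejects a correctly signed but outdated file instead of installing it. HMAC stands in for the vendor's public-key signature so the example runs offline (an assumption; the thread does not name a signature scheme), and the key, versions and timestamps are constructed values.

```python
import hmac
import hashlib
import json
from dataclasses import dataclass

# Constructed stand-in for the vendor's signing key. A real deployment would use
# a public-key signature; HMAC is used only to keep this example self-contained.
VENDOR_KEY = b"example-vendor-key"
CLOCK_SKEW = 60  # seconds of tolerance for a signing time slightly in the future


def _signed_bytes(payload: bytes, version: int, signed_at: int) -> bytes:
    # Version and signing time are bound into the signed data, so they cannot be
    # edited in transit without invalidating the signature.
    meta = json.dumps({"version": version, "signed_at": signed_at}, sort_keys=True)
    return meta.encode() + b"\n" + payload


def sign_update(payload: bytes, version: int, signed_at: int) -> dict:
    """Vendor side: produce a signed update carrying version and signing time."""
    sig = hmac.new(VENDOR_KEY, _signed_bytes(payload, version, signed_at), hashlib.sha256)
    return {"payload": payload, "version": version, "signed_at": signed_at, "sig": sig.hexdigest()}


@dataclass
class InstalledState:
    version: int          # version currently installed
    last_signed_at: int   # signing time of the last update that was accepted


def verify_update(update: dict, state: InstalledState, now: int) -> tuple:
    """Client side: check authenticity first, then reject replays of older files."""
    expected = hmac.new(VENDOR_KEY, _signed_bytes(update["payload"], update["version"],
                                                  update["signed_at"]), hashlib.sha256)
    if not hmac.compare_digest(expected.hexdigest(), update["sig"]):
        return (False, "bad signature")
    # A genuine but old signed file must not be accepted again (downgrade/replay).
    if update["version"] <= state.version:
        return (False, "version not newer than installed")
    if update["signed_at"] <= state.last_signed_at:
        return (False, "signature older than last accepted update")
    if update["signed_at"] > now + CLOCK_SKEW:
        return (False, "signing time is in the future")
    return (True, "ok")


if __name__ == "__main__":
    installed = InstalledState(version=2, last_signed_at=200)
    print(verify_update(sign_update(b"fix-3", 3, 300), installed, now=310))  # accepted
    print(verify_update(sign_update(b"fix-1", 1, 100), installed, now=310))  # valid signature, rejected as replay
```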