
[Sks-devel] spodhuis keyserver down, pending OCaml CVE updates


From: Phil Pennock
Subject: [Sks-devel] spodhuis keyserver down, pending OCaml CVE updates
Date: Tue, 3 Oct 2017 17:28:38 -0400

TL;DR: sks-peer.spodhuis.org down until further notice, when I get time
to investigate properly.  Down by administrator action.  No need to
deconfigure peering.

Fuller version:

Today an advisory came through for Ubuntu updating their OCaml packages
to deal with a CVE in OCaml, where the compiler produces code which is
exploitable for code execution via buffer overflow.  Fixed in OCaml
4.03.

https://usn.ubuntu.com/usn/usn-3437-1/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8869

This appears to have been publicly discussed in April 2016, but not
patched for that OS until today.  I'm on FreeBSD.  My OCaml is 4.02.3.

http://www.securityfocus.com/bid/89318/discuss states that OCaml 4.02.3
and earlier are vulnerable.  I see no local patches in FreeBSD Ports.  I
have not investigated in depth, nor do I have time to investigate,
whether or not SKS is an exploitable path or whether all reads are
sufficiently bound that an attacker can't inject enough data to attack.

Because I don't have time for this, per https://sks.spodhuis.org/
> This service may be withdrawn at any time and without notice to
> end-users.  (Peers will be notified).

The service is temporarily withdrawn.  I don't think it's necessary to
update any peering configurations, just know that this is deliberate and
you don't need to reach out.

When I get time to look in more depth (not before this weekend as the
soonest opportunity) or if updates for the compiler come through on
FreeBSD and I can just install updated compiler packages and then
rebuild SKS, then service will be restored.

I'm not chasing this any further today.
-Phil

Attachment: signature.asc
Description: Digital signature

