[Sks-devel] spodhuis keyserver down, pending OCaml CVE updates
From: Phil Pennock
Subject: [Sks-devel] spodhuis keyserver down, pending OCaml CVE updates
Date: Tue, 3 Oct 2017 17:28:38 -0400
TL;DR: sks-peer.spodhuis.org down until further notice, when I get time
to investigate properly. Down by administrator action. No need to
deconfigure peering.

Fuller version:

Today an advisory came through for Ubuntu updating their OCaml packages
to deal with a CVE in OCaml, where the compiler produces code which is
exploitable for code execution via buffer overflow. Fixed in OCaml
4.03.

https://usn.ubuntu.com/usn/usn-3437-1/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8869

This appears to have been publicly discussed in April 2016, but not
patched for that OS until today. I'm on FreeBSD. My OCaml is 4.02.3.
http://www.securityfocus.com/bid/89318/discuss states that OCaml 4.02.3
and earlier are vulnerable. I see no local patches in FreeBSD Ports. I
have not investigated in depth, nor do I have time to investigate,
whether or not SKS is an exploitable path or whether all reads are
sufficiently bounded that an attacker can't inject enough data to attack.

Because I don't have time for this, per https://sks.spodhuis.org/

> This service may be withdrawn at any time and without notice to
> end-users. (Peers will be notified).

The service is temporarily withdrawn. I don't think it's necessary to
update any peering configurations, just know that this is deliberate and
you don't need to reach out.

When I get time to look in more depth (not before this weekend as the
soonest opportunity) or if updates for the compiler come through on
FreeBSD and I can just install updated compiler packages and then
rebuild SKS, then service will be restored.

I'm not chasing this any further today.

-Phil
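A peer operator reading this will want the same check Phil describes for his own host: is the compiler that built SKS older than 4.03, the release the message names as carrying the fix? The script below is an added example, not code from the message or from the SKS project. It assumes `ocamlc -version` prints a bare version string such as `4.02.3`, treats the range given on the page (4.02.3 and earlier vulnerable, fixed in 4.03) as the only cutoff, and the version strings in the comments are constructed for illustration. It says nothing about whether SKS itself is an exploitable path; it only tells you whether the compiler predates the fix.

```shell
#!/bin/sh
# Added example (not part of the original message): decide whether the
# OCaml compiler on this host predates 4.03, the first release the
# message names as fixing CVE-2015-8869.  Pure POSIX sh, no bashisms.

# version_lt A B: return 0 (true) if dotted version A sorts before B.
# Compares up to three numeric components left to right; a missing
# component counts as 0, and any suffix such as "+flambda" is ignored.
version_lt() {
    a=$(printf '%s' "$1" | sed 's/[^0-9.].*//')
    b=$(printf '%s' "$2" | sed 's/[^0-9.].*//')
    i=1
    while [ "$i" -le 3 ]; do
        # A trailing dot guarantees cut sees a delimiter, so an absent
        # field yields an empty string rather than the whole input.
        # Leading zeros are stripped so "02" compares as 2.
        x=$(printf '%s.\n' "$a" | cut -d. -f"$i" | sed 's/^0*//')
        y=$(printf '%s.\n' "$b" | cut -d. -f"$i" | sed 's/^0*//')
        x=${x:-0}
        y=${y:-0}
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
        i=$((i+1))
    done
    return 1
}

# ocaml_vuln_cve_2015_8869 VERSION: return 0 if VERSION is inside the
# range the advisory text gives as affected (anything before 4.03).
ocaml_vuln_cve_2015_8869() {
    version_lt "$1" "4.03.0"
}

# check_installed_ocaml: report on the compiler found in PATH.
# Returns 0 if it is 4.03 or newer, 1 if older, 2 if none is installed.
# Assumption: "ocamlc -version" prints only the version number.
check_installed_ocaml() {
    if ! command -v ocamlc >/dev/null 2>&1; then
        echo "ocamlc not found in PATH"
        return 2
    fi
    v=$(ocamlc -version)
    if ocaml_vuln_cve_2015_8869 "$v"; then
        echo "OCaml $v predates 4.03: upgrade the compiler, then rebuild SKS"
        return 1
    fi
    echo "OCaml $v is 4.03 or newer"
    return 0
}

# Constructed inputs for illustration:
#   ocaml_vuln_cve_2015_8869 4.02.3   -> true  (Phil's version)
#   ocaml_vuln_cve_2015_8869 4.03.0   -> false
```

Run `check_installed_ocaml` on the keyserver host after installing an updated compiler package; a return of 0 means the rebuild-SKS step can proceed. Note that the check inspects the compiler currently in PATH, not the compiler that built the running `sks` binary, so it is only meaningful once SKS has been rebuilt against it.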