
From: Moritz Wirth
Subject: Re: [Sks-devel] Causes of "Vulnerable to CVE-2014-3207" flag in https://sks-keyservers.net/status/ks-status.php?server= page
Date: Sat, 30 Jun 2018 20:33:01 +0200

Are you sure that this is a problem of the CVE vulnerability and not because of a non-responding keyserver?


On 30.06.18 at 20:29, Eric Germann wrote:
Thanks

So I should download all the source from the git repo as it seems 1.1.6 doesn’t have the fixes?

On Jun 30, 2018, at 13:55, Christiaan de Die le Clercq <address@hidden> wrote:

Hi Eric,

The flag is set when SKS-Keyserver is vulnerable to XSS injection,
which is testable by going here:
http://<YOUR SKS SERVER>/pks/lookup/undefined1%3CScRiPt%3Eprompt(972363)%3C/ScRiPt%3E

More info on here:
https://bitbucket.org/skskeyserver/sks-keyserver/issues/26/cve-2014-3207-unfiltered-xss
and on here https://nvd.nist.gov/vuln/detail/CVE-2014-3207


Kind regards,

Christiaan de Die le Clercq

On 30-6-2018 at 3:20 PM, Eric Germann wrote:
Greetings,

Can anyone shed some light on what causes the "Vulnerable to
CVE-2014-3207" flag to be set in the status page
(https://sks-keyservers.net/status/ks-status.php?server=<servername>)
for a server?

Build configuration is sks-1.1.6 from source, nginx 1.15.0 configured as 
laid out in https://keyserver.mattrude.com/guides/building-server/

After a boot, the key server will show “No” in the CVE field and it 
appears to be eligible for pool inclusion.  After a while, it moves to 
“Yes” and appears to be ineligible.

I’m trying to understand what changes from just running as the CVE seems 
to be on the SKS server side.

Thanks for any insight

EKG



_______________________________________________
Sks-devel mailing list
address@hidden
https://lists.nongnu.org/mailman/listinfo/sks-devel


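The check Christiaan describes (request a lookup path carrying an encoded script tag and see whether it comes back unescaped), with Moritz's point that a server that does not answer at all is a separate outcome, as an added example. This is not code from the thread, from SKS or from the sks-keyservers.net status page; the two renderers are constructed stand-ins for an error page that echoes the request path, and the status page's real request and decision logic are assumptions, not taken from the page.

```python
import html
import re
from urllib.parse import unquote

# Probe path quoted in the thread (hostname omitted). How the status page
# actually forms its request and judges the reply is not on the page; the
# functions below are an assumed, simplified model of that check.
PROBE_PATH = "/pks/lookup/undefined1%3CScRiPt%3Eprompt(972363)%3C/ScRiPt%3E"


def probe_payload(path=PROBE_PATH):
    """Return the decoded tag sequence the probe tries to get reflected."""
    decoded = unquote(path)
    m = re.search(r"<ScRiPt>.*?</ScRiPt>", decoded, re.IGNORECASE)
    return m.group(0) if m else decoded


def render_lookup_error_unsafe(path):
    """Constructed stand-in for a handler that interpolates the request path
    into HTML verbatim: whatever the path contains becomes markup."""
    return "<html><body>Error handling request: %s</body></html>" % unquote(path)


def render_lookup_error_safe(path):
    """The same handler with the path HTML-escaped before interpolation, so
    '<' and '>' reach the browser as text rather than as a tag."""
    escaped = html.escape(unquote(path), quote=True)
    return "<html><body>Error handling request: %s</body></html>" % escaped


def probe_reflected(body, path=PROBE_PATH):
    """True when the probe's tag sequence appears unescaped in the body."""
    return probe_payload(path) in body


def classify(status, body, path=PROBE_PATH):
    """Three outcomes: a server that returned nothing is a different finding
    from one that answered and reflected the payload unescaped."""
    if status is None or body is None:
        return "no response"
    if probe_reflected(body, path):
        return "vulnerable"
    return "not vulnerable"


if __name__ == "__main__":
    # Constructed responses: one from the echoing handler, one from the escaping one.
    for name, body in (("unsafe", render_lookup_error_unsafe(PROBE_PATH)),
                       ("safe", render_lookup_error_safe(PROBE_PATH))):
        print(name, "->", classify(200, body))
    print("timeout ->", classify(None, None))
```

When run against your own server, the decision is the same `classify` call on the real status code and body; `no response` is the case to rule out first, since it looks nothing like an XSS finding even though a status page might present both as a failed check.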

