Bugtraq: Re: Distributing Patches in Email

From: Dirk Nimmich <nimmich_at_UNI-MUENSTER.DE>
Date: Fri, 3 Mar 2000 18:22:56 +0100

Scott Blake wrote:
> An exception to the rule Marc mentions should be non-executable,
> strongly signed updates. Concerned users can easily verify the
> signature manually (the software does so automatically) to be
> certain of the file's provenance and integrity.
[...]
> Btw, if anyone sees a flaw in our approach, I'd love to hear it.

You didn't say anything about the verification of signed files and
how those patches are applied, so the "generic" answer to this is:
Replay attack with signed files known to have security bugs. Can be
avoided if dates (of the signature, not of the message) and file
versions are checked, too.
Received on Mar 06 2000
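
The check described in the reply above, as an added example that is not part of the original message or of any vendor's updater: an old, validly signed update passes signature verification and is only stopped by comparing its signed version and signing date against what is installed. All names, the key and the sample updates are constructed for illustration, and HMAC stands in for the vendor's public-key signature so the code runs with the standard library alone.

```python
import hashlib
import hmac
import json

# Constructed demo key. HMAC is a stand-in for a public-key signature here.
VENDOR_KEY = b"constructed-demo-key"


def sign_update(version, signed_at, payload):
    """Vendor side: bind version and signing date to the payload digest."""
    manifest = json.dumps(
        {"version": list(version), "signed_at": signed_at,
         "sha256": hashlib.sha256(payload).hexdigest()},
        sort_keys=True,
    ).encode()
    tag = hmac.new(VENDOR_KEY, manifest, hashlib.sha256).hexdigest()
    return {"manifest": manifest, "sig": tag, "payload": payload}


def signature_ok(update):
    """Provenance and integrity only: says nothing about freshness."""
    expected = hmac.new(VENDOR_KEY, update["manifest"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, update["sig"]):
        return False
    meta = json.loads(update["manifest"])
    return meta["sha256"] == hashlib.sha256(update["payload"]).hexdigest()


def check_update(update, installed_version, installed_signed_at):
    """Return 'accept' or the reason for rejection."""
    if not signature_ok(update):
        return "reject: bad signature"
    meta = json.loads(update["manifest"])  # trusted only after the check above
    if tuple(meta["version"]) <= tuple(installed_version):
        return "reject: version not newer than installed"
    # ISO dates compare correctly as strings; this is the signature's date,
    # taken from the signed manifest, not the date of the carrying message.
    if meta["signed_at"] <= installed_signed_at:
        return "reject: signature older than installed update"
    return "accept"


# Constructed sample updates: 1.0 is the old release with a known bug.
OLD = sign_update((1, 0), "2000-01-10", b"old build with known bug")
NEW = sign_update((1, 1), "2000-03-01", b"fixed build")
```

The version and date must sit inside the signed manifest; values read from a filename or mail header are not covered by the signature and can be altered by whoever replays the file.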
