bug-cvs

RE: Security Breach Alert - CVS Home File Download Area Compromised


From: Conrad T. Pino
Subject: RE: Security Breach Alert - CVS Home File Download Area Compromised
Date: Wed, 26 Jan 2005 14:55:26 -0800

 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Mark,

> From: Mark D. Baushke
> 
> Would it be useful to consider creating ascii-armoured detached
> signatures?

The freeware Windows 2000 PGP program I have only supports detached
binary "*.sig" files similar to what Derek generates.

> I had no problems downloading the windows binaries:
[snip]
> shows that the signature verified.

The Windows binary file area has always worked for me too.

Thanks for the confirmation.

> It seems that I was forced to use wget or curl to fetch
> a copy of the .sig file:

This is consistent with everyone else so far.

> doing so verified with no problems:

This is consistent with everyone else so far.

> I am wondering if the problem is with the CollabNet
> servlets/ProjectDocumentView JSP program not sending a reasonable
> Content-Type for the document pages in question.

I thought the same originally.  Perform a "wget -S" and you'll see
are file URL redirected to a servlet which redirects to file URL.

I used the final file URL in a test HTML page and the behaviors
were consistent in my limited test cases.  IMHO the issue may be
Apache related since that's what is delivering the content.

>       Later,

Ditto,

>       -- Mark

Conrad

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.4

iQA/AwUBQfgf3bNM28ubzTo9EQJzMgCeOd5jjroJwjb+78Ag5WeA9QYCiecAnRgM
rNtGV8RbR9PGWu7w47T8Sk74
=LeMX
-----END PGP SIGNATURE-----
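
An added example, not part of the message above or of any CVS project tooling: a check that tells a binary detached `*.sig` from an ASCII-armoured one, and from a markup page saved under the signature's name, before the file is handed to PGP. The packet-header layout is from RFC 4880; the function names and sample bytes are constructed for illustration.

```python
# Classify a downloaded detached-signature file by its leading bytes.
# Header layout per RFC 4880 section 4.2. All sample inputs are constructed.

ARMOR_HEADER = b"-----BEGIN PGP SIGNATURE-----"
SIGNATURE_TAG = 2  # OpenPGP packet tag of a Signature packet


def packet_tag(first_octet):
    """Return the packet tag encoded in an OpenPGP header octet, or None."""
    if not first_octet & 0x80:            # bit 7 is set in every packet header
        return None
    if first_octet & 0x40:                # new-format header: tag in bits 5-0
        return first_octet & 0x3F
    return (first_octet & 0x3C) >> 2      # old-format header: tag in bits 5-2


def classify_signature(data):
    """Say what a file that should hold a detached signature really contains."""
    if not data:
        return "empty"
    start = data.lstrip()[:64]
    if start.startswith(ARMOR_HEADER):
        return "ascii-armored"
    if packet_tag(data[0]) == SIGNATURE_TAG:
        return "binary"
    if start.lower().startswith((b"<!doctype", b"<html", b"<?xml")):
        return "markup"                   # e.g. a web page saved as *.sig
    return "unknown"


# Constructed samples: header octets followed by filler, not real signatures.
SAMPLES = {
    "old-format binary": bytes([0x89, 0x00, 0x3F]) + bytes(63),
    "new-format binary": bytes([0xC2, 0x3F]) + bytes(63),
    "armored": ARMOR_HEADER + b"\nVersion: constructed\n\n",
    "html page": b"<!DOCTYPE html><html><body>Document</body></html>",
    "public key packet": bytes([0x99, 0x01, 0x0D]) + bytes(16),
}


def classify_samples():
    """Map each constructed sample name to its classification."""
    return {name: classify_signature(blob) for name, blob in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:20} -> {verdict}")
```

A "binary" or "ascii-armored" result only says the file has the right shape; the signature still has to be verified against the release file and the signer's key.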