[FUG-BR] Procedure for updating a vulnerable PORT

Ricardo Nabinger Sanchez rnsanchez at gmail.com
Wed Sep 26 13:45:13 BRT 2007


On Wed, 26 Sep 2007 11:57:32 -0300
"Celso Viana" <celso.vianna at gmail.com> wrote:

> Meaning?

It may be vulnerable, since the "problem" is with the protocol itself, and
not with the application (cvsup or csup):

Historically, most people have used CVSup to keep their ports tree up to
date, but CVSup has a number of limitations:

    * CVSup is insecure. The protocol uses no encryption or signing, and
any attacker who can intercept the connection can insert arbitrary data
into the tree you are updating.
    * CVSup isn't end-to-end. Related to the previous point, this means
that anyone who can compromise a CVSup mirror can feed arbitrary data to
the people who are using that mirror.
    * CVSup isn't designed for frequent small updates. While CVSup is
very good at distributing CVS trees, and is very efficient for updating
a tree which has been significantly changed (eg, by a month or more of
commits), it transmits a list of all the files in the tree, which makes
it quite inefficient if only a few files have changed.
    * CVSup uses a custom protocol. This can cause problems for people
behind firewalls -- outgoing connections on port 5999 need to be
permitted -- and it needs a heavyweight server (cvsupd). 

http://www.daemonology.net/portsnap/

-- 
Ricardo Nabinger Sanchez                   rnsanchez at gmail.com
Powered by FreeBSD

  "Left to themselves, things tend to go from bad to worse."
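
The "end-to-end" point in the quoted list, as an added example that is not part of the original message and not portsnap's code: the client trusts only a value obtained out of band and rejects anything from the mirror that does not chain back to it. All names and sample data are constructed, and the pinned manifest digest is an assumption standing in for a signature check against a pinned public key.

```python
import hashlib
import json

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def publish(files: dict[str, bytes]) -> tuple[bytes, str]:
    """Origin side: manifest of path -> SHA-256, plus the manifest's own digest."""
    entries = {path: sha256_hex(body) for path, body in files.items()}
    manifest = json.dumps(entries, sort_keys=True).encode()
    return manifest, sha256_hex(manifest)

def fetch_verified(mirror: dict[str, bytes], pinned: str) -> dict[str, bytes]:
    """Client side: the mirror is untrusted; only the pinned digest is trusted."""
    manifest = mirror.get("MANIFEST", b"")
    if sha256_hex(manifest) != pinned:
        raise ValueError("manifest does not match pinned digest")
    tree = {}
    for path, digest in json.loads(manifest).items():
        body = mirror.get(path)
        if body is None or sha256_hex(body) != digest:
            raise ValueError(f"rejected {path}: missing or modified")
        tree[path] = body
    return tree

# Constructed sample tree (hypothetical port, placeholder contents).
ORIGIN = {
    "ports/www/example/Makefile": b"PORTNAME=example\n",
    "ports/www/example/distinfo": b"SIZE (example.tar.gz) = 0\n",
}
MANIFEST, PINNED = publish(ORIGIN)
CHANGED = dict(ORIGIN)
CHANGED["ports/www/example/Makefile"] += b"EXTRA=changed-in-transit\n"

def honest_mirror() -> dict[str, bytes]:
    return {"MANIFEST": MANIFEST, **ORIGIN}

def mirror_changed_file() -> dict[str, bytes]:
    # A file was altered on the mirror or in transit; the manifest was not.
    return {"MANIFEST": MANIFEST, **CHANGED}

def mirror_changed_both() -> dict[str, bytes]:
    # The mirror rebuilt the manifest to match its altered file.
    return {"MANIFEST": publish(CHANGED)[0], **CHANGED}

def check(mirror: dict[str, bytes]) -> str:
    try:
        fetch_verified(mirror, PINNED)
        return "accepted"
    except ValueError as err:
        return str(err)
```
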

