Re: [Tails-dev] A bunch of old but possibly interesting Poli…

Author: Jacob Appelbaum
Date:
To: intrigeri
CC: Juliusz Chroboczek, The Tails public development discussion list, Jacob Appelbaum
Subject: Re: [Tails-dev] A bunch of old but possibly interesting Polipo ideas and patches
On 03/25/2012 08:49 AM, intrigeri wrote:
> Hi,
>
> intrigeri wrote (06 Jan 2012 15:53:31 GMT) :
>> Hi Juliusz,
>
>> I'm writing you on behalf of the Tails[0] development team.
>> We've been shipping Polipo for years in Tails.
>
>> We were alerted by Jacob Appelbaum about a few bugs in Polipo that
>> could have security consequences.
>
>> This warning came with a bunch of ideas and patches; not all are
>> complete but they may be of some interest to you; in case these
>> patches were never submitted to you, please find them attached to
>> this email.
>
>> We would be very interested to read your thoughts about the security
>> issues suggested by Jacob.
>
> Ping?
>
> Any ETA to comment on the potential security issues Jacob
> Appelbaum alerted us about?
>


Those issues are pretty old, I wouldn't be surprised if it was all dead
code by now.

> Given I'm neither familiar with the code nor with the issues Jacob
> reported, I'm not comfortable going the CVE / Debian bugs tagged
> security way myself, but I strongly feel someone who cares about
> Polipo should do something about it.
>
>> Besides, our users have reported to us they could not download files
>> bigger than chunkHighMark; is it expected? Fixed in Git? We've found
>> a related bug report about it there:
>> https://trac.torproject.org/projects/tor/ticket/1149
>
> This is much less urgent, and should probably not block your
> commenting upon the potential security issues.
>


I think this is actually equally as urgent. You can't use polipo to
download tails, right?

All the best,
Jacob