Re: libproxy as external dependency

Michael Banck wrote:
> FYI, a member of the Debian security team raised concerns:
> "WPAD is a broken protocol with security issues inherent to the DNS
> devolution mechanism (which is also performed by libproxy).  Please
> don't add implementations to the Debian archive."
> Forwarding here without further comments as I have no idea about the
> security implications.

As noted in the followups:

    - The fact that it's broken doesn't change the fact that lots of
      sites use it

    - It's already implemented by other programs in the distro anyway
      (notably Firefox)

    - Its use in libproxy can be disabled system-wide by the

I think in current libproxy WPAD is enabled by default though. We should
make sure that's changed.

-- Dan

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]