Re: libproxy as external dependency



Michael Banck wrote:
> FYI, a member of the Debian security team raised concerns:
> 
> "WPAD is a broken protocol with security issues inherent to the DNS
> devolution mechanism (which is also performed by libproxy).  Please
> don't add implementations to the Debian archive."
> 
> http://lists.debian.org/debian-devel/2008/12/msg00737.html
> 
> Forwarding here without further comments as I have no idea about the
> security implications.

As noted in the followups:

    - The fact that it's broken doesn't change the fact that lots of
      sites use it

    - It's already implemented by other programs in the distro anyway
      (notably Firefox)

    - Its use in libproxy can be disabled system-wide by the
      administrator

I think in current libproxy WPAD is enabled by default though. We should
make sure that's changed.

-- Dan
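
The DNS devolution concern quoted above, as an added example (not part of the original message and not libproxy's code). It assumes a client that strips one label at a time with no stopping rule, uses a constructed host name and organisation domain, and reports which wpad.* lookups would fall outside the domain the site administers.

```python
# Added illustration of generic WPAD DNS devolution; not libproxy's implementation.
# Assumption: the client strips one leading label per step and never stops early.

def wpad_candidates(fqdn):
    """Return the wpad.* names a devolving client may look up, most specific first."""
    labels = fqdn.rstrip(".").lower().split(".")
    # Skip the host label itself, then drop one more leading label per step.
    return ["wpad." + ".".join(labels[i:]) for i in range(1, len(labels))]


def audit(fqdn, org_domain):
    """Split the candidates into names inside org_domain and names outside it."""
    org = org_domain.rstrip(".").lower()
    inside, outside = [], []
    for name in wpad_candidates(fqdn):
        parent = name[len("wpad."):]
        if parent == org or parent.endswith("." + org):
            inside.append(name)
        else:
            # Answered by whoever controls that parent zone, not by the site.
            outside.append(name)
    return inside, outside


if __name__ == "__main__":
    # Constructed sample values.
    inside, outside = audit("pc7.lab.corp.example.co.uk", "example.co.uk")
    print("inside organisation domain:")
    for name in inside:
        print("   ", name)
    print("outside organisation domain (should never be queried):")
    for name in outside:
        print("   ", name)
```
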


