merproject (hadk, sdk) website security

asked 2017-09-12 23:20:20 +0200

path

HADK & SDK instruct to download from (or build on) *.merproject.org, over HTTP, and with no choice of checking signatures or MD5 or SHA sums. It gets even worse:

https://www.ssllabs.com/ssltest/analyze.html?d=img.merproject.org

SSL Report: build.merproject.org (5.9.68.173)
Assessed on: Mon, 11 Sep 2017 20:42:51 UTC

This server is vulnerable to the OpenSSL Padding Oracle vulnerability (CVE-2016-2107) and insecure. Grade set to F.

This server supports weak Diffie-Hellman (DH) key exchange parameters. Grade capped to B.

This server accepts RC4 cipher, but only with older protocols. Grade capped to B.


Comments

1

You can always build locally, no need to use OBS...

juiceme (2017-09-13 15:51:22 +0200)