merproject (hadk, sdk) website security
asked 2017-09-12 23:20:20 +0300
hadk & sdk instruct to download from (or build on) *.merproject.org, over http, and with no choice of checking signatures or md5 or sha sums. it gets even worse
https://www.ssllabs.com/ssltest/analyze.html?d=img.merproject.org SSL Report: build.merproject.org (5.9.68.173) Assessed on: Mon, 11 Sep 2017 20:42:51 UTC
This server is vulnerable to the OpenSSL Padding Oracle vulnerability (CVE-2016 -2107) and insecure. Grade set to F. This server supports weak Diffie-Hellman (DH) key exchange parameters. Grade cap ped to B. This server accepts RC4 cipher, but only with older protocols. Grade capped to B
You can always build locally, no need to use OBS...
juiceme ( 2017-09-13 15:51:22 +0300 )edit