Some public security stuff I posted after 2009

  • 2011-09: Several bugs in apt-key + gpg on Ubuntu. If one can spoof or own an Ubuntu mirror, this gives remote root. source

  • 2015-09: RFC 2631, FIPS 186-3 and openssl's implementation of DSA appear broken (and possibly backdoored). source

  • 2019-11: Minor information disclosure in punbb. source

  • 2020-06: Some potential security bugs in djbdns 1.05. source

  • 2020-05: Short notes on the qmail security guarantee. source

  • 2017-03: Rediscovering existential forgery in ECDSA. source

  • 2016-03: elinks and links2 don't verify SSL certificates at all on Debian 8. source

  • 2016-03: openssl and libressl are still shipping elliptic curve secp112r1, which was broken in 2009. source