From mboxrd@z Thu Jan  1 00:00:00 1970
Path: news.gmane.org!not-for-mail
From: Kelly Dean <kelly@prtime.org>
Newsgroups: gmane.emacs.bugs
Subject: bug#19479: Emacs package manager vulnerable to replay attacks
Date: Tue, 24 Feb 2015 08:47:23 +0000
Message-ID: <bNYHpEiZCkauoMSMdrNGBBL3XObzeRBVpRxjzurW4Ql__36328.4237836071$1424767770$gmane$org@local>
References: <87iogt8ipi.fsf@violet.siamics.net>
	<F8kXGdneKQWh6B82cOwdrCdBAdO1h3o9WXOqLmHuB8T@local>
	<iHwGTo6KPGu52f1tOLq6Ek7KcZ7r2tufrT1z4GnPndF@local>
NNTP-Posting-Host: plane.gmane.org
Mime-Version: 1.0
Content-Type: text/plain
X-Trace: ger.gmane.org 1424767770 8770 80.91.229.3 (24 Feb 2015 08:49:30 GMT)
X-Complaints-To: usenet@ger.gmane.org
NNTP-Posting-Date: Tue, 24 Feb 2015 08:49:30 +0000 (UTC)
Cc: 19479@debbugs.gnu.org, emacs-devel@gnu.org
To: Ivan Shmakov <ivan@siamics.net>
Original-X-From: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org Tue Feb 24 09:49:17 2015
Return-path: <bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org>
Envelope-to: geb-bug-gnu-emacs@m.gmane.org
Original-Received: from lists.gnu.org ([208.118.235.17])
	by plane.gmane.org with esmtp (Exim 4.69)
	(envelope-from <bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org>)
	id 1YQBB2-0001MF-Ry
	for geb-bug-gnu-emacs@m.gmane.org; Tue, 24 Feb 2015 09:49:13 +0100
Original-Received: from localhost ([::1]:47406 helo=lists.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org>)
	id 1YQBB2-0004Tk-1p
	for geb-bug-gnu-emacs@m.gmane.org; Tue, 24 Feb 2015 03:49:12 -0500
Original-Received: from eggs.gnu.org ([2001:4830:134:3::10]:43310)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1YQBAt-0004LA-H4
	for bug-gnu-emacs@gnu.org; Tue, 24 Feb 2015 03:49:08 -0500
Original-Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1YQBAs-0008Io-PX
	for bug-gnu-emacs@gnu.org; Tue, 24 Feb 2015 03:49:03 -0500
Original-Received: from debbugs.gnu.org ([140.186.70.43]:52596)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1YQBAs-0008Ik-MJ
	for bug-gnu-emacs@gnu.org; Tue, 24 Feb 2015 03:49:02 -0500
Original-Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.80)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1YQBAs-00007T-Bv
	for bug-gnu-emacs@gnu.org; Tue, 24 Feb 2015 03:49:02 -0500
X-Loop: help-debbugs@gnu.org
Resent-From: Kelly Dean <kelly@prtime.org>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
Resent-CC: bug-gnu-emacs@gnu.org
Resent-Date: Tue, 24 Feb 2015 08:49:02 +0000
Resent-Message-ID: <handler.19479.B19479.1424767731443@debbugs.gnu.org>
Resent-Sender: help-debbugs@gnu.org
X-GNU-PR-Message: followup 19479
X-GNU-PR-Package: emacs
X-GNU-PR-Keywords: security
Original-Received: via spool by 19479-submit@debbugs.gnu.org id=B19479.1424767731443
	(code B ref 19479); Tue, 24 Feb 2015 08:49:02 +0000
Original-Received: (at 19479) by debbugs.gnu.org; 24 Feb 2015 08:48:51 +0000
Original-Received: from localhost ([127.0.0.1]:56194 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.80)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1YQBAg-000075-Uj
	for submit@debbugs.gnu.org; Tue, 24 Feb 2015 03:48:51 -0500
Original-Received: from relay4-d.mail.gandi.net ([217.70.183.196]:49720)
	by debbugs.gnu.org with esmtp (Exim 4.80)
	(envelope-from <kelly@prtime.org>) id 1YQBAe-00006v-SH
	for 19479@debbugs.gnu.org; Tue, 24 Feb 2015 03:48:49 -0500
Original-Received: from mfilter16-d.gandi.net (mfilter16-d.gandi.net [217.70.178.144])
	by relay4-d.mail.gandi.net (Postfix) with ESMTP id 03DAB172081;
	Tue, 24 Feb 2015 09:48:47 +0100 (CET)
X-Virus-Scanned: Debian amavisd-new at mfilter16-d.gandi.net
X-Amavis-Alert: BAD HEADER SECTION, Duplicate header field: "Cc"
Original-Received: from relay4-d.mail.gandi.net ([217.70.183.196])
	by mfilter16-d.gandi.net (mfilter16-d.gandi.net [10.0.15.180])
	(amavisd-new, port 10024)
	with ESMTP id iffBTboRSMlU; Tue, 24 Feb 2015 09:48:45 +0100 (CET)
X-Originating-IP: 66.220.3.179
Original-Received: from localhost (gm179.geneticmail.com [66.220.3.179])
	(Authenticated sender: kelly@prtime.org)
	by relay4-d.mail.gandi.net (Postfix) with ESMTPSA id 962B4172077;
	Tue, 24 Feb 2015 09:48:43 +0100 (CET)
In-Reply-To: <87iogt8ipi.fsf@violet.siamics.net>
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.15
Precedence: list
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 3.x
X-Received-From: 140.186.70.43
X-BeenThere: bug-gnu-emacs@gnu.org
List-Id: "Bug reports for GNU Emacs,
	the Swiss army knife of text editors" <bug-gnu-emacs.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/bug-gnu-emacs>,
	<mailto:bug-gnu-emacs-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/bug-gnu-emacs>
List-Post: <mailto:bug-gnu-emacs@gnu.org>
List-Help: <mailto:bug-gnu-emacs-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/bug-gnu-emacs>,
	<mailto:bug-gnu-emacs-request@gnu.org?subject=subscribe>
Errors-To: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org
Original-Sender: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org
Xref: news.gmane.org gmane.emacs.bugs:99757
Archived-At: <http://permalink.gmane.org/gmane.emacs.bugs/99757>

Note, I'm not implementing the metadata-replay fix, because it's unlikely my patch would be accepted, so somebody else will need to do it. See my January 11th message to bug #19479 for a description of how to do it.