[whatwg/fetch] Block port 989, 990 (ftps-data and ftp) (#1250)

CC @ricea, @youennf, @annevk 

Taking out our imperfect ban hammer again.
In the light of the recently published [ALPACA attack](https://alpaca-attack.com/), it might be worthwhile disallowing ports 989 and 990. We consider these the least controversial ports to add to the list, given they are assigned and below 1024.

One could also block port 2525, but that's... trickier?
Would be great if you, @ricea, could help us gather some numbers.

I know Microsoft did _something_ in https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31971 and Chromium was considering something in https://bugs.chromium.org/p/chromium/issues/detail?id=1197149


- [ ] At least two implementers are interested (and none opposed):
   * Mozilla
   * …
- [ ] [Tests](https://github.com/web-platform-tests/wpt) are written and can be reviewed and commented upon at:
   * …
- [ ] [Implementation bugs](https://github.com/whatwg/meta/blob/main/MAINTAINERS.md#handling-pull-requests) are filed:
   * Chrome: https://bugs.chromium.org/p/chromium/issues/detail?id=1197149 (?)
   * Firefox: https://bugzilla.mozilla.org/show_bug.cgi?id=1715684
   * Safari: …

You can view, comment on, or merge this pull request online at:

  https://github.com/whatwg/fetch/pull/1250


-- Commit Summary --

  * Block port 989, 990 (ftps-data and ftp)

-- File Changes --

    M fetch.bs (2)

-- Patch Links --

https://github.com/whatwg/fetch/pull/1250.patch

https://github.com/whatwg/fetch/pull/1250.diff



Received on Thursday, 10 June 2021 07:37:25 UTC