rust-lang / rustup

The Rust toolchain installer
https://rust-lang.github.io/rustup/
Apache License 2.0

Protect upgrades from downgrade attacks #446

Open brson opened 8 years ago

brson commented 8 years ago

Discussed briefly on the sandstorm blog post on curl | sh. The installer should refuse to upgrade to old revisions.

brson commented 8 years ago

I need to learn more about this attack, because I'm mostly just guessing what it is from that blog post.

eternaleye commented 8 years ago

The basic idea is that the current version, C, is vulnerable to downgrade attacks (and nothing else), and an older version O is vulnerable to something worse (such as RCE). The attacker can then use a downgrade attack to take the victim who is on C back to O, and then use the worse vulnerability.
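The mitigation the issue asks for, as an added example that is not rustup's own code: a monotonic version check the installer runs before replacing what is on disk, refusing any candidate that is older than the installed release. It assumes three-part `MAJOR.MINOR.PATCH` strings and that the installed version is read from trusted local state; the check only helps if the offered version string comes from an authenticated (for example signed) manifest, otherwise an attacker can simply claim a higher number.

```rust
// Added example (not rustup's code): refuse "upgrades" to older releases.
use std::cmp::Ordering;

// Field order matters: derived Ord compares major, then minor, then patch.
#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
pub struct Version { pub major: u32, pub minor: u32, pub patch: u32 }

impl Version {
    /// Parse "MAJOR.MINOR.PATCH" numerically; anything else is rejected, not guessed.
    pub fn parse(s: &str) -> Option<Version> {
        let mut parts = s.trim().split('.');
        let major = parts.next()?.parse().ok()?;
        let minor = parts.next()?.parse().ok()?;
        let patch = parts.next()?.parse().ok()?;
        if parts.next().is_some() { return None; }
        Some(Version { major, minor, patch })
    }
}

#[derive(Debug, PartialEq, Eq)]
pub enum Decision {
    Install,            // candidate is strictly newer than what is installed
    AlreadyCurrent,     // same version, nothing to do
    RefusedDowngrade,   // candidate is older: treat as a possible downgrade attack
    RefusedUnparseable, // malformed version string from the update channel
}

/// `installed` comes from local state the client already trusts;
/// `offered` is what the (authenticated) update manifest advertises.
pub fn decide(installed: &str, offered: &str) -> Decision {
    let cur = match Version::parse(installed) {
        Some(v) => v,
        None => return Decision::RefusedUnparseable,
    };
    let new = match Version::parse(offered) {
        Some(v) => v,
        None => return Decision::RefusedUnparseable,
    };
    match new.cmp(&cur) {
        Ordering::Greater => Decision::Install,
        Ordering::Equal => Decision::AlreadyCurrent,
        Ordering::Less => Decision::RefusedDowngrade,
    }
}

fn main() {
    // Constructed sample: installed 1.10.0, server offers 1.9.9 (older).
    println!("{:?}", decide("1.10.0", "1.9.9")); // RefusedDowngrade
}
```

Note the numeric comparison: a byte-wise string compare would wrongly rank `1.9.9` above `1.10.0`, which is why each component is parsed before comparing.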

brson commented 8 years ago

Thanks for the clarification @eternaleye!

ms-ati commented 1 year ago

Hello from Dec 2022! 5 1/2 years later, is this still an issue to be addressed?