Source: zsh
Version: 5.9-6
Severity: wishlist
Tags: patch

While looking for upstream fixes for zsh compatibility with gcc 14, I noticed that the source package uses git:// and http:// URLs in debian/upstream/metadata, which do not authenticate the identity of the remote server and so are vulnerable to man-in-the-middle attacks. Please replace them with their equivalent https:// URLs, for example by applying the attached patch.
Thanks, smcv
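An added check, in Python, that is not part of this bug report or of the zsh package: it scans a flat debian/upstream/metadata file for values using the unauthenticated http:// and git:// transports, proposes the https:// equivalent (scheme only; a host change such as sourceforge.net to sourceforge.io still needs manual confirmation), and also flags duplicated keys. The sample file and its mailto address are constructed.

```python
import re
from collections import Counter

# Constructed sample in the shape of the file before the patch (address is a placeholder).
SAMPLE_METADATA = """\
---
# https://wiki.debian.org/UpstreamMetadata
Bug-Submit: mailto:EXAMPLE-LIST@example.org
Changelog: http://zsh.sourceforge.net/releases.html
Homepage: https://www.zsh.org/
Homepage: http://zsh.sourceforge.net/
Repository: git://git.code.sf.net/p/zsh/code
Repository-Browse: https://sourceforge.net/p/zsh/code/ci/master/tree/
"""

# Transports that do not authenticate the remote server.
INSECURE_SCHEMES = ("http://", "git://")
KEY_VALUE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*):\s*(.*)$")


def parse_metadata(text):
    """Return (key, value) pairs from a flat upstream/metadata file.
    Only top-level scalar keys are handled; comments and '---' are skipped."""
    pairs = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#") or stripped == "---":
            continue
        m = KEY_VALUE.match(line)
        if m:
            pairs.append((m.group(1), m.group(2).strip()))
    return pairs


def find_insecure_urls(text):
    """Return (key, value, proposed) for every value on an insecure transport."""
    findings = []
    for key, value in parse_metadata(text):
        for scheme in INSECURE_SCHEMES:
            if value.startswith(scheme):
                findings.append((key, value, "https://" + value[len(scheme):]))
    return findings


def find_duplicate_keys(text):
    """Return keys that appear more than once (the file is YAML, so this is a defect)."""
    counts = Counter(key for key, _ in parse_metadata(text))
    return sorted(k for k, n in counts.items() if n > 1)
```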
>From 047ed307dab5b74451570da93f59f465da5a3ccc Mon Sep 17 00:00:00 2001 From: Simon McVittie <s...@debian.org> Date: Sat, 3 Aug 2024 16:39:08 +0100 Subject: [PATCH] d/upstream/metatata: Use secure URLs The http and anonymous git protocols do not authenticate the identity of the server, making them vulnerable to man-in-the-middle attacks. Replace them with authenticated equivalents. zsh.sourceforge.net redirects to zsh.sourceforge.io, so presumably that address is now considered canonical. --- debian/upstream/metadata | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/debian/upstream/metadata b/debian/upstream/metadata index c1bf49f68..9d905fd60 100644 --- a/debian/upstream/metadata +++ b/debian/upstream/metadata @@ -2,13 +2,13 @@ --- # https://wiki.debian.org/UpstreamMetadata Bug-Submit: mailto:zsh-work...@zsh.org -Changelog: http://zsh.sourceforge.net/releases.html +Changelog: https://zsh.sourceforge.io/releases.html Contact: zsh-work...@zsh.org Security-Contact: zsh-secur...@zsh.org -FAQ: http://zsh.sourceforge.net/FAQ/ +FAQ: https://zsh.sourceforge.io/FAQ/ Name: Z shell Homepage: https://www.zsh.org/ -Homepage: http://zsh.sourceforge.net/ -Repository: git://git.code.sf.net/p/zsh/code +Homepage: https://zsh.sourceforge.io/ +Repository: https://git.code.sf.net/p/zsh/code Repository-Browse: https://sourceforge.net/p/zsh/code/ci/master/tree/ -Documentation: http://zsh.sourceforge.net/Doc/ +Documentation: https://zsh.sourceforge.io/Doc/ -- 2.45.2
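Review bot: the hunk leaves two `Homepage:` keys in debian/upstream/metadata (`Homepage: https://www.zsh.org/` followed by the rewritten `Homepage: https://zsh.sourceforge.io/`); the file is YAML, so a duplicated mapping key is at best silently overridden and at worst rejected by a strict parser, and this would be a good moment to drop the sourceforge entry or move it to another field. The subject line also has a typo, `metatata` for `metadata`. Since the commit message says the sourceforge.io address is "presumably" canonical and the Repository line switches from `git://` to `https://git.code.sf.net/p/zsh/code`, it would be worth recording in the commit message that both were checked, e.g. that `git ls-remote https://git.code.sf.net/p/zsh/code` succeeds and that the http://zsh.sourceforge.net/ pages redirect to https://zsh.sourceforge.io/.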