PSA - Major Security bug in APT - patches available

jardows

2[H]4U
Joined
Jun 10, 2015
Messages
2,308
Yeah, this one really annoys me. Why are debian repos defaulted to http? Doesn't make sense to me. I understand that packages still must be signed before apt will install them, but as this man-in-the-middle proves, that measure is trivial to overcome, and having domain level authentication plus package signing seems to be a much better solution to me.
 
yeah this was one of those where you go wait...what? You were doing what with the URL?

HTTPS wouldn't even fix it completely because of how they were treating the URL. All someone had to do at that point was compromise an HTTPS mirror (we all know that's not possible right? ;)) and they could still pull this off. Very bad bug indeed.
 
I don't know that I'd call it a bug. More of a design flaw. Good that security is being considered and addressed, nonetheless.
 
yeah this was one of those where you go wait...what? You were doing what with the URL?

HTTPS wouldn't even fix it completely because of how they were treating the URL. All someone had to do at that point was compromise an HTTPS mirror (we all know that's not possible right? ;)) and they could still pull this off. Very bad bug indeed.
Well, ideally the malicious https server wouldn't be able to be used because ideally APT would be designed to use proper authentication and reject a non-signed certificate. So while I agree using port 443 and a certificate wouldn't be enough, if proper authentication is in place then it would go a long way to preventing this issue.
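The thread's practical takeaway (repos defaulting to plaintext http, and wanting TLS with proper server authentication on top of package signing) can be turned into a quick defender-side check. The script below is an added example, not code from the thread or from the APT project: it audits one-line-style apt source entries for `http://` transports and prints the `https://` equivalent. The sources list content is constructed sample input (the `.invalid` mirror hostname is a placeholder), and whether a given mirror actually serves HTTPS is an assumption the administrator still has to confirm.

```shell
#!/bin/sh
# Added example: audit apt one-line source entries for plaintext http transports.
# Constructed sample of a sources.list; the .invalid host is a placeholder.
SAMPLE_SOURCES='deb http://deb.debian.org/debian stretch main
deb-src http://deb.debian.org/debian stretch main
deb https://deb.debian.org/debian-security stretch/updates main
# deb http://example.invalid/debian stretch main (commented out, ignored)
deb [arch=amd64] http://mirror.example.invalid/debian stretch contrib'

# Read source lines on stdin; print active deb/deb-src entries whose URI is http://.
# Commented-out lines and https:// entries are not reported.
find_http_sources() {
    grep -E '^[[:space:]]*deb(-src)?[[:space:]]' |
        grep -E '[[:space:]](\[[^]]*\][[:space:]]+)?http://'
}

# Number of offending entries; a non-zero result is a simple pass/fail signal
# for config management or a CI check over /etc/apt/sources.list*.
count_http_sources() {
    find_http_sources | wc -l | tr -d ' '
}

# Rewrite each offending entry to https://. The mirror must really offer TLS;
# on apt releases older than 1.5 the apt-transport-https package is also needed.
suggest_https() {
    find_http_sources | sed 's#http://#https://#'
}

# Stand-alone run over the constructed sample (real use: cat /etc/apt/sources.list
# /etc/apt/sources.list.d/*.list | find_http_sources).
printf '%s\n' "$SAMPLE_SOURCES" | find_http_sources
printf '%s\n' "$SAMPLE_SOURCES" | suggest_https
```

On the sample input the audit reports the three active `http://` entries and leaves the commented line and the `https://` security entry alone; the rewrite step only changes the scheme, so options such as `[arch=amd64]` survive.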
 