PSA - Major Security bug in APT - patches available

Discussion in 'Linux/BSD/Free Systems' started by jardows, Jan 23, 2019.

  1. jardows

    jardows [H]ard|Gawd

    Messages:
    1,382
    Joined:
    Jun 10, 2015
    FNtastic likes this.
  2. Lunar

    Lunar Limp Gawd

    Messages:
    371
    Joined:
    Jul 26, 2007
    Yeah, this one really annoys me. Why are debian repos defaulted to http? Doesn't make sense to me. I understand that packages still must be signed before apt will install them, but as this man in the middle proves, that measure is trivial to overcome, and having domain level authentication plus package signing seems to be a much better solution to me.
     
  3. Vermillion

    Vermillion 2[H]4U

    Messages:
    3,999
    Joined:
    Apr 5, 2007
    yeah this was one of those where you go wait...what? You were doing what with the URL?

    HTTPS wouldn't even fix it completely because of how they were treating the URL. All someone had to do at that point was compromise an HTTPS mirror (we all know that's not possible right? ;) )and they could still pull this off. Very bad bug indeed.
     
  4. FNtastic

    FNtastic [H]ard|Gawd

    Messages:
    1,165
    Joined:
    Jul 6, 2013
    I don't know that I'd call it a bug. More of a design flaw. Good that security is being considered and addressed, nonetheless.
     
  5. Lunar

    Lunar Limp Gawd

    Messages:
    371
    Joined:
    Jul 26, 2007
    Well, ideally the malicious https server wouldn't be able to be used because ideally APT would be designed to use proper authentication and reject a non-signed certificate. So while I agree using port 443 and a certificate wouldn't be enough, if proper authentication is in place then it would go a long way to preventing this issue.