Bug#305142: CAN-2005-2214: insegure apt-setup

To: Martin Schulze <joey@infodrom.org>, 305142@bugs.debian.org
Subject: Bug#305142: CAN-2005-2214: insegure apt-setup
From: Joey Hess <joeyh@debian.org>
Date: Tue, 12 Jul 2005 13:30:21 +0300
Message-id: <[🔎] 20050712103021.GA6897@kitenet.net>
Reply-to: Joey Hess <joeyh@debian.org>, 305142@bugs.debian.org
In-reply-to: <[🔎] 20050712053142.GB9098@finlandia.infodrom.north.de>
References: <[🔎] 20050712053142.GB9098@finlandia.infodrom.north.de>

Martin Schulze wrote:
> severity 305142 important

This is severity inflation: This bug affects a minority of a minority of
users (users who have a proxy that requires a password, have some reason
to use it for apt, and somehow have managed to avoid the inherent
security issues of the http password being sent in the clear over the
network).

> tags 305142 security
> thanks
> 
> Is there any motion on this problem?

The only real solution to this bug is to remove support for passwords in
the proxy setting. Making the file mode 600 by default, or even only if
a password is present cripples the system for regular users by breaking
apt-get source and hardly makes it anymore secure anyway.

-- 
see shy jo

Attachment: signature.asc
Description: Digital signature

Reply to:

Follow-Ups:
- Bug#305142: CAN-2005-2214: insegure apt-setup
  - From: Petter Reinholdtsen <pere@hungry.com>

References:
- Bug#305142: CAN-2005-2214: insegure apt-setup
  - From: Martin Schulze <joey@infodrom.org>

Prev by Date: efi-reader_0.7_ia64.changes ACCEPTED
Next by Date: Processed: Re: Bug#305142: CAN-2005-2214: insegure apt-setup
Previous by thread: Processed: CAN-2005-2214: insegure apt-setup
Next by thread: Bug#305142: CAN-2005-2214: insegure apt-setup
Index(es):
- Date
- Thread