Bug#442180: d-i preseed method allows for remote cmd exec. in combination with DNS hijacking
-----BEGIN PGP SIGNED MESSAGE-----
Justification: root security hole
The default boot option used by this package contains the following:
As seen when inspecting the document available at this URL, this boot
option is used to run a given command at the time Debian GNU/Linux is
installed. The command to be run (as root) is retrieved from the document
available at the given URL.
If an attacker is able to hijack or otherwise influence the DNS server
used when Debian GNU/Linux is installed using win32-loader, she may be
able to run, as root, any command that is available on the system being
installed, by redirecting requests to a different web server that serves
an arbitrary command of her choosing at the same URL.
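To make the failure mode concrete, here is an added example (shell, not code from win32-loader or debian-installer, and not the boot option the report quotes): a preseed-style "fetch a command document, then run it as root" step, first in the unverified form the report describes and then with a pinned SHA-256 that prevents a server reached via hijacked DNS from substituting its own commands. The HTTP fetch is simulated with local files so it runs offline; the document contents, file names and the "pinned" digest are constructed for illustration, and the script assumes sha256sum or shasum and mktemp are available.

```shell
#!/bin/sh
# Added example: fetch-then-execute with and without an integrity pin.
# Not win32-loader or d-i code; file names and contents are constructed.

# Portable SHA-256 of a file (GNU coreutils sha256sum or BSD shasum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Unverified pattern: whatever the web server behind the URL returned is
# executed. With DNS under attacker control, that is the attacker's script.
run_unverified() {
    sh "$1"
}

# Hardened pattern: the installer image ships a pinned digest of the expected
# document; anything else is rejected before it is executed.
# Returns 0 if the document was run, 1 if it was rejected.
run_verified() {
    doc=$1
    pin=$2
    actual=$(sha256_of "$doc")
    if [ "$actual" = "$pin" ]; then
        sh "$doc"
    else
        printf 'refusing to run %s: sha256 %s does not match pinned %s\n' \
            "$doc" "$actual" "$pin" >&2
        return 1
    fi
}

# Constructed fixtures standing in for two HTTP responses to the same URL:
# the legitimate document, and the one a hijacked DNS name would serve.
# Each records that it ran by creating "<its own path>.ran".
make_docs() {
    dir=$1
    printf '%s\n' 'echo "legitimate post-install hook" > "$0.ran"' > "$dir/genuine.sh"
    printf '%s\n' 'echo "attacker command ran as root" > "$0.ran"' > "$dir/hijacked.sh"
}

# Stand-alone demonstration of both patterns against both documents.
demo() {
    tmp=$(mktemp -d)
    make_docs "$tmp"
    pin=$(sha256_of "$tmp/genuine.sh")   # the value baked into the installer image
    run_unverified "$tmp/hijacked.sh"     # executes the attacker's document
    run_verified "$tmp/genuine.sh" "$pin" # matches the pin, runs
    run_verified "$tmp/hijacked.sh" "$pin" || echo "hijacked document rejected"
    rm -rf "$tmp"
}

demo
```

A pinned digest binds the installer to one exact document, so the image must be rebuilt whenever that document changes; fetching over HTTPS with certificate verification is the alternative that tolerates server-side updates, but either way the installer must check something the DNS path cannot influence before executing what it downloaded.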
On a side note, a default setting that makes users take part in a
statistical analysis, gathering users' requests in a single location, can
be considered a privacy risk or issue. (This is the same for suggesting to
install Firefox with the Google toolbar, but that's a completely different
I'm looking forward to seeing this software mature (even further).
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
-----END PGP SIGNATURE-----