[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#788634: debian-installer: Accepting a preseed URL from DHCP allows attacker to hijack installation

(no need to CC me or debian-boot to answers as bug report answers
already go to debian-boot)

Quoting Aliz 'Randomdude' (randomdude@gmail.com):

> +Template: preseed/accept_preseed_from_DHCP
> +Type: boolean
> +Default: false
> +Description: Should we accept a preseed URL from a DHCP server?
> + Your DHCP server has provided extra commands or customisations to
> + debian-installer. It is possible that these commands were sent by
> + your network administrator; however, it is impossible to verify
> + this, or to ensure they have not been altered by an attacker who
> + already has access to your local network.

This patch shouldn't be committed as is to the git repository. It
needs rewording in the debconf template, to avoid a few style
inconsistencies with the writing style of other D-I templates:

- drop the use of first person ("we")
- drop the use of "your"

The template is also not marked for translation ("_Description"
instead of "Description") even though it's clearly worded to be

Attachment: signature.asc
Description: Digital signature

Reply to: