Source: libdebian-installer Version: 0.108 Severity: serious Tags: security X-Debbugs-Cc: security@debian.org User: debian-release@lists.debian.org Usertags: bsp-2017-02-de-Berlin Hi, The 'etch' release (2007) added to the Release file, a field for SHA256 sums to authenticate Packages files. But to date, libdebian-installer does not parse it, so anna (which fetches .udeb installer component) and cdebootstrap (which fetches .deb base system packages) can not yet verify the SHA256 sums. http://sources.debian.net/src/libdebian-installer/0.108/include/debian-installer/release.h/#L43 http://sources.debian.net/src/libdebian-installer/0.108/include/debian-installer/release.h/#L58 http://sources.debian.net/src/libdebian-installer/0.108/include/debian-installer/package.h/#L115 Further context and an overview of related bugs will be published at: https://wiki.debian.org/InstallerDebacle This bug is not itself RC, but it will be a blocking issue for RC bugs I'm about to file. I intend to submit a patch for this shortly. Thanks, Regards, -- Steven Chamberlain steven@pyro.eu.org
Attachment:
signature.asc
Description: Digital signature