Source: anna Version: 1.57 Severity: grave Tags: security X-Debbugs-Cc: security@debian.org User: debian-release@lists.debian.org Usertags: bsp-2017-02-de-Berlin Control: block -1 by 856210 Hi, To date, anna still only implements MD5 verification of .udeb files, despite its formal deprecation as a digital signature algorithm by RFC6151 (2011) and recommendations of academic literature years prior. The files are typically downloaded via insecure HTTP transport, so the checksum verification is critical for the security of the installed system. stretch is expected to be a supported release until 2022. So I'm tentatively filing this bug as RC-severity. Further context and an overview of related bugs will be published at: https://wiki.debian.org/InstallerDebacle Thanks, Regards, -- Steven Chamberlain steven@pyro.eu.org
Attachment:
signature.asc
Description: Digital signature