Re: holes in secure apt

To: Christoph Anton Mitterer <calestyo@scientia.net>
Cc: 749795@bugs.debian.org, debian-devel@lists.debian.org, team@security.debian.org
Subject: Re: holes in secure apt
From: Joey Hess <joeyh@debian.org>
Date: Thu, 12 Jun 2014 00:07:38 -0400
Message-id: <[🔎] 20140612040738.GA20494@kitenet.net>
Mail-followup-to: Christoph Anton Mitterer <calestyo@scientia.net>, 749795@bugs.debian.org, debian-devel@lists.debian.org, team@security.debian.org
In-reply-to: <[🔎] 1402527988.4739.34.camel@heisenberg.scientia.net>
References: <[🔎] 1402527988.4739.34.camel@heisenberg.scientia.net>

Christoph Anton Mitterer wrote:
> reopen 749795
> I'm reopening this for now, even if the issue is solved from a technical
> point of view (see below why).

AAICS, #749795 talked about bringing this to the security team's
attention, but they never seem to have been CCed.

So the security team may not be aware that a security hole in apt was
recently fixed, that caused apt-get source to not give any indication
when the Release file was lacking a signature.

Whether it's closed in unstable or not, this bug is open still in
stable, and needs to get a CVE assigned, and a DSA issued.

-- 
see shy jo

Reply to:

Follow-Ups:
- Re: holes in secure apt
  - From: Christoph Anton Mitterer <calestyo@scientia.net>

References:
- holes in secure apt
  - From: Christoph Anton Mitterer <calestyo@scientia.net>

Prev by Date: Re: use of RDRAND in $random_library
Next by Date: Re: use of RDRAND in $random_library
Previous by thread: holes in secure apt
Next by thread: Re: holes in secure apt
Index(es):
- Date
- Thread