Hey Holger, On Wed, 2014-06-18 at 12:46 +0200, Holger Levsen wrote: > > It also doesn't seem to protect against downgrading attacks... (see my > > previous post about that). > one or two bug reports might be oh so more useful than posting on -devel. I will submit tickets for the ones I know (as soon as I find some time)... but that's just the reason why we have such security issues as I was talking about: There is no concentrated approach to fix these things. You say... "if you find such an issue,... report a bug" ... at best this means something between "the maintainer agrees and just fixes it" and "a lengthy discussion where the maintainer say oh not this is absolutely security overkill why should I do it" And even if it's fixed in the end, it's only fixed for that package, and I don't know all >40k packages of Debian by hard and cannot report a ticket for all packages where it could be an issue. And even if, two weeks later we'll have another package which does the same. That's why I've said already before, that it's more or less useless if we approach one or all of the issues that were now mentioned in this thread by just some concrete coding work > and then for each update you need to update the launcher package - thats an > aweful lot of work for little / no gain You have a disturbing view on security apparently... o.O If it's "little /no gain", that an attacker e.g. in your university network or WiFi can't fool you into installing old e.g. flash-plugin, which can be easily used for at least a normal user exploit (which then usually means root exploit as well).... then I don't know... > (and how do you handle downgrade > attacks here?) As mentioned previously: When the maintainer of such packages keeps his head up and looks for new versions/updates, he'll make a new package with the new hardcoded hash... this prevents a downgrade attack, since an attacker cannot present you anymore an old version which would still verify. Cheers, Chris.
Attachment:
smime.p7s
Description: S/MIME cryptographic signature