
Re: Pre-approval for apt 0.7.21: "Valid-Until" feature and proxy changes



On Sun, Jan 11, 2009 at 06:33:53PM +0100, Adeodato Simó wrote:
> * Eugene V. Lyubimkin [Mon, 05 Jan 2009 23:42:46 +0200]:
> 
> > Hello release folks!
> 
> Hello, Eugene. (SecTeam please see "Change #1" below.)
> 
> > APT team has prepared two important changes in apt, please give us a
> > decision(s) whether they are appropriate for Lenny or not.
> 
> We realize that apt has seen increased manpower only as of late, but we
> feel that introducing sensitive code changes into apt this late in the
> release cycle would not be very wise.
> 
> However:
> 
> > ---------------------------------------------------------
> > Change #1 aka "Valid-Until for preventing replay attacks"
> > ---------------------------------------------------------
> 
> > Motivation of this change is bug #499897, "preventing replay attacks against the security
> > archive" [1]. Summary of change:
> 
> > 1. Add the support for the Valid-Until header in the Release file.
> > 2. Add Acquire::Max-Default-Age configuration option that defaults to 7 days for
> > Debian-Security.
> 
> > The result of change: APT will refuse to use a too outdated Release file at the earliest
> > 'update' action after Release expiry. The possible attacker will not be allowed to ship the
> > same outdated Release (so outdated Packages too) after the date in 'Valid-Until' entry in
> > Release file, preventing the attack. In case of absence of this field in Release file,
> > option "Acquire::Max-Default-Age::Debian-security" will be used. The default number of
> > days for this option, "7", is discussible, of course.
> 
> We'd like to hear from the Security Team what they think of this feature
> as a candidate for Lenny. If they believe it's extremely important that
> we have it in place for Lenny, and they (or somebody delegated by them)
> could do a review of the code and test it, we'd be okay with including it.
> 
> The final debian-installer upload is going to be soon, though, so we'd
> have to seek input from the Debian Installer team as well.
> 
> And there is also the option of including it in the first point release,
> after a month or two of testing in unstable.

Since the replay attack isn't exactly grave, it could just as well be added
into 5.0.1 or 5.0.2 once it has gotten some testing.

Cheers,
        Moritz
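
Added example, not part of the original message and not apt's own code: a sketch of the freshness check that "Change #1" describes, refusing a Release file after its Valid-Until date and falling back to a maximum age of 7 days when the field is absent. The function names, the sample Release text and the fallback rule (Date plus the maximum age) are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed sample Release header, not copied from a real archive.
SAMPLE_RELEASE = """\
Origin: Debian
Label: Debian-Security
Date: Sat, 10 Jan 2009 12:00:00 UTC
Valid-Until: Sat, 17 Jan 2009 12:00:00 UTC
MD5Sum:
 0123456789abcdef0123456789abcdef 1234 main/binary-i386/Packages
"""

def parse_fields(text):
    """Return the top-level 'Key: value' fields of a Release file."""
    fields = {}
    for line in text.splitlines():
        if line[:1] in (" ", "\t") or ":" not in line:
            continue  # indented continuation lines (checksum lists)
        key, value = line.split(":", 1)
        fields[key.strip()] = value.strip()
    return fields

def _parse_date(value):
    """Parse an RFC 2822 style date; treat a missing zone as UTC."""
    dt = parsedate_to_datetime(value)
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def release_expiry(text, max_default_age_days=7):
    """Expiry from Valid-Until, else Date + max age (assumed fallback), else None."""
    fields = parse_fields(text)
    if fields.get("Valid-Until"):
        return _parse_date(fields["Valid-Until"])
    if fields.get("Date") and max_default_age_days > 0:
        return _parse_date(fields["Date"]) + timedelta(days=max_default_age_days)
    return None  # nothing to check against; caller decides the policy

def is_expired(text, now, max_default_age_days=7):
    """True if the Release file must be refused at time `now`."""
    expiry = release_expiry(text, max_default_age_days)
    return expiry is not None and now > expiry

if __name__ == "__main__":
    now = datetime(2009, 1, 18, tzinfo=timezone.utc)
    print("replayed Release refused:", is_expired(SAMPLE_RELEASE, now))
```

The check only means something when it runs on a Release file whose signature has already been verified, since an unsigned Valid-Until value could be rewritten by whoever replays the file.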

