Re: apt-get may accept inconsistent data

To: Stefan Tichy <dlist@pi4tel.de>
Cc: debian-security@lists.debian.org
Subject: Re: apt-get may accept inconsistent data
From: Goswin von Brederlow <goswin-v-b@web.de>
Date: Mon, 05 May 2008 01:03:33 +0200
Message-id: <[🔎] 87abj5k6yi.fsf@frosties.localdomain>
In-reply-to: <[🔎] 20080504175821.GC12273@phi.pq.pi4tel.de> (Stefan Tichy's message of "Sun, 4 May 2008 19:58:21 +0200")
References: <[🔎] 20080503160045.GA10480@phi.pq.pi4tel.de> <[🔎] 87k5ib2ldv.fsf@frosties.localdomain> <[🔎] 20080504124759.GB12273@phi.pq.pi4tel.de> <[🔎] 87ej8ihv38.fsf@frosties.localdomain> <[🔎] 20080504175821.GC12273@phi.pq.pi4tel.de>

Stefan Tichy <dlist@pi4tel.de> writes:

> On Sun, May 04, 2008 at 06:50:35PM +0200, Goswin von Brederlow wrote:
>> Does the file actually differ?
>
> security.debian.org_dists_etch_updates_main_binary-i386_Packages
>
> Yes, it has been modified.

I ment what Release file. Because the etch security one does have the
md5sums of Packages in it.

>> Could you strace apt-get and see what the http method sends and
>> recieves from squid and apt-get?
>
> tcpdump and wireshark did help.
>
>
> apt-get sends a http GET request for Packages.bz2. Part of this
> request is this information:
>
>   Cache-Control: max-age=0  If-Modified-Since: Sun, 27 Apr 2008 09:15:01 GMT
>
>
> Squid response:
>
>   HTTP/1.0 304 Not Modified  Date: Sun, 04 May 2008 16:34:28
> 	GMT  Server Apache/2.2.3 ( Debian ) .... Cache: HIT from
> 	servername  ... Proxy-Connection: close
>
> The proxy has the current version (2008-05-02) in the cache.
>
>
> Squid 3.0.PRE5-5 seems to be reponsible for this problem, but
> IMHO apt-get should be able to recognize it.

So squid is to blame for apt not getting the new one.

But you are right. There is something wrong here that is not squids
fault:

Apt-get should not even send an "If-Modified" query imho. After
fetching the Release file is already knows with near certainty if the
local file is current or not. It should check the Checksums of the
local file and then either keep it or fetch it. Asking
If-Modified-Since can only lead to triggering a bug like the squid
one.

MfG
        Goswin

Reply to:

Follow-Ups:
- Re: apt-get may accept inconsistent data
  - From: Bernd Eckenfels <ecki@lina.inka.de>
- Re: apt-get may accept inconsistent data
  - From: Stefan Tichy <dlist@pi4tel.de>
- Re: apt-get may accept inconsistent data
  - From: "Cameron Dale" <camrdale@gmail.com>

References:
- apt-get may accept inconsistent data
  - From: Stefan Tichy <dlist@pi4tel.de>
- Re: apt-get may accept inconsistent data
  - From: Goswin von Brederlow <goswin-v-b@web.de>
- Re: apt-get may accept inconsistent data
  - From: Stefan Tichy <dlist@pi4tel.de>
- Re: apt-get may accept inconsistent data
  - From: Goswin von Brederlow <goswin-v-b@web.de>
- Re: apt-get may accept inconsistent data
  - From: Stefan Tichy <dlist@pi4tel.de>

Prev by Date: Re: apt-get may accept inconsistent data
Next by Date: Re: [SECURITY] [DSA 1565-1] New Linux 2.6.18 packages fix several vulnerabilities
Previous by thread: Re: apt-get may accept inconsistent data
Next by thread: Re: apt-get may accept inconsistent data
Index(es):
- Date
- Thread