
Re: Bug#499897: preventing replay attacks against the security archive



On Sun, Nov 23, 2008 at 11:24:14PM +0200, Eugene V. Lyubimkin wrote:
> Joerg Jaspert wrote:
> >>>> - have it expire in a period long enough so a new point release will
> >>>> have happened in the meantime, say half a year.
> >>> Probably still not acceptable for CD-Roms.
> >> I don't think that should be a problem - I don't believe CD-Roms are the
> >> target of this feature. APT already handles CD-Roms differently so it
> >> could exclude them from this check.
> > 
> > Hello apt team, anyone working on supporting this? :)
> > (It's used in both, the normal and the security archive).
> > 
> No one at present, IIRC.
>
> Should this be incorporated into apt in Lenny? It's not hard to
> apply the patch from Thomas, but it doesn't address the feature that apt
> should not accept Release files without a 'Valid-Until' entry after
> seeing it once earlier.
[..]

I merged the patch (with some small modifications) into the
debian-experimental bzr branch to work on the issue. I added the
following configuration item:

Have a "max-age" client side option in addition to the "valid-until"
field on the server side. 

That makes it possible to have a (client side) apt configuration like:
apt::acquire::max-default-age::Debian-security "7";
(using the Label in the Release file for identification). This client
side configuration will only be used if no valid-until field is found
on the server.

It means that when the security archive that is presented does not
have it anymore there will still be a good default. So just presenting
a really old archive will not work (it protects against attacks when
there was never a valid security.debian.org, only a really old one).



Thanks,
 Michael
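
The freshness check discussed in this message, as an added example that is not part of the original mail and is not apt's code: the server's Valid-Until wins when present, otherwise a client-side maximum age keyed by the Release Label is applied to the Date field. The function names, the `MAX_DEFAULT_AGE_DAYS` table and the sample Release headers are constructed for illustration.

```python
from datetime import timedelta
from email.utils import parsedate_to_datetime

# Hypothetical stand-in for the client-side option: max age in days per Label.
MAX_DEFAULT_AGE_DAYS = {"Debian-security": 7}


def parse_release(text):
    """Return the top-level 'Field: value' headers of a Release file as a dict."""
    fields = {}
    for line in text.splitlines():
        if line[:1].isspace() or ":" not in line:
            continue  # checksum continuation lines are not needed here
        key, _, value = line.partition(":")
        fields[key.strip().lower()] = value.strip()
    return fields


def release_expiry(fields, max_age_days=MAX_DEFAULT_AGE_DAYS):
    """Expiry instant: server Valid-Until if present, else Date + client max age."""
    if "valid-until" in fields:
        return parsedate_to_datetime(fields["valid-until"])
    days = max_age_days.get(fields.get("label", ""))
    if days is None or "date" not in fields:
        return None  # no server field and no client default: nothing to enforce
    return parsedate_to_datetime(fields["date"]) + timedelta(days=days)


def is_replayed(text, now, max_age_days=MAX_DEFAULT_AGE_DAYS):
    """True when the Release file is past its expiry and should be rejected."""
    expiry = release_expiry(parse_release(text), max_age_days)
    return expiry is not None and now > expiry


# Constructed sample Release headers (not taken from a real archive).
WITH_FIELD = """Origin: Debian
Label: Debian-security
Date: Sun, 23 Nov 2008 21:24:14 UTC
Valid-Until: Sun, 30 Nov 2008 21:24:14 UTC
"""
# An old Release file from before the server sent Valid-Until.
OLD_NO_FIELD = """Origin: Debian
Label: Debian-security
Date: Sun, 23 Nov 2008 21:24:14 UTC
"""
```

The comparison is only meaningful after the signature on the Release file has been verified, since Date, Label and Valid-Until are all read from the signed file.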


