
Bug#499897: marked as done (preventing replay attacks against the security archive)



Your message dated Fri, 16 Jan 2009 17:03:39 +0200
with message-id <4970A1CB.8040705@gmail.com>
and subject line closing #499897
has caused the Debian Bug report #499897,
regarding preventing replay attacks against the security archive
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
499897: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=499897
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: ftp.debian.org, apt

Hi,

In RT#744[1] an attack was brought up wherein an adversary causes the
victim to use an outdated copy of the security mirror, thereby
preventing the victim from getting security updates.

The attack is not new, but Debian still has very little to offer for
preventing this kind of attack, or at least making it harder.

One proposed solution is to optionally add a "Valid-Until" field to
Release files on at least the security archive, though it might make sense
for unstable etc. also.

Apt should then be changed to reject Release files that have expired,
and probably also Release files from the future.

Cheers,
weasel

1. https://rt.debian.org/Ticket/Display.html?id=744
-- 
                           |  .''`.  ** Debian GNU/Linux **
      Peter Palfrader      | : :' :      The  universal
 http://www.palfrader.org/ | `. `'      Operating System
                           |   `-    http://www.debian.org/



--- End Message ---
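The check proposed above (reject a Release file whose "Valid-Until" has passed, and also one whose "Date" lies in the future), written out as an added example. This is illustration code, not apt's implementation and not part of the bug report. It assumes the RFC 2822 style "Date:" and "Valid-Until:" headers that Release files carry, and the acceptance policy (reject expired, reject future-dated beyond a small clock-skew allowance, optionally require Valid-Until) is this example's own choice. The sample Release text and its checksum line are constructed placeholders.

```python
"""Freshness check for a Debian Release file (added illustration, not apt's code).

Assumptions not taken from the bug report: headers are RFC 2822 style
timestamps as in real Release files; the policy (reject expired, reject
future-dated beyond max_future_skew_seconds, optionally require
Valid-Until) is this example's own.
"""
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed sample shaped like a Release file; the checksum is a placeholder.
SAMPLE_RELEASE = """\
Origin: Debian
Label: Debian-Security
Suite: stable
Codename: lenny
Date: Fri, 16 Jan 2009 14:00:00 UTC
Valid-Until: Fri, 23 Jan 2009 14:00:00 UTC
Architectures: amd64 i386
Components: updates/main
Description: Debian Security Updates (constructed sample)
SHA256:
 0000000000000000000000000000000000000000000000000000000000000000 1234 updates/main/binary-amd64/Packages
"""


def utc(year, month, day, hour=0, minute=0):
    """Helper for building aware UTC timestamps (used by callers/tests)."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def parse_release(text):
    """Return the single-line 'Key: value' headers of a Release file.

    Continuation lines of the checksum blocks start with whitespace and
    are skipped; only the header fields matter for the freshness check.
    """
    fields = {}
    for line in text.splitlines():
        if not line or line[0].isspace() or ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def _parse_timestamp(value):
    """Parse an RFC 2822 timestamp; a naive result is treated as UTC."""
    ts = parsedate_to_datetime(value)
    if ts.tzinfo is None:
        ts = ts.replace(tzinfo=timezone.utc)
    return ts


def check_freshness(fields, now, max_future_skew_seconds=3600,
                    require_valid_until=True):
    """Classify a Release file relative to 'now' (an aware datetime).

    Returns one of:
      'malformed' - Date missing/unparseable, or Valid-Until not after Date
      'future'    - Date is further ahead of now than the allowed skew
                    (wrong clock, or a forged/misdated file)
      'missing'   - no Valid-Until, and policy requires one
      'expired'   - now is past Valid-Until (a replayed stale copy)
      'ok'        - inside the validity window
    """
    if "Date" not in fields:
        return "malformed"
    try:
        date = _parse_timestamp(fields["Date"])
        valid_until = None
        if "Valid-Until" in fields:
            valid_until = _parse_timestamp(fields["Valid-Until"])
    except (TypeError, ValueError):  # older/newer Pythons raise either
        return "malformed"

    skew = timedelta(seconds=max_future_skew_seconds)
    if date > now + skew:
        return "future"
    if valid_until is None:
        return "missing" if require_valid_until else "ok"
    if valid_until <= date:
        return "malformed"
    if now > valid_until:
        return "expired"
    return "ok"


def check_release_text(text, now, **policy):
    """Convenience wrapper: parse then classify."""
    return check_freshness(parse_release(text), now, **policy)


if __name__ == "__main__":
    fields = parse_release(SAMPLE_RELEASE)
    for when in (utc(2009, 1, 17, 12), utc(2009, 2, 1), utc(2009, 1, 16, 10)):
        print(when.isoformat(), "->", check_freshness(fields, when))
```

The future-date rejection needs a skew allowance because a mirror's clock and the client's clock are never perfectly aligned; an hour is a reasonable default, and anything beyond that is either a broken clock or a file the archive could not legitimately have produced yet. Treating a Release file without Valid-Until as unacceptable is the stricter policy; the report describes the field as optional, so the example exposes that as a switch.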
--- Begin Message ---
Version: 0.7.21~exp1

Fix of this bug is present in apt 0.7.21~exp1.

-- 
Eugene V. Lyubimkin aka JackYF, JID: jackyf.devel(maildog)gmail.com
Ukrainian C++ Developer, Debian Maintainer, APT contributor

Attachment: signature.asc
Description: OpenPGP digital signature


--- End Message ---
