Your message dated Fri, 16 Jan 2009 17:03:39 +0200 with message-id <4970A1CB.8040705@gmail.com> and subject line closing #499897 has caused the Debian Bug report #499897, regarding preventing replay attacks against the security archive to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.)

--
499897: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=499897
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: submit@bugs.debian.org
- Subject: preventing replay attacks against the security archive
- From: Peter Palfrader <weasel@debian.org>
- Date: Tue, 23 Sep 2008 15:15:08 +0200
- Message-id: <20080923131508.GB15136@anguilla.noreply.org>
Package: ftp.debian.org, apt

Hi,

In RT#744[1] an attack was brought up wherein an adversary causes the victim to use an outdated copy of the security mirror, thereby preventing the victim from getting security updates.

The attack is not new, but Debian still has very little to offer for preventing this kind of attack, or at least making it harder.

One proposed solution is to optionally add a "Valid-Until" field to Release files on at least the security archive, tho it might make sense for unstable etc also.

Apt should then be changed to reject Release files that have expired, and probably also Release files from the future.

Cheers,
weasel

1. https://rt.debian.org/Ticket/Display.html?id=744

--
                           |  .''`.  ** Debian GNU/Linux **
      Peter Palfrader      | : :' :      The  universal
 http://www.palfrader.org/ | `. `'      Operating System
                           |   `-    http://www.debian.org/
--- End Message ---
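
The freshness check proposed in the report above, as an added Python example (not apt's code and not part of the original messages). The function names, the clock-skew allowance and the require_valid_until switch are assumptions, the sample Release header is constructed, and the check is meant to run only on a Release file whose signature has already been verified.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed sample Release header; values are illustrative, not from a real archive.
SAMPLE_RELEASE = """\
Origin: Example
Suite: stable
Date: Fri, 16 Jan 2009 12:00:00 UTC
Valid-Until: Fri, 23 Jan 2009 12:00:00 UTC
MD5Sum:
 0123456789abcdef0123456789abcdef 1234 main/binary-i386/Packages
"""

def parse_fields(text):
    """Collect top-level 'Key: value' lines; indented continuation lines are skipped."""
    fields = {}
    for line in text.splitlines():
        if line and not line[0].isspace() and ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return fields

def parse_time(value):
    """Parse an RFC 2822 style date; treat a missing zone as UTC."""
    dt = parsedate_to_datetime(value)
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def check_release(text, now, skew=timedelta(minutes=5), require_valid_until=False):
    """Return (accepted, reason). Run only on text whose signature already verified."""
    fields = parse_fields(text)
    try:
        issued = parse_time(fields["Date"])
        expires = parse_time(fields["Valid-Until"]) if "Valid-Until" in fields else None
    except (KeyError, TypeError, ValueError):
        # Fail closed: an unreadable timestamp is treated as a rejection.
        return False, "missing or unparseable Date/Valid-Until"
    if issued > now + skew:
        return False, "Date is in the future"
    if expires is None:
        if require_valid_until:  # hypothetical policy for archives known to set the field
            return False, "Valid-Until required but absent"
        return True, "no Valid-Until; freshness not enforced"
    if expires <= issued:
        return False, "Valid-Until not after Date"
    if now > expires:
        return False, "Release file expired"
    return True, "fresh"
```

The result depends on the client's clock, so a host whose time can be set back by an adversary gets no protection from this check.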
--- Begin Message ---
- To: 499897-done@bugs.debian.org
- Subject: closing #499897
- From: "Eugene V. Lyubimkin" <jackyf.devel@gmail.com>
- Date: Fri, 16 Jan 2009 17:03:39 +0200
- Message-id: <4970A1CB.8040705@gmail.com>
Version: 0.7.21~exp1

Fix of this bug is present in apt 0.7.21~exp1.

--
Eugene V. Lyubimkin aka JackYF, JID: jackyf.devel(maildog)gmail.com
Ukrainian C++ Developer, Debian Maintainer, APT contributor

Attachment: signature.asc
Description: OpenPGP digital signature
--- End Message ---