Your message dated Fri, 14 Aug 2015 14:55:07 +0200 with message-id <20150814125507.GA17791@crossbow> and subject line Re: Bug#763399: Hardening dpkg/apt has caused the Debian Bug report #763399, regarding Hardening dpkg/apt to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.) -- 763399: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=763399 Debian Bug Tracking System Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: submit@bugs.debian.org
- Subject: Hardening dpkg/apt
- From: bancfc@openmailbox.org
- Date: Mon, 29 Sep 2014 21:24:35 +0000
- Message-id: <75468a8114e97b35384973c4e93db13e@openmailbox.org>
Package: apt Version: allSometimes apt/dpkg can contain vulnerable, remotely exploitable bugs which s a big risk when used over the untrusted internet. As it happens, anyone could have been in a position to run man-in-the-middle attacks with the latest security hole [CVE-2014-6273] in apt-get. What makes this bug cripling is that updating apt to fix it would have exposed it to what the fix was supposed to rpevent, so manually downloading the package out of band was the safest option this time.In order to drastically limit an attackers options I recommend creating a seccomp-bpf filter for apt and dpkg to limit what they can do should a weak function be remotely exploited. Other options include enabling any and all compile-time binary hardening such as PIE, RELRO, CANARY etc.Seccomp Resources:https://www.kernel.org/doc/Documentation/prctl/seccomp_filter.txt (Kernel documentation for the feature)http://outflux.net/teach-seccomp/ ( A guide on writing a simple filter and using error checking. Note that seccomp supports whitelists which can make it easier, you simply allow only the bear minimum of safe syscalls needed to make curl function).
--- End Message ---
--- Begin Message ---
- To: 763399-done@bugs.debian.org
- Subject: Re: Bug#763399: Hardening dpkg/apt
- From: David Kalnischkies <david@kalnischkies.de>
- Date: Fri, 14 Aug 2015 14:55:07 +0200
- Message-id: <20150814125507.GA17791@crossbow>
- In-reply-to: <20141001124456.GB8178@bod>
- References: <75468a8114e97b35384973c4e93db13e@openmailbox.org> <20141001124456.GB8178@bod>
Version: 1.1~exp1 Hi, On Wed, Oct 01, 2014 at 02:44:56PM +0200, Michael Vogt wrote: > All hardening except for PIE and ld -z are currently enabled, these > two will be enabled with the next upload (probably in experimental > first). Done. > We do want to go further and protect the downloaders but there is some > more work involved here, we need to move the proxy auto-detection out > of the acquire method first but once that is done, we can further lock > down the downloader code. Kinda done (as this is open ended). Most methods switch now to our new unprivileged user _apt before talking to the network, which helps in preventing breaking out of them and getting root rights. It also prevents them from reading/writing arbitrary files… > Help with this effort is of course very welcome :) ! … but there is always more we can and should do. Just that an open ended bugreport isn't going to help in this. I am therefore closing this bugreport and encourage instead to discuss specific ideas and issues on the list and/or in new bugreports – preferable with a patch :) Best regards David KalnischkiesAttachment: signature.asc
Description: Digital signature
--- End Message ---