Bug#749795: apt: no authentication checks for source packages

2014-06-18 Thread Michael Vogt
On Mon, Jun 16, 2014 at 11:18:27AM +0200, Jakub Wilk wrote: * Michael Vogt m...@debian.org, 2014-06-16, 09:35: + _error-Warning(_(The data from '%s' is not signed. All packages from + that repository can not be authenticated.), s/can not/cannot/ Also, All with a

Bug#749795: apt: no authentication checks for source packages

2014-06-16 Thread Michael Vogt
On Mon, Jun 16, 2014 at 02:58:28PM +0200, Christoph Anton Mitterer wrote: On Mon, 2014-06-16 at 09:35 +0200, Michael Vogt wrote: I think for the future we actually should not allow an apt-get update of untrusted repos without --allow-unauthenticated or [trusted=no]. But this will probably

Bug#749795: apt: no authentication checks for source packages

2014-06-16 Thread Michael Vogt
On Fri, May 30, 2014 at 03:21:20PM +0200, Michael Vogt wrote: [..] Hmm. There is no warning suggesting that anything fishy is going on, and the exit code indicates success. (Perhaps the Igns could raise suspicion of an observant sysadmin. But who knows what Ign exactly means? At least the

Bug#749795: apt: no authentication checks for source packages

2014-06-16 Thread Jakub Wilk
* Michael Vogt m...@debian.org, 2014-06-16, 09:35: + _error-Warning(_(The data from '%s' is not signed. All packages from + that repository can not be authenticated.), s/can not/cannot/ Also, All with a negated verb sounds awkward to me (but that may be due to my

Bug#749795: apt: no authentication checks for source packages

2014-06-16 Thread Christoph Anton Mitterer
On Mon, 2014-06-16 at 09:35 +0200, Michael Vogt wrote: I think for the future we actually should not allow an apt-get update of untrusted repos without --allow-unauthenticated or [trusted=no]. But this will probably break some setups so we need to be careful and not rush it. And what about

Bug#749795: apt: no authentication checks for source packages

2014-06-12 Thread Thijs Kinkhorst
Hi, apt: no authentication checks for source packages The Debian security team has assigned CVE-2014-0478 to this issue. APT developers: we should fix this in wheezy. Are you able to provide an update for wheezy for this issue? As for squeeze, if it's not too much extra work it would be great

Bug#749795: apt: no authentication checks for source packages

2014-06-12 Thread Michael Vogt
On Thu, Jun 12, 2014 at 11:44:20AM +0200, Thijs Kinkhorst wrote: Hi, apt: no authentication checks for source packages The Debian security team has assigned CVE-2014-0478 to this issue. APT developers: we should fix this in wheezy. Are you able to provide an update for wheezy for this

Bug#749795: apt: no authentication checks for source packages

2014-06-12 Thread Michael Vogt
On Thu, Jun 12, 2014 at 11:44:20AM +0200, Thijs Kinkhorst wrote: apt: no authentication checks for source packages The Debian security team has assigned CVE-2014-0478 to this issue. APT developers: we should fix this in wheezy. Are you able to provide an update for wheezy for this issue?

Bug#749795: apt: no authentication checks for source packages

2014-06-12 Thread Thijs Kinkhorst
Hi Michael, On Thu, June 12, 2014 13:52, Michael Vogt wrote: On Thu, Jun 12, 2014 at 11:44:20AM +0200, Thijs Kinkhorst wrote: apt: no authentication checks for source packages The Debian security team has assigned CVE-2014-0478 to this issue. APT developers: we should fix this in wheezy.

Bug#749795: apt: no authentication checks for source packages

2014-06-12 Thread Michael Vogt
On Thu, Jun 12, 2014 at 11:44:20AM +0200, Thijs Kinkhorst wrote: [..] apt: no authentication checks for source packages The Debian security team has assigned CVE-2014-0478 to this issue. [..] As for squeeze, if it's not too much extra work it would be great if an update for squeeze was also

Bug#749795: apt: no authentication checks for source packages

2014-06-02 Thread Michael Vogt
On Sat, May 31, 2014 at 12:07:48AM +0200, David Kalnischkies wrote: On Fri, May 30, 2014 at 03:21:20PM +0200, Michael Vogt wrote: From b7f501b5cc8583f61467f0c7a0282acbb88e4b29 Mon Sep 17 00:00:00 2001 From: Michael Vogt m...@debian.org Date: Fri, 30 May 2014 14:47:56 +0200 Subject:

Bug#749795: apt: no authentication checks for source packages

2014-05-30 Thread Michael Vogt
On Thu, May 29, 2014 at 11:04:35PM +0200, Jakub Wilk wrote: Package: apt Version: 1.0.3 Severity: grave Tags: security Thanks for your bug report. You raise an important issue, but I agree with David that it's best if this goes through the security team for coordination. I've been

Bug#749795: apt: no authentication checks for source packages

2014-05-30 Thread David Kalnischkies
On Fri, May 30, 2014 at 03:21:20PM +0200, Michael Vogt wrote: From b7f501b5cc8583f61467f0c7a0282acbb88e4b29 Mon Sep 17 00:00:00 2001 From: Michael Vogt m...@debian.org Date: Fri, 30 May 2014 14:47:56 +0200 Subject: [PATCH] Show unauthenticated warning for source packages as well This will

Bug#749795: apt: no authentication checks for source packages

2014-05-29 Thread Jakub Wilk
Package: apt Version: 1.0.3 Severity: grave Tags: security I've been investigating how apt behaves when the repository doesn't contain any Release signatures (possibly because they were stripped off by a man-in-the-middle attacker). This is what I found out: | # cat /etc/apt/sources.list |

Bug#749795: apt: no authentication checks for source packages

2014-05-29 Thread David Kalnischkies
On Thu, May 29, 2014 at 11:04:35PM +0200, Jakub Wilk wrote: Package: apt Version: 1.0.3 Severity: grave Tags: security (personally, this feels a bit high. Mostly as deb-src isn't even part of many default configurations in which apt is found. And in those where you find it, you probably