Your message dated Thu, 29 Aug 2019 15:52:39 +0000
with message-id <[email protected]>
and subject line Bug#933185: fixed in fai 5.8.5
has caused the Debian Bug report #933185,
regarding fai-server: /etc/fai/apt/sources.list should not contain trusted=yes to skip GPG verification
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
933185: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=933185
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: fai-server
Version: 5.8.4
Severity: grave
Tags: security, buster
Dear Maintainer,
fai-server installs /etc/fai/apt/sources.list with the following entry
by default:
deb [trusted=yes] http://fai-project.org/download buster koeln
This is problematic, as the [trusted=yes] part will tell APT to
completely skip cryptographic verification of the repository when
creating the nfsroot. This is extremely bad because the repository is
accessed via unencrypted HTTP, which makes a man-in-the-middle attack
absolutely trivial. True, this only occurs if the NFSROOT is created
and/or updated, but at least updating with make-fai-nfsroot -k should
be a semi-regular thing on well-managed systems.
You should make sure that your APT signing key is added to the
NFSROOT so that APT may check it:
- Export your GPG signing key in binary (NOT -a!) format:
gpg --export 2BF8D9FE074BCDE4 > fai-project.gpg
- Create a directory /etc/fai/apt/trusted.gpg.d
- Copy the file to the appropriate directory
cp fai-project.gpg /etc/fai/apt/trusted.gpg.d/
- Remove the [trusted=yes] part of that line
I've tested this with a pristine FAI install on Debian 10 and during
fai-make-nfsroot the repository is correctly added to the NFSROOT and
the integrity of the signatures is properly checked.
For Debian 9 I don't think this is a critical issue (as the default
configuration does not include the repository, the line is commented
out entirely), but even suggestions in configuration files should
follow established security practices, so I would recommend also
removing the [trusted=yes] comment from the package in Debian 9 (and
also including the key there, or maybe just a comment on how to add
the key), so that inexperienced administrators may avoid the trap that
enabling this repository leads to a security issue.
Best regards,
Christian
-- System Information:
Debian Release: 10.0
APT prefers stable-debug
APT policy: (500, 'stable-debug'), (500, 'stable'), (100, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.19.0-5-amd64 (SMP w/16 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages fai-server depends on:
ii debootstrap 1.0.114
ii e2fsprogs 1.44.5-1
ii fai-client 5.8.4
ii xz-utils 5.2.4-1
Versions of packages fai-server recommends:
pn isc-dhcp-server <none>
pn libproc-daemon-perl <none>
pn nfs-kernel-server <none>
ii openbsd-inetd [inet-superserver] 0.20160825-4
ii openssh-client 1:7.9p1-10
ii openssh-server 1:7.9p1-10
pn tftpd-hpa | atftpd <none>
Versions of packages fai-server suggests:
ii binutils 2.31.1-16
pn debmirror <none>
pn fai-setup-storage <none>
pn grub2 <none>
pn perl-tk <none>
ii qemu-utils 1:3.1+dfsg-8~deb10u1
pn reprepro <none>
ii squashfs-tools 1:4.3-12
ii xorriso 1.5.0-1
-- no debconf information
--- End Message ---
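The report's fix (export the key in binary form, drop it into /etc/fai/apt/trusted.gpg.d/, delete [trusted=yes]) works, but a key in trusted.gpg.d is trusted for every configured source, not only for fai-project.org. The following script is an added example, not code from the bug report or from the fai package: it audits a sources.list for active lines that carry [trusted=yes] or fetch over plain http://, prints a hardened copy that pins each trusted=yes repository to a single keyring with [signed-by=...], and checks that the keyring is binary rather than ASCII-armored, the mistake the reporter warns about with "NOT -a!". The KEYRING path is a hypothetical one (it must also exist at that path inside the nfsroot, since that is where apt runs), and the sample sources.list is constructed: only the fai-project.org line comes from the report.

```shell
#!/bin/sh
# Added example, not code from the bug report or from the fai package.
# Audit an APT sources.list for repository lines that disable signature
# verification with [trusted=yes], and print a hardened copy that pins each
# such repository to one keyring with [signed-by=...]. A key dropped into
# /etc/apt/trusted.gpg.d/ is trusted for every configured source; signed-by
# limits it to the one repository it is meant to sign.
#
# Assumptions (hypothetical, adjust to your own layout):
#   KEYRING  path of the exported *binary* OpenPGP key; it must also exist at
#            that path inside the nfsroot, because that is where apt runs.

KEYRING="${KEYRING:-/etc/fai/apt/keyrings/fai-project.gpg}"

# Number of active deb/deb-src lines whose [options] contain trusted=yes.
# Commented-out lines are not counted: they are not live configuration.
count_trusted() {
    grep -cE '^[[:space:]]*deb(-src)?[[:space:]]+\[[^]]*trusted=yes' "$1" || true
}

# Number of active lines fetched over plain http://. With signatures checked
# that only leaks which packages you fetch; combined with trusted=yes it lets
# anyone on the path substitute packages.
count_plain_http() {
    grep -cE '^[[:space:]]*deb(-src)?[[:space:]]+(\[[^]]*\][[:space:]]+)?http://' "$1" || true
}

# Print the file with every trusted=yes option replaced by signed-by=$KEYRING.
harden() {
    sed -E "/^[[:space:]]*deb(-src)?[[:space:]]+\[[^]]*trusted=yes/ s|trusted=yes|signed-by=$KEYRING|" "$1"
}

# Succeed only if the keyring is in binary form. "gpg --export -a" produces
# ASCII armor starting with "-----BEGIN"; every binary OpenPGP packet starts
# with a tag byte whose high bit is set, so the first byte is 0x80 or above.
keyring_is_binary() {
    [ -s "$1" ] || return 1
    first=$(od -An -N1 -tx1 "$1" | tr -d ' \n')
    case "$first" in
        8?|9?|a?|b?|c?|d?|e?|f?) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample: the reporter's fai-project.org line plus two ordinary
# Debian lines. Not the file shipped by the package.
write_sample() {
    cat > "$1" <<'EOF'
deb http://deb.debian.org/debian buster main
deb http://security.debian.org/debian-security buster/updates main
# repository for the most recent FAI packages
deb [trusted=yes] http://fai-project.org/download buster koeln
EOF
}

# Usage: sh audit-sources.sh /etc/fai/apt/sources.list   (audit a real file)
#        sh audit-sources.sh --demo                       (run on the sample)
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp) && write_sample "$tmp"
    echo "trusted=yes lines: $(count_trusted "$tmp")"
    echo "plain-http lines:  $(count_plain_http "$tmp")"
    harden "$tmp"
    rm -f "$tmp"
elif [ $# -gt 0 ]; then
    echo "trusted=yes lines: $(count_trusted "$1")"
    echo "plain-http lines:  $(count_plain_http "$1")"
    harden "$1"
fi
```

On the sample the hardened output keeps the two Debian lines untouched and turns the FAI line into "deb [signed-by=/etc/fai/apt/keyrings/fai-project.gpg] http://fai-project.org/download buster koeln". The script only rewrites; it does not fetch anything, so after copying the result into place the real check is still a run of fai-make-nfsroot (or apt-get update inside the nfsroot) and confirming that apt reports the fai-project.org Release file as signed rather than silently trusted.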
--- Begin Message ---
Source: fai
Source-Version: 5.8.5
We believe that the bug you reported is fixed in the latest version of
fai, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thomas Lange <[email protected]> (supplier of updated fai package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Thu, 29 Aug 2019 17:08:49 +0200
Source: fai
Architecture: source
Version: 5.8.5
Distribution: unstable
Urgency: high
Maintainer: Thomas Lange <[email protected]>
Changed-By: Thomas Lange <[email protected]>
Closes: 926693 928981 929679 931451 933185
Changes:
fai (5.8.5) unstable; urgency=high
.
[ Thomas Lange ]
* fai-make-nfsroot, add conf/fai-project.gpg:
add key for fai-project.org repository, Closes: #933185
* fai-make-nfsroot: use long key ID
* subroutines: remove wait_for_jobs() and jobrunning(), prevent
undefined variable
umount /run/dev in target, Closes: #928981
* fai-mirror: allow packages without .deb suffix
* fai-chboot: better info messages
* fai-kvm: allow kvm options after --, Closes: #929679
* fai-cd: make first partition bootable, Closes: #926693
* Makefile: use sed instead of perl
* add fai-server.maintscript
* compat: use debhelper compat level 11
* rules: use dh instead of dh_ tools
* setup-storage: use internal variable name when in debug mode
* Commands.pm: always set boot flag for /boot/efi, Closes: #931451
* fai-cd.8: add option -V
* fai-guide.txt: fix a lot of small typos
* task_sysinfo: remove init.d call which does not exist any more
* fai-mk-network: detect default network device
* fai-guide.txt: update kernel version and some newer output examples
* grub.cfg.autodiscover: drop unused option
* check-cross-arch: add test if qemu static is needed in target
.
[ Donovan Keohane ]
* Commands.pm: fixes creating btrfs subvolumes
https://github.com/faiproject/fai/pull/81
.
[ mroelandts ]
* fai-cd: add option -V
Checksums-Sha1:
d7e939efd941cf97e48f816e9250304e6f73103f 1914 fai_5.8.5.dsc
99b63539cea0e817bc9c6f500df59ea743aa86dd 315156 fai_5.8.5.tar.xz
53632317c81d673fcf6aeee3dcf862ec3dba9435 12951 fai_5.8.5_amd64.buildinfo
Checksums-Sha256:
ee06a547c0ba8882ca1ff699beb92cc397b4cdea3695a61382f5b668989b5887 1914 fai_5.8.5.dsc
72e39d2d66f256212ae8a01c2cbaf2545205fd95f879495f65e5cd76ffed5c88 315156 fai_5.8.5.tar.xz
871b9e12e8d79e632b45a6dff06d3789fb4eb92e2a6da1ab710157d3a51f45a4 12951 fai_5.8.5_amd64.buildinfo
Files:
d1cd8407fa0a0bae8638f0bc13201b24 1914 admin optional fai_5.8.5.dsc
e1c04f70f2193f5bb7181a03c02b68bf 315156 admin optional fai_5.8.5.tar.xz
1dcf3c4ddd948558a6b0939f0c958885 12951 admin optional fai_5.8.5_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
iQJFBAEBCAAvFiEEsR7jJz9rLetSjJPaK/jZ/gdLzeQFAl1n7FoRHGxhbmdlQGRl
Ymlhbi5vcmcACgkQK/jZ/gdLzeQLkRAAnBcFIxaqlvqidMT4W6OQn3h66EpigXZf
15rrzTzqVVV1nBvLiB9eQ+GuVgrn+J+zLF8JM2LVGaou4y8L/ocwXkpv/VsF9zIG
VWKFUQfdDJGYF4X9BE9/xGM/oL63eacZohgZ7rpwQmR+e5uTUumMiIwCasXpHx+V
kY9t59Emvale3FXoWt1zRPVbTVzBCkvZKbVCUowP9es4gx21uuJhlBRZWXi80CgK
7zZoyuD/2v6rPNZkU21+tc2hp6Am4aIXmoh51RuF2SXGLbKen1JTRgmL4MpKsyaz
EIhURH+eX9yeGgPtnrZVP3/X0qFeK7h5HkG9gSC7OtA2xxHKzUkxWynU+wzEDcPa
0Pmw3D2PuXcIO+QmEybfUsc3Vox1dR+beIYvGv9N/2jSlsIYlLIN6OhC4ppDSDLR
jdxxW0Zm0Dr89c2L3LawcExnihcpb+3DSfvaheXMW9IbSJylo6ZY8O4g026PQQPs
RryE/FdMT8p2E/XTVbTeiUQF1GeS+znLgCyVnIP3Ss4Ga0fSW7aU3WX+hRpWPtgE
mY1gJ/036eI3cattiwYRbQJQxdMRz2N5WTzukXzN/NyepgTH5Z5MC0oudMOB3WZB
7c/C+MjAQeYllyklLHO4TP9IPQ5Q0zUj+tB7MRHDl2qXv6FXSAkOio74H9okUAxL
Ptt7MyBGI48=
=jXfB
-----END PGP SIGNATURE-----
--- End Message ---