Package: apt-cacher-ng
Version: 0.7.18-1
Severity: important

Thanks for the good investigation. Sounds like something worth fixing ASAP.

* Gabriel de Perthuis [Sat, Oct 19 2013, 07:24:52PM]:
> Hello,
> If I enable pipelining from apt:
> 
> Acquire::http { Pipeline-Depth "200"; }
> 
> without enabling it in acng.conf,
> the client causes the cache to become corrupt after a while.
> Being client-initiated, that's a denial of service.
> 
> The corruption looks like this:
> Failed to fetch
> http://fr.archive.ubuntu.com/ubuntu/pool/main/g/glib2.0/libglib2.0-data_2.38.1-0ubuntu1_all.deb
>  Size mismatch
> (for many files in a row).
> The package contents seem to be off by one:
> one package has the data of the next corrupted package, until the last
> one which has the data of a successfully downloaded package.
> 
> The backends_ubuntu.default file contains a single mirror:
> http://ftp.free.org/mirrors/archive.ubuntu.com/ubuntu/
> 
> The basic scan at http://localhost:3142/acng-report.html (without any of
> the "not recommended" options that do extra validation) fails to detect
> the corruption.  The header files acng keeps are consistent with the
> file sizes, but both are mismatched wrt the size in the package index.
> 
> This is acng 0.7.18-1 (latest release).
> 
> By the way, a public git or similar repository would be appreciated.
> I would try to use dgit but it's only available to Debian developers.
> 
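Added example, not part of the original messages and not apt-cacher-ng code: the report says the basic scan misses the corruption because the cached files agree with acng's own header files while both disagree with the package index, so this sketch compares on-disk sizes directly against the `Size` fields of a `Packages` index and flags files whose size matches a different package. It assumes `cache_root` is a directory whose layout mirrors the index's `Filename` paths; the sample index and files are constructed.

```python
import os
import tempfile

def parse_index(text):
    """Return {Filename: Size} from a Debian Packages index (RFC 822-style stanzas)."""
    sizes = {}
    for stanza in text.strip().split("\n\n"):
        fields = {}
        for line in stanza.splitlines():
            if line[:1] in (" ", "\t") or ":" not in line:
                continue  # continuation line of a multi-line field
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        if "Filename" in fields and "Size" in fields:
            sizes[fields["Filename"]] = int(fields["Size"])
    return sizes

def check_cache(index_sizes, cache_root):
    """Compare on-disk sizes with the index; return [(filename, expected, actual, lookalike)]."""
    by_size = {}
    for name, size in index_sizes.items():
        by_size.setdefault(size, []).append(name)
    mismatches = []
    for name, expected in sorted(index_sizes.items()):
        path = os.path.join(cache_root, name)  # assumed layout: cache mirrors Filename
        if not os.path.isfile(path):
            continue  # not cached, nothing to verify
        actual = os.path.getsize(path)
        if actual != expected:
            # Another package whose indexed size matches hints at swapped bodies.
            lookalike = [n for n in by_size.get(actual, []) if n != name]
            mismatches.append((name, expected, actual, lookalike))
    return mismatches

def demo():
    # Constructed sample index and cache; names and sizes are made up.
    index = ("Package: a\nFilename: pool/a_1_all.deb\nSize: 10\n\n"
             "Package: b\nFilename: pool/b_1_all.deb\nSize: 20\n\n"
             "Package: c\nFilename: pool/c_1_all.deb\nSize: 30\n")
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "pool"))
        # a holds b's body, b holds c's body, c is intact (the off-by-one pattern).
        for name, n in (("a", 20), ("b", 30), ("c", 30)):
            with open(os.path.join(root, "pool", f"{name}_1_all.deb"), "wb") as f:
                f.write(b"\0" * n)
        return check_cache(parse_index(index), root)

if __name__ == "__main__":
    for name, expected, actual, lookalike in demo():
        print(f"{name}: index says {expected}, cache has {actual}, matches {lookalike}")
```

A size match against another package is only a hint; comparing the file's checksum with the index entry is the stronger check.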