-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package: win32-loader
Version: 0.6.0~pre3
Severity: critical
Tags: security
Justification: root security hole

The default boot option used by this package contains the following:

    preseed/url=http://goodbye-microsoft.com/runtime/preseed.cfg

As seen when inspecting the document available at this URL, this boot option is used to run a given command at the time of the installation of Debian GNU/Linux. The command to be run (as root) is retrieved from the document available at the given URL. If an attacker is able to hijack or otherwise influence the DNS server used when Debian GNU/Linux is installed using win32-loader, she may be able to run any command that is available on the system to be installed as root by redirecting requests to a different web server which provides a given arbitrary command at the same URL.

On a side note, a default setting making users take part in a statistical analysis and gathering users' requests in a single location can be considered a privacy risk or issue. (This is the same for suggesting to install Firefox with the Google toolbar, but that's a completely different story.)

I'm looking forward to seeing this software mature (even further).

Moritz
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFG6aTmn6GkvSd/BgwRCk7RAJ0etU8gzz8Pg68WpPFiEzz39XkrEACfSm9Q
GNLRj5k8J4PDtuP+vttJ/hg=
=0zuX
-----END PGP SIGNATURE-----
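The concern in the report is that a plain-HTTP preseed/url lets whoever controls DNS (or the network path) hand the installer an arbitrary command to run as root. The following audit script is an added example, not part of the report and not code from win32-loader or debian-installer: it parses a kernel command line the way a reviewer of a boot configuration would, and flags a preseed/url that is fetched over http without integrity protection. It treats the debian-installer parameter preseed/url/checksum (a real d-i parameter that the report itself does not mention; d-i expects an md5sum there) as a partial mitigation, and https as the stronger one. All command lines except the one quoted in the report, and the checksum value, are constructed samples.

```python
import re
import shlex
from urllib.parse import urlsplit

# Constructed sample boot option strings. Only the goodbye-microsoft.com URL is
# taken from the report; the example.invalid host and the checksum are made up
# (the checksum happens to be the md5sum of the empty string, a placeholder).
SAMPLE_CMDLINES = {
    "reported": "auto=true priority=critical "
                "preseed/url=http://goodbye-microsoft.com/runtime/preseed.cfg",
    "checksummed": "auto=true preseed/url=http://example.invalid/preseed.cfg "
                   "preseed/url/checksum=d41d8cd98f00b204e9800998ecf8427e",
    "https": "auto=true preseed/url=https://example.invalid/preseed.cfg",
    "no_preseed": "auto=true priority=critical",
}

MD5_HEX = re.compile(r"^[0-9a-f]{32}$")


def parse_boot_options(cmdline):
    """Split a kernel command line into {key: value}; bare flags map to True."""
    opts = {}
    for token in shlex.split(cmdline):
        key, sep, value = token.partition("=")
        opts[key] = value if sep else True
    return opts


def audit_preseed(cmdline):
    """Return a list of (severity, message) findings about the preseed source.

    Severities: 'critical' (remote file over http, no integrity check),
    'warning' (http with a checksum, or an unexpected scheme),
    'info' (https, or no remote preseed at all).
    """
    opts = parse_boot_options(cmdline)
    url = opts.get("preseed/url")
    if not isinstance(url, str):
        return [("info", "no preseed/url on the command line")]

    scheme = urlsplit(url).scheme.lower()
    checksum = opts.get("preseed/url/checksum")
    has_checksum = isinstance(checksum, str) and bool(MD5_HEX.match(checksum.lower()))

    if scheme == "http":
        if has_checksum:
            return [("warning",
                     "preseed fetched over http; preseed/url/checksum pins the "
                     "content but the installer still leaks the request to "
                     "anyone on the path")]
        return [("critical",
                 "preseed fetched over http with no checksum: a DNS or network "
                 "hijack can substitute commands that the installer runs as root")]
    if scheme == "https":
        return [("info", "preseed fetched over https (server certificate is the "
                         "trust anchor)")]
    return [("warning", f"unexpected preseed/url scheme {scheme!r}")]


def worst_severity(cmdline):
    """Collapse the findings to the single most severe level."""
    order = {"info": 0, "warning": 1, "critical": 2}
    return max((sev for sev, _ in audit_preseed(cmdline)), key=order.__getitem__)


if __name__ == "__main__":
    for name, cmdline in SAMPLE_CMDLINES.items():
        for sev, msg in audit_preseed(cmdline):
            print(f"{name:12s} {sev:8s} {msg}")
```

Run it as a script to see one line per sample. The parser uses shlex so that quoted values such as `preseed/url="http://host/a b.cfg"` are handled the way the kernel and d-i would split them, and the checksum check requires a full 32-hex md5sum rather than just the presence of the key, so a truncated or placeholder value does not downgrade the finding.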