Package: libgeoip1
Version: 1.4.6.dfsg-12
Severity: normal

Hi,

The example GeoIP database update scripts, located at /usr/share/doc/libgeoip1/examples/*.sh, update the binary GeoIP databases from a potentially unsafe source, without validating the downloaded content, making it vulnerable at least to DNS spoofing, and probably some more related attacks.

I marked this bug as normal, as the default behavior of the package is not to use these scripts, but the fact that they exist in the package will cause people to use them and thus weaken the security of their machines.

See related bug in another package that also downloads content from the internet: http://bugs.debian.org/545241

As GeoIP is an important service, maybe we should offer Debian-built updates, which are built from source, just like the GeoIP.dat that is provided with the package upon installation, or maybe find some other secure solution.

Thanks,
Tom Feiner

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.28-15-generic (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libgeoip1 depends on:
ii  libc6     2.9-26              GNU C Library: Shared libraries
ii  zlib1g    1:1.2.3.3.dfsg-15   compression library - runtime

Versions of packages libgeoip1 recommends:
ii  geoip-database    1.4.6.dfsg-12    IP lookup command line tools that

Versions of packages libgeoip1 suggests:
ii  geoip-bin         1.4.6.dfsg-12    IP lookup command line tools that

-- no debconf information
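As an added example that is not part of this report or of the package's own example scripts, a POSIX shell update routine of the kind the report asks for: it fetches over HTTPS only and refuses to install a database whose SHA-256 digest does not match a value pinned out of band, so a spoofed download is rejected rather than installed. The URL and digest are placeholders to be filled from a trusted channel.

```shell
#!/bin/sh
# Added example (not one of the package's example scripts): install a GeoIP
# database only after its SHA-256 digest matches a value obtained out of band.
# The URL and digest are placeholders; the real values must come from a trusted
# channel (e.g. a signed checksum file), never from the same download.
set -eu

# verify_and_install SRC DEST EXPECTED_SHA256
# Copies SRC over DEST atomically if the digest matches; on mismatch it
# returns 1 and leaves DEST untouched.
verify_and_install() {
    src=$1; dest=$2; expected=$3
    actual=$(sha256sum "$src" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $src (got $actual): refusing to install" >&2
        return 1
    fi
    # Stage next to the destination, then rename, so readers of DEST never
    # observe a half-written file.
    tmp=$(mktemp "$(dirname "$dest")/.GeoIP.XXXXXX")
    cp "$src" "$tmp"
    chmod 0644 "$tmp"
    mv -f "$tmp" "$dest"
}

# fetch_and_install URL DEST EXPECTED_SHA256
# Downloads a gzipped database over HTTPS only (a spoofed DNS answer cannot
# then serve content the server certificate does not vouch for), decompresses
# it, and hands the result to verify_and_install.
fetch_and_install() {
    url=$1; dest=$2; expected=$3
    work=$(mktemp -d)
    wget -q --https-only -O "$work/db.gz" "$url"
    gzip -dc "$work/db.gz" > "$work/db.dat"
    rc=0
    verify_and_install "$work/db.dat" "$dest" "$expected" || rc=$?
    rm -rf "$work"
    return $rc
}

# Usage: ./update-geoip.sh URL DEST EXPECTED_SHA256 (placeholder arguments;
# nothing runs when invoked without them).
if [ "$#" -eq 3 ]; then
    fetch_and_install "$1" "$2" "$3"
fi
```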

