Control: severity -1 critical

Raising the severity of this. I am almost completely done with building the patch for it, and I'd really like to see this get into Jessie, considering that it allows complete compromise of a live image and any installations from it unless the user actually knows to deploy a workaround (which is not discussed at all in the documentation, so it is perfectly easy for a user to just assume it is secure to use with remote archives). I am also contacting the security team to inquire about a CVE being issued, for formality's sake.
Worth noting for the record, since this isn't documented anywhere:

- The only workaround to avoid compromise would be to create and use a local archive instead of a remote one, separately taking steps to ensure the integrity of the local archive before use.
- Even if you do this, if you opt to use the daily edition of the installer image, this is downloaded directly from a Debian server, exposing you to compromise.

Archive: https://lists.debian.org/[email protected]
