On 01/22/2019 12:03 PM, Marek Marczykowski-Górecki wrote:
> On Tue, Jan 22, 2019 at 08:03:01AM -0800, Brendan Hoar wrote:
> > https://justi.cz/security/2019/01/22/apt-rce.html
> > A patch is out to cover this vulnerability, but I'm of the opinion that it may
> > be best to move the qubes-update-proxy worker VMs to a disposable VM model
> > after reading up on this one.
> > Granted, at first glance it appears that the use of the qubes-update-proxy
> > certainly helps, but using disposable VMs might provide an extra layer of
> > protection.
> The updates proxy unfortunately does not help with this issue, but it is also
> not affected by it (at least not directly). It is only an HTTP proxy, which
> does not interpret the content it receives; it only passes it down to the VM
> that requested it. Specifically, if a remote server sent a malicious
> Location: header, it would be forwarded back to apt. While in theory that
> proxy could perform some extra filtering on the response, it isn't used
> for that right now. I don't think tinyproxy supports anything like this
> (but we could change it to a different HTTP proxy implementation).
The proxy appears to be 'affected' in the sense that Debian's temporary
update instructions from their security bulletin do not work in the
Qubes template.
So we are missing a straightforward resolution that Qubes users can follow.
--
Chris Laprise, [email protected]
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886
To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-devel/f750330b-7fc8-e6c9-3c3e-1ae9f828520a%40posteo.net.
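Marek notes that the updates proxy forwards responses untouched and that it could, in theory, filter them. The following is an added example (not Qubes or tinyproxy code) of what such a check on a forwarded Location: header might look like; the policy it enforces, single clean line of printable ASCII that parses as an absolute http:// or https:// URL, is an assumption of this example, and the sample headers are constructed.

```python
"""Added example: a response-header filter of the kind a forwarding HTTP
proxy could apply before passing a Location: header back to the client.
This is not Qubes or tinyproxy code; the policy below is an assumption."""
import string
from urllib.parse import urlsplit

# Printable ASCII minus the whitespace controls; a header value is by
# definition a single line, so CR, LF, tabs and form feeds are rejected.
PRINTABLE = set(string.printable) - set("\r\n\t\x0b\x0c")


def location_is_safe(value: str) -> bool:
    """Return True if a Location header value is safe to forward."""
    if not value or len(value) > 2048:
        return False
    if any(ch not in PRINTABLE for ch in value):
        return False
    parts = urlsplit(value)
    # Only absolute http(s) redirects are forwarded; anything else is dropped.
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def filter_response_headers(headers):
    """Split (name, value) pairs into those to forward and those dropped.

    Only Location headers are inspected; all other headers are forwarded.
    """
    kept, dropped = [], []
    for name, value in headers:
        if name.lower() == "location" and not location_is_safe(value):
            dropped.append((name, value))
            continue
        kept.append((name, value))
    return kept, dropped


if __name__ == "__main__":
    # Constructed sample response headers, as a proxy would parse them.
    sample = [
        ("Content-Type", "text/html"),
        ("Location", "http://deb.debian.org/debian/pool/main/x/example.deb"),
        ("Location", "http://mirror.example/x.deb\r\nX-Other: value"),
        ("Location", "file:///etc/passwd"),
        ("Location", "/relative/only"),
    ]
    kept, dropped = filter_response_headers(sample)
    print("forwarded:", kept)
    print("dropped:", dropped)
```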