On 01/22/2019 09:51 PM, Marek Marczykowski-Górecki wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On Tue, Jan 22, 2019 at 09:44:31PM -0500, Chris Laprise wrote:
On 01/22/2019 08:49 PM, unman wrote:
On Tue, Jan 22, 2019 at 12:57:37PM -0500, Chris Laprise wrote:
On 01/22/2019 12:03 PM, Marek Marczykowski-Górecki wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On Tue, Jan 22, 2019 at 08:03:01AM -0800, Brendan Hoar wrote:
https://justi.cz/security/2019/01/22/apt-rce.html

A patch is out to cover this vulnerability, but I'm of the opinion that it may 
be best to move the qubes-update-proxy worker VMs to a disposable VM model 
after reading up on this one.

Granted, at first glance it appears that the use of the qubes-update-proxy 
certainly helps, but using disposable VMs might provide an extra layer of 
protection.

Updates proxy unfortunately does not help with this issue, but also is
not affected by it (at least not directly). It is only an HTTP proxy, which
does not interpret the content it receives, only passes it down to the VM that
requested it. Specifically, if a remote server sent a malicious
Location: header, it would be forwarded back to apt. While in theory that
proxy could perform some extra filtering on the response, it isn't used
for that right now. I don't think tinyproxy supports anything like this
(but we could change it to a different HTTP proxy implementation).

The proxy appears to be 'affected' in the sense that Debian's temporary
update instructions from their security bulletin do not work in the Qubes
template.

So we are missing a straightforward resolution that Qubes users can follow.


Can you explain this? As far as I can see, the temporary update
instructions *do* work in a template.
What makes you think they don't?


With normal update proxy settings (no cache), this happens:

user@d9:~$ sudo apt -o Acquire::http::AllowRedirect=false update
Ign:1 http://security.debian.org stretch/updates InRelease
Hit:2 http://deb.qubes-os.org/r4.0/vm stretch InRelease
Ign:3 http://deb.debian.org/debian stretch InRelease
Err:4 http://deb.debian.org/debian stretch Release
  302  Found
Err:5 http://security.debian.org stretch/updates Release
  302  Found
Reading package lists... Done
E: The repository 'http://deb.debian.org/debian stretch Release' does no longer have a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
E: The repository 'http://security.debian.org stretch/updates Release' does no longer have a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

Did I miss something?

The second part of the instruction in the DSA:

     This is known to break some proxies when used against
     security.debian.org. If that happens, people can switch their security
     APT source to use:

     deb http://cdn-fastly.deb.debian.org/debian-security stable/updates main

Hmmm. I didn't have security.debian.org enabled in the first place (IIRC disabled is the default) so at first I dismissed that advice. Then I tried adding their source line anyway and got the same warnings.

I didn't realize, as Ilpo suggested, that I should comment out the other sources temporarily. That did the trick.


Anyway, progress on an automated fix:
https://github.com/QubesOS/qubes-issues/issues/4752

--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886
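Marek's point above is that the update proxy relays a mirror's Location header to apt unchanged, and that filtering on the proxy side would be possible in principle even though tinyproxy does not do it. As an added illustration (not code from this thread, from Qubes, or from tinyproxy), the following is the kind of check a filtering proxy could apply to a redirect before relaying it: the response head is parsed strictly, a 3xx must carry exactly one Location header free of control or non-ASCII characters, and the target must stay on an allowlist of mirror hosts. The allowlist, the sample response heads and all function names are assumptions made for this example.

```python
import re
from urllib.parse import urlsplit

# Mirror hosts the filtering proxy is assumed to be configured for (assumption
# for this example; a real deployment would derive this from its own config).
ALLOWED_MIRROR_HOSTS = {
    "deb.debian.org",
    "security.debian.org",
    "cdn-fastly.deb.debian.org",
    "deb.qubes-os.org",
}

# RFC 7230 "token" characters permitted in a header field name.
_TOKEN_RE = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")


def parse_response_head(raw: bytes):
    """Split the head of an HTTP/1.x response into (status_code, [(name, value), ...]).

    Header names are lower-cased. Anything that is not a clean status line or a
    'Name: value' line raises ValueError, so the caller refuses the response
    instead of guessing at its meaning.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status_parts = lines[0].decode("latin-1").split(" ", 2)
    if (len(status_parts) < 2 or not status_parts[0].startswith("HTTP/")
            or not status_parts[1].isdigit()):
        raise ValueError("malformed status line")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        name = name.strip().decode("latin-1")
        if not sep or not _TOKEN_RE.fullmatch(name):
            raise ValueError("malformed header line: %r" % line)
        headers.append((name.lower(), value.strip().decode("latin-1")))
    return int(status_parts[1]), headers


def redirect_verdict(status_code: int, headers):
    """Decide whether a response may be relayed to apt unchanged.

    Returns (allowed, reason). Non-redirect responses pass through; a 3xx must
    carry exactly one Location header, free of control or non-ASCII bytes,
    using http(s), and pointing at an allow-listed mirror host.
    """
    if not 300 <= status_code < 400:
        return True, "not a redirect"
    locations = [value for name, value in headers if name == "location"]
    if len(locations) != 1:
        return False, "expected exactly one Location header, got %d" % len(locations)
    location = locations[0]
    if any(ord(ch) < 0x20 or ord(ch) >= 0x7F for ch in location):
        return False, "control or non-ASCII character in Location"
    target = urlsplit(location)
    if target.scheme not in ("http", "https") or not target.hostname:
        return False, "Location is not an absolute http(s) URL"
    if target.hostname not in ALLOWED_MIRROR_HOSTS:
        return False, "redirect leaves the mirror allowlist: %s" % target.hostname
    return True, "redirect to %s" % target.hostname


def filter_response(raw: bytes):
    """Parse a raw response head and return the relay decision for it."""
    try:
        status_code, headers = parse_response_head(raw)
    except ValueError as exc:
        return False, "unparseable response: %s" % exc
    return redirect_verdict(status_code, headers)


# Constructed sample response heads (not captured from a real mirror).
SAMPLE_ON_MIRROR = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: http://cdn-fastly.deb.debian.org/debian-security/dists/stretch/updates/InRelease\r\n"
    b"Content-Length: 0\r\n\r\n"
)
SAMPLE_OFF_MIRROR = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: http://mirror.example.invalid/debian/dists/stretch/InRelease\r\n"
    b"Content-Length: 0\r\n\r\n"
)
# A Location value with a bare line break inside it: whatever a downstream
# parser would make of it, the proxy should not relay it.
SAMPLE_LINE_BREAK = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: http://deb.debian.org/debian/dists/\nstretch/InRelease\r\n"
    b"Content-Length: 0\r\n\r\n"
)
SAMPLE_PLAIN = b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    for label, raw in [("on-mirror", SAMPLE_ON_MIRROR), ("off-mirror", SAMPLE_OFF_MIRROR),
                       ("line-break", SAMPLE_LINE_BREAK), ("plain", SAMPLE_PLAIN)]:
        allowed, reason = filter_response(raw)
        print("%-10s %s (%s)" % (label, "relay" if allowed else "refuse", reason))
```

Relative Location values are refused here only because the check is written without knowledge of the original request host; a real proxy would resolve them against that host before applying the same allowlist. The point of the strict parser is that a response the proxy cannot parse cleanly is refused rather than relayed for apt to interpret.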

--
You received this message because you are subscribed to the Google Groups 
"qubes-devel" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-devel+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-devel@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-devel/46d6c7df-2529-f62f-5b9f-7d1a2f93c686%40posteo.net.
For more options, visit https://groups.google.com/d/optout.