Bug#863317: apt: susceptible to replay attacks

2017-06-02 Thread David Kalnischkies
On Tue, May 30, 2017 at 01:29:33AM +0200, Jakub Wilk wrote:
> * David Kalnischkies, 2017-05-28, 10:35:
> > > > Unfortunately, this protection is ineffective. All the attacker
> > > > needs to do to hide security updates is to replace all the files
> > > > from

Bug#863317: apt: susceptible to replay attacks

2017-05-29 Thread Jakub Wilk
* David Kalnischkies, 2017-05-28, 10:35:
Unfortunately, this protection is ineffective. All the attacker needs to do to hide security updates is to replace all the files from http://security.debian.org/dists/$DIST/updates/ with the ones from

Bug#863317: apt: susceptible to replay attacks

2017-05-28 Thread David Kalnischkies
On Thu, May 25, 2017 at 02:10:11PM +0200, Julian Andres Klode wrote:
> On Thu, May 25, 2017 at 01:30:13PM +0200, Jakub Wilk wrote:
> > Unfortunately, this protection is ineffective. All the attacker needs to do
> > to hide security updates is to replace all the files from
> >

Bug#863317: apt: susceptible to replay attacks

2017-05-25 Thread Julian Andres Klode
On Thu, May 25, 2017 at 01:30:13PM +0200, Jakub Wilk wrote:
> Package: apt
> Version: 1.0.9.8.4
> Tags: security
>
> Nearly a decade ago, Valid-Until fields were added to Release files (bug
> #499897). The primary motivation for this was to protect from a
> man-in-the-middle adversary from

Bug#863317: apt: susceptible to replay attacks

2017-05-25 Thread Jakub Wilk
Package: apt
Version: 1.0.9.8.4
Tags: security

Nearly a decade ago, Valid-Until fields were added to Release files (bug #499897). The primary motivation for this was to protect from a man-in-the-middle adversary from serving an outdated copy of the security mirror. Unfortunately, this