> It allows for attacking a repository via MITM attacks, circumventing
the signature of the InRelease file.
> ("deb http://192.168.0.2:1337/debian/ jessie-updates main" or so).
[..] This simulates a MITM attack or compromised mirror.
That sounds like it matters, where that InRelease file comes from,
right? When I look into my /etc/apt/sources.list, I only see deb/dev-src
http://<tld>.archive.ubuntu.com/... entries.
I think it would be much better, if Canonical servers would require TLS
1.x encryption (STS preferred) and thusly identify themselves with a
proper cert, so machines/users can make sure (nation-state actors not
taken into account) who they're talking to.
I think that would definitely make MITM and MOTS attacks more difficult.
I'm aware of the signatures, i.e. present package security, though.
Nonetheless, they do not seem to address the problem of transport
security.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1647467
Title:
InRelease file splitter treats getline() errors as EOF
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1647467/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
