*** This bug is a security vulnerability *** Public security bug reported:
Binary package hint: apt apt and possibly other Ubuntu package managers capable of downloading packages are vulnerable to two kinds of attacks. 1. Replay attack, where an attacker, by operating a malicious mirror or by spoofing the address of a valid mirror, serves correctly signed but outdated packages lists. As new vulnerabilities are discovered and patched, the users who are using the malicious mirror won't be receiving any updates and will continue running vulnerable software. See http://www.cs.arizona.edu/people/justin/packagemanagersecurity/attacks-on-package-managers.html 2. Endless data attack, where an attacker serves very long files to a package manager that uses his malicious mirror. That might prevent the package manager from ever completing, leading to the same problem as described above. It might also consume all disk space preventing logging, mail delivery and other system services from running properly. See http://www.cs.arizona.edu/people/justin/packagemanagersecurity/otherattacks.html#endlessdata There is also an entry on Ubuntu and Debian in the FAQ at http://www.cs.arizona.edu/people/justin/packagemanagersecurity/faq.html ** Affects: apt (Ubuntu) Importance: Undecided Status: New ** Affects: aptitude (Ubuntu) Importance: Undecided Status: New ** Affects: synaptic (Ubuntu) Importance: Undecided Status: New ** Visibility changed to: Public ** Also affects: aptitude (Ubuntu) Importance: Undecided Status: New ** Also affects: synaptic (Ubuntu) Importance: Undecided Status: New ** Description changed: Binary package hint: apt apt and possibly other Ubuntu package managers capable of downloading packages are vulnerable to two kinds of attacks. - 1. Replay attack, where an attacker, by operating a malicious mirror or by spoofing the address of a valid mirror, serves outdated packages lists which are correctly signed. As new vulnerabilities are discovered and patched, the users who are using the malicious mirror won't be receiving any updates and will continue running vulnerable software. + 1. Replay attack, where an attacker, by operating a malicious mirror or by spoofing the address of a valid mirror, serves correctly signed but outdated packages lists. As new vulnerabilities are discovered and patched, the users who are using the malicious mirror won't be receiving any updates and will continue running vulnerable software. See http://www.cs.arizona.edu/people/justin/packagemanagersecurity/attacks-on-package-managers.html - 2. Endless data attacks, where an attacker serves very long files to a package manager that uses his malicious mirror. That might prevent the package manager from ever completing, leading to the same problem as described above. That might also consume all disk space preventing logging, mail delivery and other system services from running properly. + 2. Endless data attack, where an attacker serves very long files to a package manager that uses his malicious mirror. That might prevent the package manager from ever completing, leading to the same problem as described above. It might also consume all disk space preventing logging, mail delivery and other system services from running properly. See http://www.cs.arizona.edu/people/justin/packagemanagersecurity/otherattacks.html#endlessdata There is also an entry on Ubuntu and Debian in the FAQ at http://www.cs.arizona.edu/people/justin/packagemanagersecurity/faq.html -- Package managers vulnerable to replay and endless data attacks https://bugs.launchpad.net/bugs/247445 You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
