Author: KatolaZ
Date:  
To: DNG
Subject: Re: [DNG] [corsac@debian.org: [SECURITY] [DSA 4371-1] apt security update]
On Thu, Jan 24, 2019 at 12:28:35AM +0100, Florian Zieboll wrote:
> Am 23. Januar 2019 23:54:10 MEZ schrieb KatolaZ <katolaz@???>:
>
> > No Florian, there is no "not-redirecting" repository in Devuan. Any
> > Devuan repo will redirect to the corresponding Debian repo for all the
> > packages that have not been forked by Debian, so you can't set
> > AllowRedirect to false.
> >
> > The safest way is to manually download apt from the Debian pool, as
> > explained in the email I forwarded. Or, if you trust Devuan, to use
> > pkgmaster.devuan.org in your sources.list (that one is the master
> > Devuan repo, and is on a machine to which only a reduced number of
> > core developers have access), do the update, and then put back
> > deb.devuan.org.
> >
> > HTH
> >
> > KatolaZ
>
> Hallo Katolaz,
>
> thank you for the quick clarification, I got it and was just about to write a follow-up mail. Do IUC that without TLS it is still possible to mount a MITM?
>


Dear Florian,

the presence of TLS won't help a bit to avoid the apt bug we are
referring to. First, because the bug is in the way the "Location:"
header is parsed, which has nothing to do with the fact that you do or
do not redirect to an HTTPS URL. Second, because the vulnerability is
not about a MITM attack, but rather a remote exploit.

No MITM attack on the Debian/Devuan repo can be easily mounted, since
packages are checksummed, and all the checksums are signed with the
repository key (it's just a tiny bit more convoluted than that, but
still). So if any package is out of order (i.e., it presents a
checksum that offends the signed one), apt will immediately discover a
mismatch with the signed and verified material, will refuse to
continue, and will exit *loudly* (i.e., with an ERROR).

HTTPS won't add a single bit of security to a Debian/Devuan repo. It
will only prevent an external actor from seeing which packages are
actually requested and downloaded by the client.

My2Cents

KatolaZ

-- 
[ ~.,_  Enzo Nicosia aka KatolaZ - Devuan -- Freaknet Medialab  ]  
[     "+.  katolaz [at] freaknet.org --- katolaz [at] yahoo.it  ]
[       @)   http://kalos.mine.nu ---  Devuan GNU + Linux User  ]
[     @@)  http://maths.qmul.ac.uk/~vnicosia --  GPG: 0B5F062F  ] 
[ (@@@)  Twitter: @KatolaZ - skype: katolaz -- github: KatolaZ  ]
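The verification chain KatolaZ describes above (signed Release file, then checksummed Packages index, then checksummed .deb), as an added Python example that is not part of this thread or of apt itself. It assumes the GPG signature on the Release file has already been checked (for instance with gpgv against the trusted keyring) and uses constructed sample data, not files from a real mirror.

```python
import hashlib
# Constructed sample data, not from a real mirror: a fake .deb payload, a
# Packages index describing it, and the cleartext body of the Release file.
# apt's trust chain: GPG signature on Release -> SHA256 of Packages -> SHA256
# of each .deb; the GPG step (gpgv against the keyring) is assumed done already.
DEB_BYTES = b"!<arch>\ndebian-binary   constructed-sample-package-contents\n"

def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()
PACKAGES_TEXT = (
    "Package: example\nVersion: 1.0-1\nArchitecture: amd64\n"
    "Filename: pool/main/e/example/example_1.0-1_amd64.deb\n"
    f"Size: {len(DEB_BYTES)}\nSHA256: {_sha256(DEB_BYTES)}\n\n"
)
PACKAGES_BYTES = PACKAGES_TEXT.encode()
RELEASE_TEXT = (
    "Suite: ascii\nCodename: ascii\nSHA256:\n"
    f" {_sha256(PACKAGES_BYTES)} {len(PACKAGES_BYTES):>16} main/binary-amd64/Packages\n"
)

def parse_release_sha256(release_text: str) -> dict:
    """Map index path -> (sha256, size) from the Release file's SHA256: section."""
    entries, in_section = {}, False
    for line in release_text.splitlines():
        if line.startswith("SHA256:"):
            in_section = True
        elif in_section and line.startswith(" "):
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
        else:
            in_section = False  # any other field ends the section
    return entries

def parse_packages(packages_text: str) -> dict:
    """Map Filename -> (sha256, size) for every stanza of a Packages index."""
    result = {}
    for stanza in packages_text.strip().split("\n\n"):
        fields = dict(l.split(": ", 1) for l in stanza.splitlines() if ": " in l)
        result[fields["Filename"]] = (fields["SHA256"], int(fields["Size"]))
    return result

def verify_index(release_text: str, index_path: str, index_bytes: bytes) -> bool:
    """The downloaded Packages index must match the entry in the signed Release."""
    expected = parse_release_sha256(release_text).get(index_path)
    return expected == (_sha256(index_bytes), len(index_bytes))

def verify_deb(packages_text: str, filename: str, deb_bytes: bytes) -> bool:
    """The downloaded .deb must match the entry in the verified Packages index."""
    expected = parse_packages(packages_text).get(filename)
    return expected == (_sha256(deb_bytes), len(deb_bytes))
```

A client that refuses to proceed when either check returns False is exactly the "exit loudly" behaviour described in the reply; the checks do not depend on whether the files arrived over HTTP or HTTPS.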