Your message dated Sun, 05 Mar 2017 11:48:41 +0000
with message-id <e1ckuex-0005lu...@fasolo.debian.org>
and subject line Bug#856211: fixed in anna 1.58
has caused the Debian Bug report #856211,
regarding anna: please implement SHA256 verification of .udeb files
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
856211: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=856211
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: anna
Version: 1.57
Severity: grave
Tags: security
X-Debbugs-Cc: secur...@debian.org
User: debian-rele...@lists.debian.org
Usertags: bsp-2017-02-de-Berlin
Control: block -1 by 856210
Hi,
To date, anna still only implements MD5 verification of .udeb files,
despite its formal deprecation as a digital signature algorithm by
RFC6151 (2011) and recommendations of academic literature years prior.
The files are typically downloaded via insecure HTTP transport, so the
checksum verification is critical for the security of the installed
system. stretch is expected to be a supported release until 2022. So
I'm tentatively filing this bug as RC-severity.
Further context and an overview of related bugs will be published at:
https://wiki.debian.org/InstallerDebacle
Thanks,
Regards,
--
Steven Chamberlain
ste...@pyro.eu.org
signature.asc
Description: Digital signature
--- End Message ---
--- Begin Message ---
Source: anna
Source-Version: 1.58
We believe that the bug you reported is fixed in the latest version of
anna, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 856...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Bastian Blank <wa...@debian.org> (supplier of updated anna package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sun, 05 Mar 2017 12:26:20 +0100
Source: anna
Binary: anna
Architecture: source
Version: 1.58
Distribution: unstable
Urgency: medium
Maintainer: Debian Install System Team <debian-boot@lists.debian.org>
Changed-By: Bastian Blank <wa...@debian.org>
Description:
anna - anna's not nearly apt, but for the Debian installer, it will do
(udeb)
Closes: 856211
Changes:
anna (1.58) unstable; urgency=medium
.
[ Bastian Blank ]
* Build-depend against new enough version of libdebian-installer4-dev.
.
[ Steven Chamberlain ]
* Use SHA256 for verification. (closes: #856211)
Checksums-Sha1:
c05e62195a4eda6f09edbd958550041af2ded22c 1318 anna_1.58.dsc
76d4cbe202faa4d426b773323e2c951874c03e6f 89468 anna_1.58.tar.xz
b25849dfcc3fdae496018d75125c1c7fa8cb959f 5034 anna_1.58_source.buildinfo
Checksums-Sha256:
34fa403bf6efd85f860334af2b61e14e9382b9cc556ea69e7f88553f64f1d83c 1318
anna_1.58.dsc
aa0e064ef0487fcc3b5adaac3e12d35df8149e7e0a6a7a5300e4064d782e98cc 89468
anna_1.58.tar.xz
e216b0c591fef37cdb5dd11534dc7cf8fd18797706a3f5fe520e01deac7c82aa 5034
anna_1.58_source.buildinfo
Files:
5636e687f1ef5671da967b9549eef47e 1318 debian-installer standard anna_1.58.dsc
d9711e8f89bb6e5c43fbb659aecf4076 89468 debian-installer standard
anna_1.58.tar.xz
561f0d9be43e570bc57ffbf9793418d5 5034 debian-installer standard
anna_1.58_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iQEzBAEBCAAdFiEER3HMN63jdS1rqjxLbZOIhYpp/lEFAli79h0ACgkQbZOIhYpp
/lHodAgAkHywc3nxxsJbzUPAFNoG50n9u0ouVFQpG/+n1cu6WskZX12nWEDtc2ec
7FehgOHBwuGWVIq3u8gn/fshWdXDPB2zW/lxMCKUUG5K1Drr7oIr7HY/dJu1CFuL
TmMU1Oc5TCxsrohksqQiCWStn1fFcWigkYbb7XTXWknzDrOZtig7+CU1pLRasQGd
KTOwgf+GgVAqTd4cYo5XJPPQZzDDpFC9hWHCk/Q8schNKil+Lm3dEKfcPQ5Mad9v
yenjPo7T9yOXoRg2Iy7kjOSv42OtZYuIVPsEbm0YJaYpTZpMw51CloVWC9FsWMBI
AB838NWB8LGMoypncGA1jY2TQeE85g==
=LOmw
-----END PGP SIGNATURE-----
--- End Message ---
