Tom Feiner wrote:
> Package: libgeoip1
> Version: 1.4.6.dfsg-12
> Severity: normal
>
> Hi,
>
> The example GeoIP database update scripts, located at
> /usr/share/doc/libgeoip1/examples/*.sh, update the binary GeoIP databases
> from a potentially unsafe source, without validating the downloaded
> content, making it vulnerable at least to DNS spoofing, and probably
> some more related attacks.
>
> I marked this bug as normal, as the default behavior of the package is
> not to use these scripts, but the fact that they exist in the package
> will cause people to use them and thus weaken the security of their
> machines.
>
> See related bug in another package that also downloads content from the
> internet: http://bugs.debian.org/545241
>
> As GeoIP is an important service, maybe we should offer Debian-built
> updates, which are built from source, just like the GeoIP.dat that is
> provided with the package upon installation, or maybe find some other
> secure solution.
Hello,

I really do not understand how checksums will help here.

Case 1: Attacker injects DNS; the script will download the database AND
the checksums from the insecure location, and the attacker isn't so
stupid and also corrects the checksums to match his malicious GeoIP
database.

Case 2: Your secure location gets hacked.

Case 3: Your location does not have to be secure, just the nameserver
the victim uses.

So I don't think that there is a good solution for it, or is there?

--
/*
Mit freundlichem Gruß / With kind regards,
Patrick Matthäi

GNU/Linux Debian Developer
E-Mail: pmatth...@debian.org
        patr...@linux-dev.org

Comment: Always if we think we are right, we were maybe wrong.
*/
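The same-channel checksum problem described in the reply above, as an added shell example (not the libgeoip1 package's example scripts and not code from the bug report); the mirror directory, file names and database contents are constructed stand-ins, and the "pinned" digest models a value the admin obtained out of band rather than from the mirror:

```shell
#!/bin/sh
# Added example (not the libgeoip1 scripts): models the "download the
# database and its checksum from the same host" pattern and shows why that
# check passes even when whoever controls the host, or the victim's DNS,
# replaces both files. All paths and contents below are constructed.
set -u

MIRROR=$(mktemp -d)                    # stands in for the HTTP mirror
trap 'rm -rf "$MIRROR"' EXIT
DBFILE="$MIRROR/GeoIP.dat"
SUMFILE="$MIRROR/GeoIP.dat.sha1"

# Publish a database plus its checksum, the way the mirror would.
publish_db() {
    printf '%s' "$1" > "$DBFILE"
    sha1sum "$DBFILE" | cut -d' ' -f1 > "$SUMFILE"
}

# Weak check: the checksum travels over the same untrusted channel as the
# data. Succeeds whenever the two downloaded files agree with each other.
verify_same_channel() {
    [ "$(sha1sum "$DBFILE" | cut -d' ' -f1)" = "$(cat "$SUMFILE")" ]
}

# Stronger check: compare against a digest obtained out of band (for
# instance shipped inside the .deb), which the mirror cannot rewrite.
verify_pinned() {
    [ "$(sha1sum "$DBFILE" | cut -d' ' -f1)" = "$1" ]
}

# Genuine publication: the digest is recorded out of band while the
# mirror is still trustworthy.
publish_db "GENUINE-GEOIP-DATA"
PINNED_SHA1=$(cat "$SUMFILE")
verify_same_channel && verify_pinned "$PINNED_SHA1" \
    && echo "genuine file: both checks pass"

# Case 1 from the reply: the database is swapped and the checksum file is
# rewritten to match, so the same-channel check learns nothing.
publish_db "MALICIOUS-GEOIP-DATA"
verify_same_channel && echo "swapped file: same-channel checksum still passes"
verify_pinned "$PINNED_SHA1" || echo "swapped file: pinned digest rejects it"
```

A pinned digest only covers one fixed file; for a database that is updated regularly the equivalent is a detached signature on each release, verified against a key that was installed with the package rather than fetched alongside the data.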