Steinar H. Gunderson wrote:
>> http://www.cs.arizona.edu/people/justin/packagemanagersecurity/attacks-on-package-managers.html
>>
>> What are people's thoughts on this?
>
> It's been known for quite a while. (I asked one of the guys publishing it,
> and he was fully aware of that, but felt it was still important to bring
> light to it.)
I'm the researcher that Steinar exchanged emails with. I just wanted to clarify this a bit, as I believe he misunderstood something I said the other week. -- Sorry for any confusion, Steinar.

These types of attacks, replay attacks[1] and endless data attacks[2], were well known in general, but not with respect to APT or other package managers being vulnerable to them. We are by no means claiming to have discovered replay attacks, nor are we aware of previous widespread disclosure that package managers are vulnerable to these attacks.

A big thank you to the various Debian security people who have helped answer questions and verify information for us recently. I believe most of the issues we disclosed are in discussion and will be addressed.

[1] http://en.wikipedia.org/wiki/Replay_attack
[2] http://insecure.org/stf/wietse_murphy.html

--
Justin Samuel
https://www.cs.arizona.edu/~jsamuel/
gpg: 0xDDF1F3EE [66EF 84E2 F184 B140 712B 55A7 2B96 AB8F DDF1 F3EE]