On Tue, Jan 22, 2019 at 10:06:01PM -0500, Chris Laprise wrote:
> On 01/22/2019 09:51 PM, Marek Marczykowski-Górecki wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA256
> > 
> > On Tue, Jan 22, 2019 at 09:44:31PM -0500, Chris Laprise wrote:
> > > On 01/22/2019 08:49 PM, unman wrote:
> > > > On Tue, Jan 22, 2019 at 12:57:37PM -0500, Chris Laprise wrote:
> > > > > On 01/22/2019 12:03 PM, Marek Marczykowski-Górecki wrote:
> > > > > > -----BEGIN PGP SIGNED MESSAGE-----
> > > > > > Hash: SHA256
> > > > > > 
> > > > > > On Tue, Jan 22, 2019 at 08:03:01AM -0800, Brendan Hoar wrote:
> > > > > > > https://justi.cz/security/2019/01/22/apt-rce.html
> > > > > > > 
> > > > > > > A patch is out to cover this vulnerability, but I'm of the 
> > > > > > > opinion that it may be best to move the qubes-update-proxy worker 
> > > > > > > VMs to a disposable VM model after reading up on this one.
> > > > > > > 
> > > > > > > Granted, at first glance it appears that the use of the 
> > > > > > > qubes-update-proxy certainly helps, but using disposable VMs 
> > > > > > > might provide an extra layer of protection.
> > > > > > 
> > > > > > The updates proxy unfortunately does not help with this issue, but
> > > > > > also is not affected by it (at least not directly). It is only an
> > > > > > http proxy, which does not interpret the content it receives, only
> > > > > > passes it down to the VM that requested it. Specifically, if a remote
> > > > > > server sent a malicious Location: header, it would be forwarded back
> > > > > > to apt. While in theory that proxy could perform some extra filtering
> > > > > > on the response, it isn't used for that right now. I don't think
> > > > > > tinyproxy supports anything like this (but we could change it to a
> > > > > > different http proxy implementation).
> > > > > 
> > > > > The proxy appears to be 'affected' in the sense that Debian's
> > > > > temporary update instructions from their security bulletin do not work
> > > > > in the Qubes template.
> > > > > 
> > > > > So we are missing a straightforward resolution that Qubes users can
> > > > > follow.
> > > > > 
> > > > 
> > > > Can you explain this? As far as I can see, the temporary update
> > > > instructions *do* work in a template.
> > > > What makes you think they don't?
> > > 
> > > 
> > > With normal update proxy settings (no cache), this happens:
> > > 
> > > > user@d9:~$ sudo apt -o Acquire::http::AllowRedirect=false update
> > > > Ign:1 http://security.debian.org stretch/updates InRelease
> > > > Hit:2 http://deb.qubes-os.org/r4.0/vm stretch InRelease
> > > > Ign:3 http://deb.debian.org/debian stretch InRelease
> > > > Err:4 http://deb.debian.org/debian stretch Release
> > > >   302  Found
> > > > Err:5 http://security.debian.org stretch/updates Release
> > > >   302  Found
> > > > Reading package lists... Done
> > > > E: The repository 'http://deb.debian.org/debian stretch Release' does no longer have a Release file.
> > > > N: Updating from such a repository can't be done securely, and is therefore disabled by default.
> > > > N: See apt-secure(8) manpage for repository creation and user configuration details.
> > > > E: The repository 'http://security.debian.org stretch/updates Release' does no longer have a Release file.
> > > > N: Updating from such a repository can't be done securely, and is therefore disabled by default.
> > > > N: See apt-secure(8) manpage for repository creation and user configuration details.
> > > 
> > > Did I miss something?
> > 
> > The second part of the instruction in the DSA:
> > 
> >      This is known to break some proxies when used against
> >      security.debian.org. If that happens, people can switch their security
> >      APT source to use:
> > 
> >      deb http://cdn-fastly.deb.debian.org/debian-security stable/updates main
> 
> Hmmm. I didn't have security.debian.org enabled in the first place (IIRC
> disabled is the default) so at first I dismissed that advice. Then I tried
> adding their source line anyway and got the same warnings.
> 
> I didn't realize, as Ilpo suggested, that I should comment out the other
> sources temporarily. That did the trick.
> 

deb.debian.org, which you are using, isn't a repository. It's a
placeholder with SRV records pointing to repositories.
If the SRV doesn't work, then it provides a redirect function, which you
are obviously blocking (as instructed).
The instructions aren't all that clear, since the problem will occur with
any use of deb.debian.org, not just for security repos.
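As an added illustration of the workaround worked out in this thread (this is example code, not part of the thread and not Qubes' own update tooling), the POSIX shell script below automates what Chris ended up doing by hand: it rewrites a copy of sources.list so that the security entry uses the direct cdn-fastly host quoted from the DSA above, comments out every other entry that still points at the deb.debian.org redirector (which, as unman explains, cannot work once redirects are refused), leaves unrelated entries such as deb.qubes-os.org alone, and then runs apt with Acquire::http::AllowRedirect=false against that temporary list. It assumes plain one-line deb/deb-src entries; the Dir::Etc::SourceList and Dir::Etc::SourceParts keys are standard apt configuration, with "-" the usual value for ignoring sources.list.d during one run. Nothing in /etc/apt is modified.

```shell
#!/bin/sh
# Added example, not from the thread or from Qubes' own update tooling.
# Produces a temporary sources.list suitable for
#   apt -o Acquire::http::AllowRedirect=false update
# as the DSA instructs:
#   - security entries (security.debian.org or deb.debian.org/debian-security)
#     are replaced by the direct cdn-fastly line quoted from the DSA;
#   - any other entry still pointing at deb.debian.org is commented out,
#     because that host is a redirector and breaks once redirects are refused;
#   - every other entry (e.g. deb.qubes-os.org) is passed through unchanged.
# Assumes plain one-line "deb"/"deb-src" entries (bracketed options are fine).

rewrite_sources() {
    # $1: path of the sources.list to transform; the result goes to stdout
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { print; next }   # comments and blank lines
        $1 !~ /^deb(-src)?$/                 { print; next }   # not a source entry
        /security\.debian\.org/ || /deb\.debian\.org\/debian-security/ {
            # replacement line taken verbatim from the DSA as quoted in this thread
            print $1 " http://cdn-fastly.deb.debian.org/debian-security stable/updates main"
            next
        }
        /deb\.debian\.org/ {
            print "# temporarily disabled (deb.debian.org is a redirector): " $0
            next
        }
        { print }
    ' "$1"
}

update_without_redirects() {
    # $1: sources.list to start from (normally /etc/apt/sources.list).
    # The rewritten list lives in a temp file that only this apt run sees;
    # SourceParts is set to "-" so sources.list.d snippets cannot pull
    # deb.debian.org back in behind our back.
    tmp=$(mktemp) || return 1
    rewrite_sources "$1" > "$tmp"
    sudo apt -o Acquire::http::AllowRedirect=false \
             -o Dir::Etc::SourceList="$tmp" \
             -o Dir::Etc::SourceParts="-" \
             update
    rc=$?
    rm -f "$tmp"
    return $rc
}

# apt is only invoked when explicitly requested:  sh noredirect-update.sh run
if [ "${1:-}" = "run" ]; then
    update_without_redirects /etc/apt/sources.list
fi
```

Run it once with `run` inside the template (through the normal Qubes update proxy, which just forwards whatever apt asks for), and the transient list is discarded afterwards, so the template returns to its usual sources as soon as the patched apt has been installed.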

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-devel" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-devel/20190123140308.iafpk6bqxzuj2252%40thirdeyesecurity.org.