** Tags added: id-5d106c1d683546484e9cb04e
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/857472
Title:
net-update verifcation checking insecure
To manage notifications about this bug go
** Changed in: apt (Ubuntu)
Milestone: ubuntu-11.10 => None
--
** Branch linked: lp:apt
--
This bug was fixed in the package apt - 0.8.16~exp5ubuntu13
---
apt (0.8.16~exp5ubuntu13) oneiric; urgency=low
[ Adam Conrad ]
* On armel, call update-apt-xapian-index with '-u' to keep the CPU
and I/O usage low. We would do this on all arches, but there's a
regression
After discussing some improvements with Michael, I can't think of any issues
with r1935 right now.
sbeattie is looking at it also.
--
** Branch linked: lp:~mvo/apt/apt-key-master-keyring-fix2
** Changed in: apt (Ubuntu Oneiric)
Status: Confirmed => In Progress
--
** Changed in: apt (Ubuntu Oneiric)
Milestone: None => ubuntu-11.10
--
I'm a little worried by the assumption here that adding the key size
check is sufficient. It's certainly an improvement, but key ID
collisions are clearly possible even without this - they're just more
work. The key ID isn't *that* long, and it is still many orders of
magnitude easier to
Hello Colin, thanks for your comment on this.
I'm not sure I quite follow the comment, the code is meant to check the
following:
for every key we got from the network, check if the same keyid is also in the
master-keyring
if that is the case - abort as this clearly indicates that
After discussion with mvo on IRC I think my objection was incorrect, so
I withdraw it.
--
There is also another scenario we should test for. If we decide to add a
key to the downloaded keyring, an attacker could then add a duplicate
key id for the new key in the spoofed keyring. I'm not sure what gpg
would do in that scenario, which key would get parsed first, etc.
--
That's a very good point Marc. I get the feeling the other approach
(providing a signed version of the keyring or a signature file for it)
is actually more robust and we should go with that.
--
Well, we could do what Steve originally suggested: export each key from
the downloaded keyring one by one, validate it, and import it into a new
keyring.
--
** Also affects: apt (Ubuntu Oneiric)
Importance: Critical
Status: Confirmed
--
** Tags added: rls-mgr-o-tracking
--
I've made this bug public, so more eyes can look at it.
** Visibility changed to: Public
--
The attachment "Here is a outline of a patch for this, including a test"
of this bug report has been identified as being a patch. The
ubuntu-reviewers team has been subscribed to the bug report so that they can
review the patch. In the event that this is in fact not a patch you can
resolve this