Package: apt
Version: 1.0.9.6
Severity: important
Tags: security

Hi David (et al.).

Just at the same time we're having a similar discussion about this with the security team, I got hit by it again in another manner.

As we now all know, apt unfortunately doesn't tell people (adequately) when updating the package lists has failed, e.g.:

    # apt-get update
    Hit http://debian.mirror.lrz.de stable Release.gpg
    Err http://security.debian.o stable/updates Release.gpg
      Could not resolve 'security.debian.o'
    Err http://security.debin.o stable/updates Release.gpg
      Could not resolve 'security.debin.o'
    Hit http://debian.mirror.lrz.de stable-updates Release.gpg
    Err http://debian.mirror.lrz.d oldstable Release.gpg
      Could not resolve 'debian.mirror.lrz.d'
    Err http://debian.mirror.lrz.d stable Release.gpg
      Could not resolve 'debian.mirror.lrz.d'
    Err http://debian.mirror.lrz.d stable-updates Release.gpg
      Could not resolve 'debian.mirror.lrz.d'
    Hit http://debian.mirror.lrz.de stable Release
    Hit http://debian.mirror.lrz.de stable-updates Release
    Hit http://debian.mirror.lrz.de stable/main Sources
    Hit http://debian.mirror.lrz.de stable/contrib Sources
    Hit http://debian.mirror.lrz.de stable/non-free Sources
    Hit http://debian.mirror.lrz.de stable-updates/main Sources
    Hit http://debian.mirror.lrz.de stable-updates/contrib Sources
    Hit http://debian.mirror.lrz.de stable-updates/non-free Sources
    Reading package lists... Done
    W: Failed to fetch http://debian.mirror.lrz.d/debian/dists/oldstable/Release.gpg  Could not resolve 'debian.mirror.lrz.d'
    W: Failed to fetch http://debian.mirror.lrz.d/debian/dists/stable/Release.gpg  Could not resolve 'debian.mirror.lrz.d'
    W: Failed to fetch http://debian.mirror.lrz.d/debian/dists/stable-updates/Release.gpg  Could not resolve 'debian.mirror.lrz.d'
    W: Failed to fetch http://security.debian.o/debian-security/dists/stable/updates/Release.gpg  Could not resolve 'security.debian.o'
    W: Failed to fetch http://security.debin.o/debian-security/dists/stable/updates/Release.gpg  Could not resolve 'security.debin.o'
    W: Some index files failed to download. They have been ignored, or old ones used instead.
    # echo $?
    0

1) I've already expressed my concerns before that a warning and exit=0 isn't enough here. People may depend on the package lists being up to date, for example for unattended upgrades or for checking for upgradable packages via Nagios (check_apt) and friends.

An attacker can of course rather easily just block these downloads, thus if this doesn't get properly noted, he can easily prevent any further upgrades from being installed (with automated unattended upgrades), respectively prevent people from even noticing that upgrades are available.

So the first issue here is that apt is too silent about this.

2) The second problem is IMHO specifically in /etc/cron.daily/apt and would even persist when (1) is solved.

That script is in principle really nice as it gives one quite powerful means to automatically handle some things (updating package lists, etc.). But a big problem is that it basically fails silently in all cases of problems. VERBOSE mode is of course not really a solution as this would *always* give warnings via cron.

So the second issue is that /etc/cron.daily/apt never tells people when anything didn't work (e.g. updates, upgrades, or whatever). So one never has a chance to notice this, and never a chance to fix it.

In some cases of what it's intended to do (i.e. package list updates or upgrades) this may very easily have security implications (e.g. in combination with blocking attacks).

Best wishes,
Chris.

_______________________________________________
Secure-testing-team mailing list
[email protected]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-team
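As an added illustration of the two points above (not part of the report, and not apt's own code), a hypothetical strict wrapper for a cron job: it treats "Err"/"W: Failed to fetch" lines in the apt-get output as a failure even though apt-get itself exits 0, and it independently checks that the index files in the lists directory (assumed to be /var/lib/apt/lists, with names ending in "Release") have actually been refreshed recently.

```shell
# Hypothetical strict wrapper around "apt-get update" (not apt's own code).
# apt 1.0.x exits 0 even when index downloads fail, so the failure has to be
# detected from its output or from the age of the downloaded index files.

# Read "apt-get update" output on stdin; return 1 if any fetch failed.
apt_update_check_output() {
    # grep exits 1 when nothing matches, which is the good case here
    failures=$(grep -E '^(Err |W: Failed to fetch )' || true)
    if [ -n "$failures" ]; then
        printf 'apt-get update: failed fetches detected:\n%s\n' "$failures" >&2
        return 1
    fi
    return 0
}

# Run apt-get update, pass its output through, and fail on a non-zero exit OR
# on failed fetches. From cron, the non-zero exit surfaces as mail.
apt_update_strict() {
    rc=0
    out=$(apt-get update 2>&1) || rc=$?
    printf '%s\n' "$out"
    [ "$rc" -eq 0 ] || return "$rc"
    printf '%s\n' "$out" | apt_update_check_output
}

# Independent freshness check: succeed only if at least one *Release index in
# the lists directory (assumed /var/lib/apt/lists) was refreshed within the
# last MAX_MINUTES (default 25h, i.e. the daily cron job must have succeeded).
apt_lists_fresh() {
    dir=${1:-/var/lib/apt/lists}
    max_minutes=${2:-1500}
    [ -n "$(find "$dir" -maxdepth 1 -name '*Release' -mmin "-$max_minutes" 2>/dev/null | head -n 1)" ]
}

# Constructed sample, abridged from the output quoted in the bug report.
SAMPLE_OUTPUT="Hit http://debian.mirror.lrz.de stable Release.gpg
Err http://security.debian.o stable/updates Release.gpg
Hit http://debian.mirror.lrz.de stable Release
Reading package lists...
Done
W: Failed to fetch http://security.debian.o/debian-security/dists/stable/updates/Release.gpg  Could not resolve security.debian.o
W: Some index files failed to download. They have been ignored, or old ones used instead."

if printf '%s\n' "$SAMPLE_OUTPUT" | apt_update_check_output 2>/dev/null; then
    echo "sample: all indexes fetched"
else
    echo "sample: update incomplete (apt-get's own exit status would have been 0)"
fi
```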

