Package: src:xdeb
Version: 0.6.6
Severity: grave
Tags: security

According to xdeb's documentation it uses apt to download source
packages and defaults to using the system's sources.list, that is
usually remote repositories.

However xdeb disables apt's signature checking:

+---
|     apt_pkg.config.set('APT::Get::AllowUnauthenticated', str(True))
+---[ http://sources.debian.net/src/xdeb/0.6.6/aptutils.py/?hl=159#L159 ]

I assume (but did not verify) that this means xdeb will not complain
about a compromised remote repository and build potentially malicious
packages.

Ansgar
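Added example (my code, not part of the bug report and not from xdeb): a
small audit script that walks Python source with the standard-library ast
module and flags apt_pkg.config.set(...) calls that turn
APT::Get::AllowUnauthenticated on, including the str(True) idiom quoted
above (apt's boolean parser accepts "True" case-insensitively, so that
string really does disable verification). The hardened variant keeps the
key at apt's default of false. The set of true-strings mirrors apt's
StringToBool(); the inclusion of Acquire::AllowInsecureRepositories as a
second risky key is my addition and is not mentioned in the report.

```python
"""Audit Python sources for apt_pkg settings that disable APT's
signature verification. Hypothetical helper, not xdeb's own code."""
import ast

# Strings apt's StringToBool() treats as true (case-insensitive).
APT_TRUE = {"1", "yes", "true", "with", "on", "enable"}

# Config keys that, when enabled, let apt accept unsigned data.
# (Second key is an addition of this example, not from the report.)
RISKY_KEYS = {
    "apt::get::allowunauthenticated",
    "acquire::allowinsecurerepositories",
}


def _const_value(node):
    """Static value of a call argument, or None if not determinable.
    Handles plain literals and the str(True) form quoted in the report."""
    if isinstance(node, ast.Constant):
        return node.value
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
            and node.func.id == "str" and len(node.args) == 1):
        inner = _const_value(node.args[0])
        return None if inner is None else str(inner)
    return None


def _is_apt_true(value):
    """Would apt read this value as boolean true?"""
    if isinstance(value, bool):
        return value
    return isinstance(value, str) and value.strip().lower() in APT_TRUE


def find_unauthenticated_apt(source):
    """Return (lineno, key, value) for every apt_pkg.config.set(...)
    call that switches one of RISKY_KEYS to true."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call) or len(node.args) != 2:
            continue
        f = node.func
        # Match exactly apt_pkg.config.set(key, value).
        if not (isinstance(f, ast.Attribute) and f.attr == "set"
                and isinstance(f.value, ast.Attribute)
                and f.value.attr == "config"
                and isinstance(f.value.value, ast.Name)
                and f.value.value.id == "apt_pkg"):
            continue
        key = _const_value(node.args[0])
        val = _const_value(node.args[1])
        if (isinstance(key, str) and key.lower() in RISKY_KEYS
                and _is_apt_true(val)):
            findings.append((node.lineno, key, val))
    return findings


# Constructed samples: the pattern from the report, and a hardened form.
VULNERABLE = """
import apt_pkg
apt_pkg.init()
apt_pkg.config.set('APT::Get::AllowUnauthenticated', str(True))
"""

HARDENED = """
import apt_pkg
apt_pkg.init()
# Keep apt's default: refuse sources whose Release signature fails.
apt_pkg.config.set('APT::Get::AllowUnauthenticated', 'false')
"""

if __name__ == "__main__":
    for name, src in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(name, find_unauthenticated_apt(src))
```

Running the script reports the offending line in the vulnerable sample
and nothing for the hardened one; pointing find_unauthenticated_apt() at
the contents of aptutils.py would flag line 159 the same way.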

_______________________________________________
Secure-testing-team mailing list
[email protected]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-team
