[Bug 247445] Re: Package managers vulnerable to replay and endless data attacks

[Bug Watch Updater]

** Changed in: debian
       Status: New => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to synaptic in Ubuntu.
https://bugs.launchpad.net/bugs/247445

Title:
  Package managers vulnerable to replay and endless data attacks

Status in “apt” package in Ubuntu:
  Fix Released
Status in “aptitude” package in Ubuntu:
  Fix Released
Status in “synaptic” package in Ubuntu:
  Fix Released
Status in Debian GNU/Linux:
  Fix Released

Bug description:
  Binary package hint: apt

  apt and possibly other Ubuntu package managers capable of downloading
  packages are vulnerable to two kinds of attacks.

  1. Replay attack, where an attacker, by operating a malicious mirror or by spoofing the address of a valid mirror, serves correctly signed but outdated packages lists. As new vulnerabilities are discovered and patched, the users who are using the malicious mirror won't be receiving any updates and will continue running vulnerable software.
  See http://www.cs.arizona.edu/people/justin/packagemanagersecurity/attacks-on-package-managers.html

  2. Endless data attack, where an attacker serves very long files to a package manager that uses his malicious mirror. That might prevent the package manager from ever completing, leading to the same problem as described above. It might also consume all disk space preventing logging, mail delivery and other system services from running properly.
  See http://www.cs.arizona.edu/people/justin/packagemanagersecurity/otherattacks.html#endlessdata

  There is also an entry on Ubuntu and Debian in the FAQ at
  http://www.cs.arizona.edu/people/justin/packagemanagersecurity/faq.html

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/247445/+subscriptions