[Bug 1013681] Re: make apt-key net-update secure

Colin Watson cjwatson at canonical.com
Wed Sep 12 15:37:18 UTC 2012


I'm fine with the signed-keyring-file approach too, although I haven't
confirmed that there are no attacks possible on the code used to verify
*that* signature.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to apt in Ubuntu.
https://bugs.launchpad.net/bugs/1013681

Title:
  make apt-key net-update secure

Status in “apt” package in Ubuntu:
  Triaged
Status in “apt” source package in Quantal:
  Triaged

Bug description:
  Attacks are being performed against the 'apt-key net-update' command
  and it is not considered secure. While it is in the process of being
  disabled in Ubuntu, it should be improved to be secure.

  References:
  https://bugs.launchpad.net/ubuntu/+source/apt/+bug/857472
  https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1013128
  https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1013639
  http://seclists.org/fulldisclosure/2011/Sep/222
  http://seclists.org/fulldisclosure/2012/Jun/267
  http://seclists.org/fulldisclosure/2012/Jun/271
  http://seclists.org/fulldisclosure/2012/Jun/289

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1013681/+subscriptions




More information about the foundations-bugs mailing list