[Bug 1462787] [NEW] Feature request: support for pulling packages from -security and -updates

michagogo 1462787 at bugs.launchpad.net
Sat Jun 20 18:22:45 UTC 2015 

The attack scenario is as follows:
1. A user creates a new Ubuntu installation with debootstrap.
2. The user assumes that, because they're fetching all the packages online
from the server, they're getting the latest versions and don't need to
upgrade immediately.
3. The user is attacked via literally any of the security vulnerabilities
patched in the past up to 3.something years (e.g. Heartbleed).

On Friday, June 19, 2015, Marc Deslauriers <marc.deslauriers at canonical.com>
wrote:

> Thanks for taking the time to report this bug and helping to make Ubuntu
> better. We appreciate the difficulties you are facing, but this appears
> to be a "regular" (non-security) bug.  I have unmarked it as a security
> issue since this bug does not show evidence of allowing attackers to
> cross privilege boundaries nor directly cause loss of data/privacy.
> Please feel free to report any other bugs you may find.
>
> ** Information type changed from Public Security to Public
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1462787
>
> Title:
>   Feature request: support for pulling packages from -security and
>   -updates
>
> Status in debootstrap package in Ubuntu:
>   New
>
> Bug description:
>   It doesn't really make sense that when using debootstrap to create an
>   Ubuntu <chroot|container|directory|installation|whatever>, old
>   versions of packages will be installed, rather than the latest
>   versions from the archives. The first thing that you'd need to do
>   would be to immediately go and upgrade everything, which is just
>   unnecessary duplication of downloading and installing. An Ubuntu
>   installation (for example, Precise) created by the current version
>   will be extremely insecure.
>
> To manage notifications about this bug go to:
>
> https://bugs.launchpad.net/ubuntu/+source/debootstrap/+bug/1462787/+subscriptions
>

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to debootstrap in Ubuntu.
https://bugs.launchpad.net/bugs/1462787

Title:
  Feature request: support for pulling packages from -security and
  -updates

Status in debootstrap package in Ubuntu:
  New

Bug description:
  It doesn't really make sense that when using debootstrap to create an
  Ubuntu <chroot|container|directory|installation|whatever>, old
  versions of packages will be installed, rather than the latest
  versions from the archives. The first thing that you'd need to do
  would be to immediately go and upgrade everything, which is just
  unnecessary duplication of downloading and installing. An Ubuntu
  installation (for example, Precise) created by the current version
  will be extremely insecure.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/debootstrap/+bug/1462787/+subscriptions

More information about the foundations-bugs mailing list