[ubuntu-hardened] Ubuntu security repository and replay attacks on package managers

Alexander Konovalenko alexkon at gmail.com
Sat Aug 23 03:41:20 BST 2008

At <http://www.outflux.net/blog/archives/2008/08/20/ubuntu-security-repository-structure/>
Kees Cook wrote:
> In this way, mirrors cannot (accidentally or intentionally)
> "go rogue" — the latest security updates are always visible
> on the security archive server.

Provided that the DNS and routing are working as expected.

But what if they're not? What if the IP address of security.ubuntu.com
or the routing table has been altered via DNS, ARP or DHCP spoofing,
and the false mirror and security.ubuntu.com are serving outdated
package lists? Will the package manager notice that and complain to
the user?
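
One check a client could make to notice the replay described in the message above, as an added example that is not part of the original post and is not APT's own code. It assumes the Release file's signature has already been verified and reads the `Date` and `Valid-Until` fields of the Release format; the function names, the 7-day `max_age` policy and the sample data are illustrative assumptions.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime


def parse_release(text):
    """Return the top-level 'Field: value' pairs of a Release file."""
    fields = {}
    for line in text.splitlines():
        # Continuation lines (checksum lists) start with a space; skip them.
        if line and not line[0].isspace() and ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields


def _utc(value):
    """Parse an RFC 2822 date; treat a missing zone as UTC."""
    dt = parsedate_to_datetime(value)
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def check_freshness(release_text, now, last_seen=None, max_age=timedelta(days=7)):
    """Classify a signature-verified Release file as ok, rollback or stale."""
    fields = parse_release(release_text)
    if "Date" not in fields:
        return "reject: no Date field"
    issued = _utc(fields["Date"])
    # A validly signed but older list than one already accepted is a replay.
    if last_seen is not None and issued < last_seen:
        return "reject: older than the last Release accepted (rollback)"
    if "Valid-Until" in fields:
        if now > _utc(fields["Valid-Until"]):
            return "reject: past Valid-Until (stale)"
    elif now - issued > max_age:  # assumed local policy, not an archive value
        return "reject: exceeds local max age (stale)"
    return "ok"


# Constructed sample: header of a Release file, not real archive data.
SAMPLE = """Origin: Ubuntu
Suite: hardy-security
Date: Fri, 15 Aug 2008 10:00:00 UTC
MD5Sum:
 0123456789abcdef0123456789abcdef 1234 main/binary-i386/Packages
"""
```

The rollback check only helps a client that has already seen a newer list; the `Valid-Until` and maximum-age checks are what cover a client that is served the same old list from its first contact.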
