Your message dated Mon, 21 Mar 2011 14:54:28 +0000
with message-id <e1q1gv2-0004ix...@franck.debian.org>
and subject line Bug#442180: fixed in win32-loader 0.7.0
has caused the Debian Bug report #442180,
regarding make the network mode work securely
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
442180: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=442180
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Package: win32-loader
Version: 0.6.0~pre3
Severity: critical
Tags: security
Justification: root security hole
The default boot option used by this package contains the following:
preseed/url=http://goodbye-microsoft.com/runtime/preseed.cfg
As seen when inspecting the document available at this URL this boot
option is used to run a given command by the time of the installation
of Debian GNU/Linux. The command to be run (as root) is retrieved from
the document available at the given URL.
If an attacker is able to hijack or otherwise influence the DNS server
used when Debian GNU/Linux is installed using win32-loader, she may be
able to run any command that is available on the system to be installed
as root by redirecting requests to a different web server which provides
a given arbitrary command at the same URL.
On a side note, a default setting making users take part in a statistic
analysis and gathering users' requests in a single location can be
considered a privacy risk or issue. (This is the same for suggesting to
install Firefox with the Google toolbar but that's a completely different
story.)
I'm looking forward to seeing this software mature (even further).
Moritz
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
-----END PGP SIGNATURE-----
--- End Message ---
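The risk described in the report above (a preseed.cfg fetched over plain HTTP, so whoever controls DNS or the web server controls the root-level late command) and the mitigation adopted in the fix (embedding the expected checksum of preseed.cfg in the boot parameters), modelled as an added shell example that is not code from win32-loader or debian-installer. It assumes d-i's preseed/checksum boot parameter and md5sum as the digest; the preseed files and command lines are constructed here.

```shell
# Added example (not win32-loader or d-i code): a fetched preseed.cfg is
# trusted only if its digest matches a value embedded in the boot command line.
# Assumption: md5sum, the digest d-i documents for preseed/checksum.

# Print the value of a key=value boot parameter; fail if the key is absent.
bootparam() {  # $1 = key, $2 = kernel command line
    for kv in $2; do
        case "$kv" in
            "$1="*) printf '%s\n' "${kv#*=}"; return 0 ;;
        esac
    done
    return 1
}

# Accept the fetched preseed file only when the command line carries a
# checksum and the file's md5sum matches it. Returns 0 = accept, 1 = reject.
# A missing checksum is treated as untrusted: without it, a DNS hijack would
# be enough to substitute the file, which is exactly the reported problem.
check_preseed() {  # $1 = kernel command line, $2 = path of fetched preseed.cfg
    expected=$(bootparam preseed/checksum "$1") || return 1
    actual=$(md5sum "$2" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# Constructed sample: the preseed file the loader expects, and a tampered copy
# such as a spoofed web server could serve at the same URL.
tmp=$(mktemp -d)
printf 'd-i preseed/late_command string apt-install openssh-server\n' > "$tmp/good.cfg"
printf 'd-i preseed/late_command string echo tampered\n' > "$tmp/bad.cfg"
good_sum=$(md5sum "$tmp/good.cfg" | cut -d' ' -f1)

CMDLINE="auto=true preseed/url=http://example.invalid/preseed.cfg preseed/checksum=$good_sum"
INSECURE="auto=true preseed/url=http://example.invalid/preseed.cfg"

check_preseed "$CMDLINE" "$tmp/good.cfg"  && echo "good.cfg: accepted"
check_preseed "$CMDLINE" "$tmp/bad.cfg"   || echo "bad.cfg: rejected (checksum mismatch)"
check_preseed "$INSECURE" "$tmp/good.cfg" || echo "good.cfg without embedded checksum: rejected"
rm -rf "$tmp"
```

Note that the checksum only helps if it reaches the installer over a path the attacker does not control, which is why it is embedded in the loader rather than fetched from the same web server.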
--- Begin Message ---
Source: win32-loader
Source-Version: 0.7.0
We believe that the bug you reported is fixed in the latest version of
win32-loader, which is due to be installed in the Debian FTP archive:
win32-loader_0.7.0.dsc
to main/w/win32-loader/win32-loader_0.7.0.dsc
win32-loader_0.7.0.tar.gz
to main/w/win32-loader/win32-loader_0.7.0.tar.gz
win32-loader_0.7.0_all.deb
to main/w/win32-loader/win32-loader_0.7.0_all.deb
win32-loader_0.7.0_all.exe byhand
win32-loader_0.7.0_all.txt byhand
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 442...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Didier Raboud <o...@debian.org> (supplier of updated win32-loader package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Mon, 21 Mar 2011 13:40:11 +0100
Source: win32-loader
Binary: win32-loader
Architecture: source all
Version: 0.7.0
Distribution: unstable
Urgency: low
Maintainer: Debian Install System Team <debian-boot@lists.debian.org>
Changed-By: Didier Raboud <o...@debian.org>
Description:
win32-loader - Debian-Installer loader for win32
Closes: 442180 617397 617702 618663
Changes:
win32-loader (0.7.0) unstable; urgency=low
.
The « Petite Arvine » release.
.
* Standalone flavour:
- Fork gcrypt's win32 sha1sum implementation into a NSIS plugin.
- Implement the last "Trusted download" bits:
1) Check Release{,.gpg} against debian-archive-keyring.gpg.
2) Check installer MD5SUMS against its sha1sum in Release, thanks to
FTP Masters for the archive-side changes.
3) Check kernel and initrd against their md5sum in MD5SUMS.
- Print downloaded URLs to details buffer.
.
* Network flavour:
- Don't download g2ldr{,.mbr} from the net: too tiny to be worth it.
- Make the network mode work securely by allowing preseed.cfg checksum
embedding (Closes: #442180).
.
* Updated translations:
- Galician (Miguel Anxo Bouzada, Closes: #617397)
- Belarusian (Viktar Siarheichyk, Closes: #617702)
- Swedish (Martin Bagge, Closes: #618663)
.
* Bug-fixing:
- Don't create a useless boot.ini at uninstall time if it doesn't exist.
Checksums-Sha1:
Checksums-Sha256:
Files:
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
-----END PGP SIGNATURE-----
--- End Message ---