Control: severity -1 critical

Raising the severity of this, considering I am almost completely done with building the patch for it, I'd really like to see this get into Jessie, and considering that it allows complete compromise of a live image and any installations from it, unless the user actually knows to deploy a workaround (which is not discussed at all in the documentation, so it is perfectly easy for a user to just assume it is secure to use with remote archives). Also contacting the security team to inquire about a CVE being issued, for formality's sake.
Worth noting for the record, since this isn't documented anywhere:

- The only workaround to avoid compromise would be to create and use a local archive instead of a remote one, separately taking steps to ensure the integrity of the local archive before use.
- Even if you do this, if you opt to use the daily edition of the installer image, this is downloaded directly from a Debian server, exposing you to compromise.
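The workaround above leaves "ensure integrity of the local archive" as an exercise for the reader. The following is an added example, not code from the report or from live-build, of the two checks a Debian archive mirror supports for that: verifying the detached signature on the `Release` file with `gpgv` against a keyring obtained out of band, and then checking that each index file matches the SHA256 entry the signed `Release` lists for it. The keyring path and file layout are assumptions; the `Release` line format (hash, size, relative path under a `SHA256:` header) is the real archive format.

```shell
#!/bin/sh
# Added example: integrity checks for a locally mirrored Debian archive before
# handing it to live-build. Not part of the bug report or of live-build itself.

# Step 1: verify the detached signature on Release. The keyring must come from a
# trusted channel (e.g. the debian-archive-keyring package on an already trusted
# system), never from the mirror being verified.
verify_release_signature() {
    # $1 = Release.gpg (detached signature), $2 = Release, $3 = trusted keyring
    gpgv --keyring "$3" "$1" "$2"
}

# Print the SHA256 hash that Release lists for a relative path, or nothing.
# Lines under the "SHA256:" header look like " <hash> <size> <path>"; any
# non-indented line ends the section.
release_sha256_for() {
    # $1 = Release, $2 = relative path (e.g. main/binary-amd64/Packages)
    awk -v path="$2" '
        /^SHA256:/      { insec = 1; next }
        /^[A-Za-z]/     { insec = 0 }
        insec && $3 == path { print $1; exit }
    ' "$1"
}

# Step 2: compare a mirrored index file against the hash in the (already
# signature-verified) Release. Returns 0 on match, 1 on mismatch or if the
# path is not listed at all (an unlisted file is treated as untrusted).
check_index_hash() {
    # $1 = Release, $2 = relative path, $3 = local file to check
    expected=$(release_sha256_for "$1" "$2")
    if [ -z "$expected" ]; then
        echo "no SHA256 entry for $2 in $1" >&2
        return 1
    fi
    actual=$(sha256sum "$3" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        echo "hash mismatch for $2: expected $expected got $actual" >&2
        return 1
    fi
    return 0
}

# Usage (assumed mirror layout under $MIRROR/dists/jessie):
#   verify_release_signature "$D/Release.gpg" "$D/Release" /usr/share/keyrings/debian-archive-keyring.gpg \
#     && check_index_hash "$D/Release" main/binary-amd64/Packages "$D/main/binary-amd64/Packages"
```

Run both steps in order: a matching hash means nothing unless the `Release` file it came from has itself been authenticated, and a `Release` signature means nothing for an index file whose hash you never compared. The same pair of checks is what apt performs for a remote archive; a local mirror only helps if you repeat them yourself.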