On Mon, Jun 16, 2014 at 12:04:51PM +0200, Thorsten Glaser wrote:
> On Thu, 12 Jun 2014, David Kalnischkies wrote:
> > For your attack to be (always) successful, you need a full-sources
> > mirror on which you modify all tarballs, so that you can build a valid
> > Sources file. You can't just build
On Thu, 12 Jun 2014, David Kalnischkies wrote:
> For your attack to be (always) successful, you need a full-sources
> mirror on which you modify all tarballs, so that you can build a valid
> Sources file. You can't just build your attack tarball on demand as the
Erm, no? You can just cache a work
On Thu, Jun 12, 2014 at 01:06:28AM +0200, Christoph Anton Mitterer wrote:
> In my opinion this is really some horrible bug... probably it could have
> been very easily found by others, and we have no idea whether it was
> exploited already or not.
Probably yes. Someone in the last ~11 years could
On Thu, 12 Jun 2014, Christoph Anton Mitterer wrote:
> Anyone who believed in getting trusted sources might have been attacked
> with forged packages, and even the plain build of such package might
> have undermined users' security integrity.
Then I believe Debian itself may be undermined.
> The
Christoph Anton Mitterer wrote:
> reopen 749795
> I'm reopening this for now, even if the issue is solved from a technical
> point of view (see below why).
AFAICS, #749795 talked about bringing this to the security team's
attention, but they never seem to have been CCed.
So the security team may n
reopen 749795
stop
Hi.
I'm reopening this for now, even if the issue is solved from a technical
point of view (see below why).
In my opinion this is really some horrible bug... probably it could have
been very easily found by others, and we have no idea whether it was
exploited already or not.
6 matches