Subject:Re: apt-get may accept inconsistent data
Group:Debian-security
From:Goswin von Brederlow
Date:8 May 2008


 
"Cameron Dale" <camrdale> writes:

> On 5/7/08, Goswin von Brederlow <goswin-v-b> wrote:
>> "Cameron Dale" <camrdale> writes:
>> > 3) getting an HTTP 304 response may be faster than hashing a 20 MB
>> > file, especially considering that a request may need to be sent after
>> > finding an out of date hash
>>
>> It may be faster but not authoritative. Also on 99.9% of all systems the
>> time to checksum 20MB is negligible. And on others it is probably
>> insignificant compared to a following apt-get upgrade call.
>
> It should be authoritative, the only reason it's not would be a broken
> proxy, which isn't really apt's or the mirror's fault.

Or the timestamp on the mirror is wrong, on any mirror along the
mirror path. Or there is a man in the middle attack going on.

Security-wise, HTTP cannot be trusted.

MfG
Goswin
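The point argued in this message, as an added example that is not part of the thread and not apt's own code: a cached index file is accepted only if its size and SHA-256 match the entry in the Release file (the file apt's signature check covers); a 304 Not Modified, a Last-Modified timestamp or any other HTTP hint is ignored for that decision. The Release fragment, the index contents and the function names (`make_release`, `parse_release`, `index_matches_release`, `needs_refetch`, `hash_time_seconds`) are constructed for this example; real apt uses the same `SHA256:` line layout but the values here are made up.

```python
"""Verify a cached apt index against the digest in the Release file rather
than trusting HTTP timestamps or a 304 response. Constructed example."""
import hashlib
import hmac
import time

# --- Constructed sample data (not from any real mirror) ---------------------
GOOD_PACKAGES = b"Package: example\nVersion: 1.0-1\nArchitecture: amd64\n" * 64

# A stale cached copy: same length as the genuine index but different content,
# so a size check alone passes and a timestamp-based conditional GET could
# legitimately answer 304 if the mirror clock or a proxy is wrong.
STALE_PACKAGES = GOOD_PACKAGES.replace(b"1.0-1", b"0.9-1")


def make_release(entries):
    """Build a minimal Release file (SHA256: section only) from {path: bytes}.

    Stands in for the Release file a mirror serves; in real apt the signature
    on it (InRelease / Release.gpg) is the root of trust, not the transport.
    """
    lines = ["Origin: constructed-example", "Suite: example", "SHA256:"]
    for path, data in entries.items():
        lines.append(f" {hashlib.sha256(data).hexdigest()} {len(data)} {path}")
    return "\n".join(lines) + "\n"


def parse_release(text):
    """Return {path: (sha256_hex, size)} from the SHA256: block of a Release file.

    Header fields start at column 0; digest entries are the space-indented
    continuation lines that follow the "SHA256:" field.
    """
    digests = {}
    in_block = False
    for line in text.splitlines():
        if not line.startswith(" "):
            in_block = line.strip() == "SHA256:"
            continue
        if in_block:
            digest, size, path = line.split()
            digests[path] = (digest, int(size))
    return digests


def index_matches_release(data, path, release):
    """True only if the local bytes match the size and SHA-256 listed for path.

    Size is checked first because it is cheap; the digest comparison is what
    actually decides, and it is constant-time to avoid leaking the prefix.
    """
    if path not in release:
        return False
    expected_digest, expected_size = release[path]
    if len(data) != expected_size:
        return False
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected_digest)


def needs_refetch(cached_data, path, release, http_status):
    """Decide whether a cached index must be downloaded again.

    The status of a conditional GET (200 or 304) is only a hint: a wrong clock
    on any mirror in the path, a broken proxy or an attacker on the network can
    all yield a 304 for bytes that no longer match the Release file. The digest
    check is therefore authoritative regardless of what HTTP said.
    Returns (refetch, reason).
    """
    if index_matches_release(cached_data, path, release):
        return False, "digest matches Release file"
    if http_status == 304:
        return True, "server said 304 Not Modified but digest mismatch: refetch"
    return True, "digest mismatch: refetch"


def hash_time_seconds(size_mb=20):
    """Time SHA-256 over size_mb of zero bytes, to put the 'hashing a 20 MB
    file' cost discussed in the thread into a number for the local machine."""
    block = b"\0" * (1024 * 1024)
    h = hashlib.sha256()
    start = time.perf_counter()
    for _ in range(size_mb):
        h.update(block)
    h.hexdigest()
    return time.perf_counter() - start


if __name__ == "__main__":
    path = "main/binary-amd64/Packages"
    release = parse_release(make_release({path: GOOD_PACKAGES}))
    for label, data in (("fresh copy", GOOD_PACKAGES), ("stale copy", STALE_PACKAGES)):
        refetch, why = needs_refetch(data, path, release, http_status=304)
        print(f"{label}: refetch={refetch} ({why})")
    print(f"SHA-256 over 20 MB: {hash_time_seconds(20):.3f} s")
```

Running it shows the stale copy being refetched even though the simulated server answered 304, and prints how long a 20 MB hash takes locally, which is the figure the "negligible" claim above rests on.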

