[Nagiosplug-devel] [ nagiosplug-Bugs-3539319 ] check_apt should check whether ALL repositories are availabl

SourceForge.net noreply at sourceforge.net
Sun Jul 1 21:00:51 CEST 2012


Bugs item #3539319, was opened at 2012-07-01 12:00
Message generated for change (Tracker Item Submitted) made by calestyo
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=397597&aid=3539319&group_id=29880

Category: None
Group: None
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: Cálestyo (calestyo)
Assigned to: Nobody/Anonymous (nobody)
Summary: check_apt should check whether ALL repositories are availabl

Initial Comment:
From: http://tracker.nagios.org/view.php?id=300

Hi.

Marking this as major as it's security relevant.

Regardless of whether one uses check_apt for doing real upgrading, or only for checking (--no-upgrade), it's crucial that all configured (via sources.list and friends) repositories are "loaded" and "recent" enough.

Otherwise an attacker could just block updates (of the package lists) or do downgrade attacks.


As far as I can see the following must be checked:
a) For each repository configured in sources.list AND any other sources location (e.g. sources.list.d/*) the necessary Release files must be present in /var/lib/apt/lists/ .
I hope the presence of a Release file for a specific repository means that all related files (Packages files, etc.) have been downloaded and verified (-> signatures).
(Are there race condition issues, when an automatic package list upgrade happens while the check_apt takes place?)

If any is missing, this means that repos are missing and a blocking attack could be happening.


b) For ALL Release files, the current date must be between these values within the file:
Date: Sun, 18 Mar 2012 12:12:06 UTC
Valid-Until: Wed, 28 Mar 2012 12:12:06 UTC

If not, a downgrade attack could be in place.


If a) or b) is true, the check's result should be CRITICAL, with a warning on what has happened.

Perhaps options should be added to disable these checks, but I think it would be dangerous. Better not provide them, or at least warn loudly against their use.


Cheers,
Chris. 
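The two conditions described above (a Release file present for every configured source, and the current time inside that file's Date / Valid-Until window), as an added illustration that is not part of the bug report and not code from the Nagios plugins project. It assumes apt's convention for naming files under /var/lib/apt/lists/ (scheme stripped, "/" replaced by "_", then "_dists_<suite>_InRelease" or "_Release"), handles only the one-line sources.list format with non-flat suites, and runs entirely on constructed sample data (the Valid-Until dates are invented; the first Release window is the one quoted in the report):

```python
import os
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime


def parse_sources(text):
    """Yield (uri, suite) for each deb/deb-src line of a one-line-format sources.list.

    Comment lines and '[option=value ...]' blocks are skipped. Flat repositories
    (suite ending in '/') are not handled here; they use a different list-file name.
    """
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if not parts or parts[0] not in ("deb", "deb-src"):
            continue
        i = 1
        if parts[i].startswith("["):            # skip the bracketed options block
            while not parts[i].endswith("]"):
                i += 1
            i += 1
        yield parts[i], parts[i + 1]


def list_basename(uri, suite):
    """Prefix of the /var/lib/apt/lists/ file apt writes for this source (assumed convention)."""
    host_path = re.sub(r"^[a-z+]+://", "", uri).rstrip("/")
    return host_path.replace("/", "_") + "_dists_" + suite + "_"


def parse_release_header(text):
    """Return the top-level 'Key: value' fields of a Release/InRelease file (hash lines are indented and ignored)."""
    fields = {}
    for line in text.splitlines():
        if line[:1].isspace() or ":" not in line:
            continue
        key, value = line.split(":", 1)
        fields[key.strip()] = value.strip()
    return fields


def _parse_ts(value):
    dt = parsedate_to_datetime(value)       # accepts 'Sun, 18 Mar 2012 12:12:06 UTC'
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def release_problem(text, now):
    """None if 'now' lies inside the Date..Valid-Until window, else a description of the problem."""
    fields = parse_release_header(text)
    if "Date" not in fields:
        return "no Date field"
    if "Valid-Until" not in fields:
        return "no Valid-Until field (a stale snapshot could not be detected)"
    if now < _parse_ts(fields["Date"]):
        return "Date %s is in the future (clock skew or forged file)" % fields["Date"]
    if now > _parse_ts(fields["Valid-Until"]):
        return "expired: Valid-Until %s has passed" % fields["Valid-Until"]
    return None


def check_repositories(sources_text, lists, now):
    """lists maps list-file basename -> content. Returns (state, problems), CRITICAL on any finding."""
    problems = []
    for uri, suite in parse_sources(sources_text):
        base = list_basename(uri, suite)
        content = lists.get(base + "InRelease", lists.get(base + "Release"))
        if content is None:
            problems.append("missing Release file for %s %s (repository not loaded)" % (uri, suite))
            continue
        problem = release_problem(content, now)
        if problem:
            problems.append("%s %s: %s" % (uri, suite, problem))
    return ("CRITICAL", problems) if problems else ("OK", [])


def load_lists(directory="/var/lib/apt/lists"):
    """Read the real list directory into the dict shape check_repositories expects."""
    return {name: open(os.path.join(directory, name), errors="replace").read()
            for name in os.listdir(directory) if name.endswith("Release")}


# Constructed sample data: three configured sources, one fresh, one expired, one never fetched.
SAMPLE_SOURCES = """
deb http://deb.debian.org/debian stable main
deb [arch=amd64] http://security.debian.org/debian-security stable-security main
deb http://mirror.example.org/extra stable main
"""
SAMPLE_LISTS = {
    "deb.debian.org_debian_dists_stable_InRelease":
        "Origin: Debian\nSuite: stable\nDate: Sun, 18 Mar 2012 12:12:06 UTC\n"
        "Valid-Until: Wed, 28 Mar 2012 12:12:06 UTC\nSHA256:\n 0000 1234 main/binary-amd64/Packages\n",
    "security.debian.org_debian-security_dists_stable-security_InRelease":
        "Origin: Debian\nDate: Thu, 01 Mar 2012 10:00:00 UTC\nValid-Until: Sat, 10 Mar 2012 10:00:00 UTC\n",
}
SAMPLE_NOW = datetime(2012, 3, 25, 12, 0, tzinfo=timezone.utc)


def sample_check():
    return check_repositories(SAMPLE_SOURCES, SAMPLE_LISTS, SAMPLE_NOW)


if __name__ == "__main__":
    state, problems = sample_check()
    print(state, *problems, sep="\n  ")
```

Against the sample data the result is CRITICAL with two findings: the security suite's Release file has passed its Valid-Until, and no Release file exists at all for the mirror source. On a real host you would pass `load_lists()` and `datetime.now(timezone.utc)` instead of the constructed values; note that apt stores an in-progress download under lists/partial/, so a check that runs while an automatic update is in flight may briefly see a missing file, which is the race condition the report asks about.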

----------------------------------------------------------------------
