[Nagiosplug-devel] [ nagiosplug-Bugs-3539319 ] check_apt should check whether ALL repositories are availabl

SourceForge.net noreply at sourceforge.net
Sun Jul 1 21:02:19 CEST 2012


Bugs item #3539319, was opened at 2012-07-01 12:00
Message generated for change (Comment added) made by calestyo
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=397597&aid=3539319&group_id=29880

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
>Category: General plugin execution
Group: None
Status: Open
Resolution: None
>Priority: 9
Private: No
Submitted By: Cálestyo (calestyo)
Assigned to: Nobody/Anonymous (nobody)
Summary: check_apt should check whether ALL repositories are availabl

Initial Comment:
From: http://tracker.nagios.org/view.php?id=300

Hi.

Marking this as major as it's security relevant.

Regardless of whether one uses check_apt for doing real upgrading, or only for checking (--no-upgrade), it's crucial that all configured (via sources.list and friends) repositories are "loaded" and "recent" enough.

Otherwise an attacker could just block updates (of the package lists) or do downgrade attacks.


As far as I can see the following must be checked:
a) For each repository configured in sources.list AND any other sources location (e.g. sources.list.d/*) the necessary Release files must be present in /var/lib/apt/lists/.
I hope the presence of a Release file of a specific repository means that all related files (Packages files, etc.) have been downloaded and verified (-> signatures).
(Are there race condition issues, when an automatic package list upgrade happens while the check_apt takes place?)

If any is missing, this means that repos are missing and a blocking attack could be happening.


b) For ALL Release files, the current date must be between these values within the file:
Date: Sun, 18 Mar 2012 12:12:06 UTC
Valid-Until: Wed, 28 Mar 2012 12:12:06 UTC

If not, a downgrade attack could be in place.


If a) or b) is true, the check's result should be CRITICAL, with a warning on what has happened.

Perhaps options should be added to disable these checks, but I think it would be dangerous. Better not provide them or at least warn loudly against their usage.


Cheers,
Chris. 

----------------------------------------------------------------------

>Comment By: Cálestyo (calestyo)
Date: 2012-07-01 12:02

Message:
One addition:
Another option should be added that allows the user to narrow down (but NOT
to enlarge!!) the interval given by Date/Valid-Until when checking whether
the current time is in between.
The current interval seems to be quite large.



Typically (but at least for testing/unstable) the Release files/etc are
generated far more often than just once in the interval.
So you'll get new files say daily and therefore it should be possible to
narrow the interval down on the client side.

----------------------------------------------------------------------
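The two checks asked for in the report (a: every configured repository has its Release file in the lists directory; b: the current time lies within Date/Valid-Until) together with the client-side narrowing from the follow-up comment, as an added example that is not code from the ticket or from check_apt. It assumes apt's URI-to-filename mangling in a simplified form (http/https/ftp URIs only), reads the lists directory as a dict snapshot, and embeds a constructed sources.list and Release body reusing the dates quoted in the ticket.

```python
# Added example, not code from the ticket or from check_apt: a) each configured
# repo has a Release file in the lists dir, b) "now" lies within Date/Valid-Until,
# plus the follow-up's client-side narrowing of that window (shrink only).
import re
from datetime import timedelta
from email.utils import parsedate_to_datetime

OK, CRITICAL = 0, 2  # Nagios plugin exit codes

def rfc2822(s):
    """Parse the timestamps apt writes, e.g. 'Sun, 18 Mar 2012 12:12:06 UTC'."""
    return parsedate_to_datetime(s)

def release_names(line):
    """'deb URI suite ...' -> apt list-file names (http/https/ftp URIs only)."""
    parts = line.split()
    if len(parts) < 3 or parts[0] not in ("deb", "deb-src"):
        return []
    path = re.sub(r"^[a-z]+://", "", parts[1]).rstrip("/") + "/dists/" + parts[2]
    return [path.replace("/", "_") + "_" + n for n in ("InRelease", "Release")]

def check_release(text, now, max_age_days=None):
    """Status and message for one Release body ('now' must be timezone-aware)."""
    found = dict(re.findall(r"^(Date|Valid-Until):\s*(.+)$", text, re.M))
    if len(found) < 2:
        return CRITICAL, "Date or Valid-Until missing"
    date, until = rfc2822(found["Date"]), rfc2822(found["Valid-Until"])
    if max_age_days is not None:  # narrow only: never extend Valid-Until
        until = min(until, date + timedelta(days=max_age_days))
    if now < date:
        return CRITICAL, f"Release dated in the future ({date:%Y-%m-%d})"
    if now > until:
        return CRITICAL, f"Release expired at {until:%Y-%m-%d %H:%M} UTC"
    return OK, "valid"

def evaluate(sources, lists, now, max_age_days=None):
    """sources: sources.list lines; lists: one snapshot of {list-file: content}."""
    worst, msgs = OK, []
    for line in sources:
        names = release_names(line)
        present = [n for n in names if n in lists]
        if names and not present:  # a) repository never loaded: possible blocking
            worst, msgs = CRITICAL, msgs + [f"{names[1]} missing"]
        elif present:              # b) InRelease wins when both files exist
            st, msg = check_release(lists[present[0]], now, max_age_days)
            worst, msgs = max(worst, st), msgs + [f"{present[0]}: {msg}"]
    return worst, msgs
# Constructed sample: one loaded repo (dates from the ticket), one never fetched.
SOURCES = ["deb http://ftp.debian.org/debian wheezy main",
           "deb http://security.debian.org/ wheezy/updates main"]
LISTS = {"ftp.debian.org_debian_dists_wheezy_Release":
         "Date: Sun, 18 Mar 2012 12:12:06 UTC\nValid-Until: Wed, 28 Mar 2012 12:12:06 UTC\n"}
```

Reading the lists directory into a dict before evaluating avoids the race with a concurrent package-list update that the report asks about; a missing Valid-Until is treated as CRITICAL here because the report demands both dates.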
