author Julian Andres Klode <julian.klode@canonical.com> 2019-12-02 11:46:49 +0100
committer Julian Andres Klode <julian.klode@canonical.com> 2019-12-02 14:27:38 +0100
commit 93f33052de84e9aeaf19c92291d043dad2665bbd (patch)
tree 667c4240b6f6fb9c91ae20b655478508b09d6214 /debian
parent 1690c3f87ae45a41e8d3e09bf0b1021c008460b9 (diff)
netrc: Restrict auth.conf entries to https by default
This avoids downgrade attacks where an attacker could inject Location: http://private.example/ and then (having access to raw data to private.example, for example, by opening a port there, or sniffing network traffic) read the credentials for the private repository. Closes: #945911
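The policy described in the commit message, as an added illustration that is not apt's own code: a netrc-style entry without a scheme only matches https and tor+https, so an http:// redirect to the same host gets no credentials, while plaintext http must be opted into with an explicit http:// prefix in the machine field. The sample apt_auth.conf text, the host names and the simplified key/value parser are constructed for this example.

```python
from urllib.parse import urlsplit

# Constructed sample in apt_auth.conf(5) netrc style; not real credentials.
SAMPLE_AUTH_CONF = """
machine private.example
login user1 password secret1

machine http://legacy.example/debian
login user2 password secret2
"""

# Schemes a scheme-less machine entry applies to (the new default).
SECURE_SCHEMES = {"https", "tor+https"}


def parse_auth_conf(text):
    """Minimal netrc parser: assumes strict 'key value' token pairs.
    apt's real parser is more tolerant; this is enough for the sample."""
    entries, current = [], None
    tokens = text.split()
    for key, value in zip(tokens[0::2], tokens[1::2]):
        if key == "machine":
            current = {"machine": value}
            entries.append(current)
        elif key in ("login", "password") and current is not None:
            current[key] = value
    return entries


def credentials_for(uri, entries):
    """Return (login, password) for uri, or None when no entry may apply."""
    target = urlsplit(uri)
    for entry in entries:
        machine = entry["machine"]
        if "://" in machine:
            # Explicit scheme: the admin opted in to exactly this scheme.
            m = urlsplit(machine)
            allowed, host, prefix = {m.scheme}, m.netloc, m.path
        else:
            # No scheme: only transports that encrypt the credentials.
            host, _, rest = machine.partition("/")
            allowed, prefix = SECURE_SCHEMES, ("/" + rest if rest else "")
        if (target.scheme in allowed and target.netloc == host
                and target.path.startswith(prefix)):
            return entry.get("login"), entry.get("password")
    return None


if __name__ == "__main__":
    entries = parse_auth_conf(SAMPLE_AUTH_CONF)
    for uri in ("https://private.example/debian/InRelease",
                "http://private.example/debian/InRelease",   # downgraded: no creds
                "http://legacy.example/debian/InRelease"):   # explicit opt-in
        print(uri, "->", credentials_for(uri, entries))
```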
Diffstat (limited to 'debian')
-rw-r--r-- debian/NEWS | 10
1 files changed, 10 insertions, 0 deletions
diff --git a/debian/NEWS b/debian/NEWS
index e8cb4e279..555791602 100644
--- a/debian/NEWS
+++ b/debian/NEWS
@@ -1,3 +1,13 @@
+apt (1.9.5) UNRELEASED; urgency=medium
+
+ Credentials in apt_auth.conf(5) now only apply to https and tor+https
+ sources to avoid them being leaked over plaintext (Closes: #945911). To
+ opt-in to http, add http:// before the hostname. Note that this will transmit
+ credentials in plain text, which you do not want on devices that could be
+ operating in an untrusted network.
+
+ -- Julian Andres Klode <juliank@ubuntu.com> Mon, 02 Dec 2019 11:45:52 +0100
+
apt (1.8.0~alpha3) unstable; urgency=medium
The PATH for running dpkg is now configured by the option DPkg::Path,