From 93f33052de84e9aeaf19c92291d043dad2665bbd Mon Sep 17 00:00:00 2001 From: Julian Andres Klode Date: Mon, 2 Dec 2019 11:46:49 +0100 Subject: netrc: Restrict auth.conf entries to https by default This avoids downgrade attacks where an attacker could inject Location: http://private.example/ and then (having access to raw data to private.example, for example, by opening a port there, or sniffing network traffic) read the credentials for the private repository. Closes: #945911 --- debian/NEWS | 10 ++++++++++ 1 file changed, 10 insertions(+) (limited to 'debian') diff --git a/debian/NEWS b/debian/NEWS index e8cb4e279..555791602 100644 --- a/debian/NEWS +++ b/debian/NEWS @@ -1,3 +1,13 @@ +apt (1.9.5) UNRELEASED; urgency=medium + + Credentials in apt_auth.conf(5) now only apply to https and tor+https + sources to avoid them being leaked over plaintext (Closes: #945911). To + opt-in to http, add http:// before the hostname. Note that this will transmit + credentials in plain text, which you do not want on devices that could be + operating in an untrusted network. + + -- Julian Andres Klode Mon, 02 Dec 2019 11:45:52 +0100 + apt (1.8.0~alpha3) unstable; urgency=medium The PATH for running dpkg is now configured by the option DPkg::Path, -- cgit v1.2.3
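Review bot: the NEWS entry tells users to "add http:// before the hostname" to keep credentials working for an http source, but it neither shows what the resulting apt_auth.conf line looks like nor says what happens to an existing bare-hostname entry that currently serves an http source: after the upgrade apt will simply stop sending those credentials, so the source stops authenticating silently. Suggest adding one example line, e.g. `machine http://private.example login user password pass`, and a sentence stating that unchanged entries will no longer apply to http sources. The entry also lists https and tor+https as the schemes a bare hostname still matches but does not say whether tor+http needs the same explicit prefix; worth stating either way. Minor: "opt-in" used as a verb should be "opt in".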
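The rule the NEWS entry describes and the downgrade the commit message warns about, modelled as an added example. This is not apt's own code: it is a small scheme-aware netrc matcher written for this page. The sample apt_auth.conf, the hostnames (`private.example`, `legacy.example`, `mirror.example`) and the credentials are constructed, and the `legacy` flag is an assumption that reproduces the old hostname-only match so the two behaviours can be compared. The treatment of an explicit scheme (matching only that scheme) and of a path prefix is also this example's own simplification, not a statement about apt's matching rules.

```python
"""Scheme-aware lookup of apt_auth.conf entries (example code, not apt's).

Model of the rule in the NEWS entry: a bare hostname applies to https and
tor+https only; a host written with an explicit http:// prefix opts in to
plaintext. legacy=True reproduces the pre-change hostname-only match so the
downgrade (Location: http://private.example/) from the commit message is
visible side by side.
"""
from urllib.parse import urlsplit

# Constructed sample file; hostnames and credentials are illustrative.
SAMPLE_AUTH_CONF = """\
# bare host: applies to https and tor+https only under the new rule
machine private.example login alice password s3cret
# explicit scheme: opts this host into plaintext http
machine http://legacy.example login bob password plain
# scheme plus path prefix
machine https://mirror.example/debian login carol password c4rol
"""

SECURE_SCHEMES = {"https", "tor+https"}


def parse_auth_conf(text):
    """Return (machine, login, password) tuples from netrc-style lines."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] != "machine":  # skips blanks and comments
            continue
        fields = dict(zip(tokens[0::2], tokens[1::2]))
        entries.append((fields["machine"], fields.get("login"), fields.get("password")))
    return entries


def split_machine(spec):
    """Split 'scheme://host/path' into (scheme or None, host, path prefix)."""
    scheme = None
    if "://" in spec:
        scheme, spec = spec.split("://", 1)
    host, _, path = spec.partition("/")
    return scheme, host.lower(), "/" + path


def credentials_for(url, entries, legacy=False):
    """Return the (login, password) that would be sent for url, or None.

    legacy=True models the old behaviour: any entry whose host matches is
    used regardless of scheme, which is what let an http redirect harvest
    credentials meant for an https source.
    """
    u = urlsplit(url)
    path = u.path or "/"
    for machine, login, password in entries:
        m_scheme, m_host, m_path = split_machine(machine)
        if m_host != (u.hostname or "").lower() or not path.startswith(m_path):
            continue
        if m_scheme is not None:
            # Entry names a scheme explicitly: honour exactly that scheme.
            if m_scheme != u.scheme:
                continue
        elif not legacy and u.scheme not in SECURE_SCHEMES:
            # New default: a bare hostname never applies to plaintext schemes.
            continue
        return login, password
    return None


def downgrade_demo(entries):
    """The redirect from the commit message, before and after the change."""
    https_url = "https://private.example/debian/dists/stable/InRelease"
    downgraded = "http://private.example/debian/dists/stable/InRelease"
    return {
        "https": credentials_for(https_url, entries),
        "http_legacy": credentials_for(downgraded, entries, legacy=True),
        "http_now": credentials_for(downgraded, entries),
        "http_optin": credentials_for("http://legacy.example/debian/InRelease", entries),
    }


if __name__ == "__main__":
    for name, creds in downgrade_demo(parse_auth_conf(SAMPLE_AUTH_CONF)).items():
        print(f"{name:12} -> {'no credentials' if creds is None else creds[0]}")
```

Running it shows the point of the change: with `legacy=True` the redirect target `http://private.example/...` receives alice's password, while under the new rule the same bare-hostname entry yields nothing for http and only `legacy.example`, which was explicitly written with `http://`, still gets credentials over plaintext.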