Security implications?
Bug #756939 reported by
justinsb
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| squid-deb-proxy (Ubuntu) |
Invalid
|
High
|
Unassigned | ||
Bug Description
(Originally asked as Question #152345, but converted to a bug as requested)
I think the squid deb proxy combined with zeroconf is a brilliant idea. I have a question about security: presumably with zeroconf anyone on my network could advertise a proxy; I know that everything is GPG signed, so there's no (realistic) risk of getting fake packages, but presumably an attacker could still serve old repositories with known vulnerabilities (?)
Is there a way to force the request for the 'Release' file to go to an official ubuntu server (ideally over https), while still downloading every other file from the proxy?
Revision history for this message
| Dustin Kirkland (kirkland) wrote | #1 |
| Changed in squid-deb-proxy (Ubuntu): | |
| importance: | Undecided → High |
| status: | New → Incomplete |
Revision history for this message
| Jamie Strandboge (jdstrand) wrote | #2 |
| Changed in squid-deb-proxy (Ubuntu): | |
| status: | Incomplete → Invalid |
To post a comment you must log in.
Marking 'High'. Marking 'Incomplete', waiting for feedback from the Ubuntu Security Team (subscribed).
Ubuntu-Security-
What do you think?