[Dev] Mirrors vulnerability issue, Many outdated installs in the wild

Denis 'GNUtoo' Carikli GNUtoo at no-log.org
Mon Feb 15 14:12:06 GMT 2016


On Sun, 14 Feb 2016 20:42:02 +0000
Josh Branning <lovell.joshyyy at gmail.com> wrote:

> Thanks for telling about this. I commented out the line and it seems
> to work ok for now.
It does; after upgrading you can even put back the new default
mirrorlist, since it has been updated.

My main concerns about that issue are:
-> Many users don't know about it; they used the default configuration
   and are trapped (forever?) in the past.
-> Parabola is vulnerable to outdated mirrors, and Parabola developers
   can't do anything about it when it happens. Affected systems live in
   the past.


And that doesn't even take into account MITM or malicious mirrors.
MITM is very easy to fix, assuming we find a way to enforce good https
for all mirrors; onion services don't need fixes.

As for malicious mirrors, we can at least detect them, and with an http
redirect, not make them the first mirror used.

I really hope that bug report will be taken into account by Parabola
developers, and not forgotten and left rotting in the bug tracker.

We should also look whether there are any vulnerable packages inside that
outdated mirror. Firefox derivatives such as icecat and iceweasel might
have some, since they are older than the ones in the up-to-date mirrors.

I've added more information in https://labs.parabola.nu/issues/933

Denis.
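The detection the mail argues for (find mirrors stuck in the past and never let them be the first mirror tried) can be done from the `lastsync` timestamp file that pacman-style mirrors publish. The following is an added example, not Parabola's tooling or code from the thread; it assumes each mirror exposes such a file with a unix timestamp, and the mirror URLs, timestamps and lag threshold are constructed sample values.

```python
"""Stale-mirror detection for pacman-style mirrors (added example, not Parabola code)."""

# Assumption: every mirror publishes a `lastsync` file containing a unix timestamp
# of its last successful sync; the raw text of those files is given as input here.

def parse_lastsync(text):
    """Return the unix timestamp from a lastsync file, or None if it is unparsable."""
    try:
        return int(text.strip())
    except ValueError:
        return None


def classify_mirrors(lastsyncs, now, max_lag):
    """lastsyncs: mapping mirror URL -> raw lastsync text.
    Returns mirror URL -> 'fresh' | 'stale' | 'unknown'.
    The freshest plausible mirror (newest timestamp not in the future) is the
    reference; anything more than max_lag seconds behind it is 'stale'."""
    stamps = {url: parse_lastsync(text) for url, text in lastsyncs.items()}
    plausible = [t for t in stamps.values() if t is not None and t <= now]
    reference = max(plausible) if plausible else now
    status = {}
    for url, stamp in stamps.items():
        if stamp is None or stamp > now:
            status[url] = 'unknown'   # missing or future-dated: treat with suspicion
        elif reference - stamp > max_lag:
            status[url] = 'stale'     # a system using this mirror lives in the past
        else:
            status[url] = 'fresh'
    return status


def order_mirrorlist(lastsyncs, now, max_lag):
    """Return the mirror URLs ordered fresh, then unknown, then stale, so that a
    stale mirror is never the first one pacman tries (ties broken by URL)."""
    rank = {'fresh': 0, 'unknown': 1, 'stale': 2}
    status = classify_mirrors(lastsyncs, now, max_lag)
    return sorted(lastsyncs, key=lambda url: (rank[status[url]], url))


# Constructed sample: four mirrors checked at a fixed "now" with a one-day threshold.
NOW = 1455545526
MAX_LAG = 86400
SAMPLE = {
    "https://mirror-a.example/": "1455540000",    # synced ~1.5 h ago
    "https://mirror-b.example/": "1455539400",    # 10 minutes behind mirror-a
    "https://mirror-c.example/": "1440000000",    # months behind: stale
    "https://mirror-d.example/": "not available", # unparsable lastsync
    "https://mirror-e.example/": "1455555526",    # future-dated: suspicious
}

if __name__ == "__main__":
    for url, state in classify_mirrors(SAMPLE, NOW, MAX_LAG).items():
        print(f"{state:8s} {url}")
    print("mirrorlist order:", order_mirrorlist(SAMPLE, NOW, MAX_LAG))
```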