From 93f33052de84e9aeaf19c92291d043dad2665bbd Mon Sep 17 00:00:00 2001 From: Julian Andres Klode Date: Mon, 2 Dec 2019 11:46:49 +0100 Subject: netrc: Restrict auth.conf entries to https by default This avoids downgrade attacks where an attacker could inject Location: http://private.example/ and then (having access to raw data to private.example, for example, by opening a port there, or sniffing network traffic) read the credentials for the private repository. Closes: #945911 --- debian/NEWS | 10 ++++++++++ 1 file changed, 10 insertions(+) (limited to 'debian') diff --git a/debian/NEWS b/debian/NEWS index e8cb4e279..555791602 100644 --- a/debian/NEWS +++ b/debian/NEWS @@ -1,3 +1,13 @@ +apt (1.9.5) UNRELEASED; urgency=medium + + Credentials in apt_auth.conf(5) now only apply to https and tor+https + sources to avoid them being leaked over plaintext (Closes: #945911). To + opt-in to http, add http:// before the hostname. Note that this will transmit + credentials in plain text, which you do not want on devices that could be + operating in an untrusted network. + + -- Julian Andres Klode Mon, 02 Dec 2019 11:45:52 +0100 + apt (1.8.0~alpha3) unstable; urgency=medium The PATH for running dpkg is now configured by the option DPkg::Path, -- cgit v1.2.3-70-g09d2