[Secure-testing-team] Bug#678950: screen: secure instructions in the most recent NEWS.Debian entry

Christoph Anton Mitterer calestyo at scientia.net
Mon Jun 25 10:27:41 UTC 2012


Package: screen
Version: 4.1.0~20120320gitdb59704-4
Severity: normal
Tags: security


Hi.

In the most recent NEWS.Debian entry, you describe how users
can retrieve an old version of the screen package in order to
connect to pre-4.1 sessions.

A security problem IMHO is that a simple download, not even
https secured (which also wouldn't be that good), is advised.

This makes a "hole" in secure APT, which otherwise only
brings secured packages into the system.


Now there are several ways to get around this, amongst others:
a) Suggest to the users instead to add a sources.list entry
for oldstable (where an old screen should be available) and a
command to downgrade to that.


b) Include SHA512 sums for the .deb files of the most recent
4.0.3 version for all architectures.


I'd suggest a), as b) has the disadvantage that the sums get
out of date once there should be a security upload of a newer
4.0.3 version to oldstable.


Cheers,
Chris.
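
The two remedies proposed in the report, as an added example that is not part of the original bug report or of the screen package: a POSIX shell script that writes the oldstable source and APT pin for option a) into a scratch directory (the mirror URL and the suite name "oldstable" are assumptions) and a function for option b) that checks a downloaded .deb against a SHA-512 sum published out of band.

```shell
#!/bin/sh
# Added example, not from the bug report. Everything is written under $OUT,
# so the running system's APT configuration is never touched.
set -eu

OUT="${OUT:-$(mktemp -d)}"

# a) Downgrade through secure APT: an oldstable source plus a pin so that
#    "screen" is taken from oldstable although a newer version is installed.
#    The files mirror /etc/apt/sources.list.d and /etc/apt/preferences.d;
#    the package signature is still verified by apt against its keyring.
write_oldstable_pin() {
    mkdir -p "$OUT/sources.list.d" "$OUT/preferences.d"
    # Assumed mirror URL; any mirror carrying the oldstable suite works.
    printf 'deb http://ftp.debian.org/debian oldstable main\n' \
        > "$OUT/sources.list.d/oldstable.list"
    # A priority above 1000 lets apt install the pinned version even when
    # that means a downgrade.
    printf 'Package: screen\nPin: release a=oldstable\nPin-Priority: 1001\n' \
        > "$OUT/preferences.d/screen-oldstable"
    # The command the NEWS entry could then advise would be:
    #   apt-get update && apt-get install screen/oldstable
    echo "$OUT/preferences.d/screen-oldstable"
}

# b) Verify a manually downloaded .deb against a published SHA-512 sum.
#    Returns 0 on match, 1 on mismatch. The sum is the trust anchor, so it
#    must arrive through an already trusted path (e.g. the signed package
#    shipping NEWS.Debian), not through the same unauthenticated download.
verify_deb_sha512() {
    deb="$1"; expected="$2"
    actual=$(sha512sum "$deb" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}
```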