Ubuntu

  1. Bug #1464064
  2. Comment #38

Comment 38 for bug 1464064

Revision history for this message
f00-d0g (f00-d0g) wrote (last edit ):

/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\

Hi!

- Please set to high priority, for this still makes RCE possible (experience level: "rt-"pentester)
- All (20.04 default) repositories accept https except for "http://security.ubuntu.com/ubuntu focal-security InRelease" which is quite ironic.
- Reason to support https repositories:
 - Not enabled by default means that nobody is impacted negatively (Same with DNS over TLS).
 - Security in Depth principle, protect APT packages in transit (also) apart from only using verification.
 - Previous RCE CVE's "CVE-2016-1252 + CVE-2019-3462"
   https://security-tracker.debian.org/tracker/CVE-2016-1252
   https://security-tracker.debian.org/tracker/CVE-2019-3462

PLEASE NOTE THAT SOME BLACKHATS ARE TRYING TO GET THIS BUGFIX SWIPED AWAY. (I do not have an NDA and i am impacted by this, they can go fuck themselves for today.)

Kind Regards

/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\