Ubuntu
debootstrap package

Feature request: support for pulling packages from -security and -updates

Bug #1462787 reported by michagogo
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
debootstrap (Ubuntu)
Fix Released
Undecided
Unassigned

Bug Description

It doesn't really make sense that when using debootstrap to create an Ubuntu <chroot|container|directory|installation|whatever>, old versions of packages will be installed, rather than the latest versions from the archives. The first thing that you'd need to do would be to immediately go and upgrade everything, which is just unnecessary duplication of downloading and installing. An Ubuntu installation (for example, Precise) created by the current version will be extremely insecure.

michagogo (michagogo)
information type: Private Security → Public
information type: Public → Public Security
Revision history for this message
Marc Deslauriers (mdeslaur) wrote : Bug is not a security issue

Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a "regular" (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross privilege boundaries nor directly cause loss of data/privacy. Please feel free to report any other bugs you may find.

information type: Public Security → Public
Revision history for this message
michagogo (michagogo) wrote : Re: [Bug 1462787] [NEW] Feature request: support for pulling packages from -security and -updates

The attack scenario is as follows:
1. A user creates a new Ubuntu installation with debootstrap.
2. The user assumes that, because they're fetching all the packages online
from the server, they're getting the latest versions and don't need to
upgrade immediately.
3. The user is attacked via literally any of the security vulnerabilities
patched in the past up to 3.something years (e.g. Heartbleed).

On Friday, June 19, 2015, Marc Deslauriers <email address hidden>
wrote:

> Thanks for taking the time to report this bug and helping to make Ubuntu
> better. We appreciate the difficulties you are facing, but this appears
> to be a "regular" (non-security) bug. I have unmarked it as a security
> issue since this bug does not show evidence of allowing attackers to
> cross privilege boundaries nor directly cause loss of data/privacy.
> Please feel free to report any other bugs you may find.
>
> ** Information type changed from Public Security to Public
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1462787
>
> Title:
> Feature request: support for pulling packages from -security and
> -updates
>
> Status in debootstrap package in Ubuntu:
> New
>
> Bug description:
> It doesn't really make sense that when using debootstrap to create an
> Ubuntu <chroot|container|directory|installation|whatever>, old
> versions of packages will be installed, rather than the latest
> versions from the archives. The first thing that you'd need to do
> would be to immediately go and upgrade everything, which is just
> unnecessary duplication of downloading and installing. An Ubuntu
> installation (for example, Precise) created by the current version
> will be extremely insecure.
>
> To manage notifications about this bug go to:
>
> https://bugs.launchpad.net/ubuntu/+source/debootstrap/+bug/1462787/+subscriptions
>

Revision history for this message
Ken Sharp (kennybobs) wrote :

debootstrap --extra-suites=precise-security,precise-updates,precise-backports

Changed in debootstrap (Ubuntu):
status: New → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.