net-retriever relies on MD5SUMs, should use SHA256

Bug #1191993 reported by Alec Warner on 2013-06-17
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Fix Released
net-retriever (Ubuntu)

Bug Description

I was trying to get d-i to use my new shiny (not yet released) mirror setup. During testing, I noticed that net-retriever was failing to parse my Release files because my MD5Sum: lines were "MD5Sum: $" and not the expected "MD5Sum:$".

I fixed the bug in my Release file generator and moved on. However, net-retriever should probably be switched to rely on stronger checksums that are less prone to collisions than MD5Sum.

Then I downloaded lp:ubuntu/net-retriever and verified that it was still vulnerable.

I am using net-retriever from Precise (1.29ubuntu1).

I don't think we care too much if it is fixed in Precise, but it should be fixed before T.


Changed in net-retriever:
status: Unknown → New
Changed in net-retriever:
status: New → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.