Security implications?
Bug #756939 reported by justinsb
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
squid-deb-proxy (Ubuntu) | Invalid | High | Unassigned | |
Bug Description
(Originally asked as Question #152345, but converted to a bug as requested)
I think the squid deb proxy combined with zeroconf is a brilliant idea. I have a question about security: presumably with zeroconf anyone on my network could advertise a proxy; I know that everything is GPG signed, so there's no (realistic) risk of getting fake packages, but presumably an attacker could still serve old repositories with known vulnerabilities (?)
Is there a way to force the request for the 'Release' file to go to an official Ubuntu server (ideally over https), while still downloading every other file from the proxy?
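The stale-repository concern raised above can be checked on the client side from the signed metadata itself. The following is an added example, not part of the original report or of squid-deb-proxy: it classifies a Release file by its `Date` and `Valid-Until` fields. It assumes the text has already passed GPG verification (so the dates cannot be altered by the proxy); the function names, the 7-day `max_age` policy and the sample Release text are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed sample Release header (not taken from a real archive).
SAMPLE_RELEASE = """\
Origin: Ubuntu
Suite: example
Date: Mon, 04 Apr 2011 10:00:00 UTC
Valid-Until: Mon, 11 Apr 2011 10:00:00 UTC
SHA256:
 <constructed-digest> 1234 main/binary-amd64/Packages
"""

def release_fields(text):
    """Return the top-level 'Key: value' fields of a Release file."""
    fields = {}
    for line in text.splitlines():
        # Indented lines are checksum-list continuations, not fields.
        if line[:1] in (" ", "\t") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields

def _utc(value):
    """Parse an RFC 2822 style date; treat a missing zone as UTC."""
    dt = parsedate_to_datetime(value)
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def freshness(text, now, max_age=timedelta(days=7)):
    """Classify verified Release metadata.

    Returns 'expired' if Valid-Until has passed, 'too-old' if Date is
    older than max_age (hypothetical local policy), 'undated' if there
    is no Date field to judge by, otherwise 'fresh'.
    """
    fields = release_fields(text)
    if "Date" not in fields:
        return "undated"
    if "Valid-Until" in fields and now > _utc(fields["Valid-Until"]):
        return "expired"
    if now - _utc(fields["Date"]) > max_age:
        return "too-old"
    return "fresh"

if __name__ == "__main__":
    print(freshness(SAMPLE_RELEASE, datetime.now(timezone.utc)))
```

apt applies the same kind of limit itself through the `Valid-Until` field and the `Acquire::Max-ValidTime` setting; a Release file with neither gives the client nothing to reject on.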
Marking 'High'. Marking 'Incomplete', waiting for feedback from the Ubuntu Security Team (subscribed).
Ubuntu-Security-
What do you think?