Christoph Anton Mitterer
2012-Jun-25 10:27 UTC
[Secure-testing-team] Bug#678950: screen: secure instructions in the most recent NEWS.Debian entry
Package: screen
Version: 4.1.0~20120320gitdb59704-4
Severity: normal
Tags: security

Hi.

In the most recent NEWS.Debian entry, you describe how users can retrieve an old version of the screen package in order to connect to pre-4.1 sessions.

A security problem IMHO is that a simple download, not even https secured (which also wouldn't be that good), is advised. This makes a "hole" in secure APT, which otherwise only brings secured packages into the system.

Now there are several ways to get around this, amongst others:

a) Suggest the users instead to add a sources.list entry for oldstable (where an old screen should be available) and a command to downgrade to that.

b) Include SHA512 sums for the .deb files of the most recent 4.0.3 version for all architectures.

I'd suggest a), as b) has the disadvantage that the sums get out of date once there is a security upload of a newer 4.0.3 version to oldstable.

Cheers,
Chris.
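As an added illustration (not part of the bug report or of the screen package), this is the check that option b) would place on the user's side: a downloaded .deb is only handed to dpkg if its SHA512 matches the entry published for it. The manifest format ("<sha512>  <filename>", as written by sha512sum), the file names and the payloads are all constructed here.

```shell
#!/bin/sh
# verify_deb MANIFEST DEBFILE
# Returns 0 if the file's SHA512 matches its manifest entry, 1 on mismatch
# or if the file is not listed at all (an unlisted file is never trusted).
verify_deb() {
    manifest="$1"
    deb="$2"
    name=$(basename "$deb")
    expected=$(awk -v f="$name" '$2 == f { print $1 }' "$manifest")
    [ -n "$expected" ] || { echo "$name: no manifest entry, refusing" >&2; return 1; }
    actual=$(sha512sum "$deb" | awk '{ print $1 }')
    if [ "$actual" = "$expected" ]; then
        echo "$name: SHA512 OK"
        return 0
    fi
    echo "$name: SHA512 MISMATCH, refusing to install" >&2
    return 1
}

# --- constructed demo data: fake .deb payloads, not real packages ---
demo_dir=$(mktemp -d)
printf 'constructed amd64 payload\n' > "$demo_dir/screen_4.0.3_amd64.deb"
printf 'constructed i386 payload\n'  > "$demo_dir/screen_4.0.3_i386.deb"
printf 'tampered payload\n'          > "$demo_dir/screen_4.0.3_armel.deb"
# Manifest lists correct sums for amd64 and i386; the armel line carries the
# amd64 sum so that the armel download looks like it was altered in transit.
( cd "$demo_dir" && sha512sum screen_4.0.3_amd64.deb screen_4.0.3_i386.deb ) > "$demo_dir/SHA512SUMS"
printf '%s  screen_4.0.3_armel.deb\n' \
    "$(sha512sum "$demo_dir/screen_4.0.3_amd64.deb" | awk '{ print $1 }')" >> "$demo_dir/SHA512SUMS"

# Outcomes kept in variables so a caller (or a test) can act on them.
verify_deb "$demo_dir/SHA512SUMS" "$demo_dir/screen_4.0.3_amd64.deb" && ok_amd64=1 || ok_amd64=0
verify_deb "$demo_dir/SHA512SUMS" "$demo_dir/screen_4.0.3_armel.deb" && ok_armel=1 || ok_armel=0
verify_deb "$demo_dir/SHA512SUMS" "$demo__dir_placeholder_never_used" 2>/dev/null || true
verify_deb "$demo_dir/SHA512SUMS" "$demo_dir/screen_4.0.3_mips.deb"  && ok_mips=1  || ok_mips=0
```

Only the amd64 file passes; the altered armel file and the unlisted mips file are both refused before dpkg is ever invoked, which is the property a plain unauthenticated download in NEWS.Debian cannot give.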