retitle 659015 apt-build: disables apt's signature checking
severity 659015 grave
tag 659015 + security
found 659015 0.12.42
thanks
apt-build unconditionally passes -o Apt::Get::AllowUnauthenticated=true to apt-get, that is, it disables *all* signature checks, allowing MitM attacks to serve malicious data.

It looks like this was introduced in 0.12.42:

  * Allow non authenticated installation from apt-build repository.
    Closes: #316572, #369173

See also the recent thread on debian-security@ [1], esp. [2] suggesting to use "deb [trusted=yes] ..." in sources.list which would allow dropping the (global) AllowUnauthenticated=true.

Ansgar

[1] <https://lists.debian.org/debian-security/2015/03/msg00020.html>
[2] <https://lists.debian.org/debian-security/2015/03/msg00026.html>
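An added audit script, not part of the bug report or of apt-build, that classifies sources.list entries: a per-repository `[trusted=yes]` on a local transport (file:, copy:, cdrom:) is the narrow replacement the thread suggests, while `[trusted=yes]` on a network source reintroduces the same MitM exposure as the global AllowUnauthenticated=true. The sample entries and the apt-build repository path below are constructed assumptions, not values from the report.

```shell
#!/bin/sh
# Constructed sample sources.list (not taken from the bug report); the
# apt-build repository path is an assumption, not a value from the page.
SAMPLE_SOURCES='deb http://deb.debian.org/debian jessie main
deb [trusted=yes] file:/var/cache/apt-build/repository apt-build main
deb [trusted=yes] http://mirror.example/debian jessie main
deb-src http://deb.debian.org/debian jessie main
# deb [trusted=yes] http://commented.example/debian jessie main'

# Local transports have no network path, so [trusted=yes] there does not open MitM.
is_local_uri() {
    case "$1" in file:*|copy:*|cdrom:*) return 0 ;; *) return 1 ;; esac
}

# classify_source LINE -> "skip" | "signed URI" | "local-trusted URI" | "REMOTE-TRUSTED URI"
classify_source() {
    set -- $1                      # split the entry into whitespace-separated tokens
    case "${1:-}" in deb|deb-src) ;; *) echo skip; return 0 ;; esac
    shift
    trusted=no
    case "${1:-}" in
        '['*)                      # consume the [option ...] block, which may span tokens
            while [ $# -gt 0 ]; do
                tok=$1; shift
                case "$tok" in *trusted=yes*) trusted=yes ;; esac
                case "$tok" in *']') break ;; esac
            done ;;
    esac
    uri=${1:-}
    if [ "$trusted" = no ]; then
        echo "signed $uri"
    elif is_local_uri "$uri"; then
        echo "local-trusted $uri"
    else
        echo "REMOTE-TRUSTED $uri"  # signature checks disabled on a network source
    fi
}

# count_remote_trusted < sources.list -> number of risky entries
count_remote_trusted() {
    n=0
    while IFS= read -r line; do
        case "$(classify_source "$line")" in REMOTE-TRUSTED*) n=$((n + 1)) ;; esac
    done
    echo "$n"
}

printf '%s\n' "$SAMPLE_SOURCES" | while IFS= read -r l; do classify_source "$l"; done
echo "remote trusted entries: $(printf '%s\n' "$SAMPLE_SOURCES" | count_remote_trusted)"
```

Run it against a real sources.list with `count_remote_trusted < /etc/apt/sources.list` to find entries that disable signature checks on a network source.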