Package: inetsim
Version: 1.2.7+dfsg.1-1
Severity: serious

Debian source and binary packages for INetSim have been provided
with the official inetsim.org APT repository for 10+ years, see
<https://www.inetsim.org/packages.html>.

Earlier versions of our .deb packages did not comply with the
Debian policy as they included precompiled Windows executables.
More than a year ago, we decided to change this by re-building
the binaries at package build time using gcc-mingw-w64-i686 and
prepared the necessary code changes in the development branch.
However, users of INetSim asked us not to change the sample
binaries included with INetSim since the first release, so we
postponed this change for the release branch.

Background:
INetSim is used with lots of automated malware analysis systems
at AV companies and other security orgs around the world. Many of
those systems use the well-known hashsums of the sample binaries
to evaluate if a malware sample tries to download an executable file.

With the release of INetSim version 1.3.0, we finally decided to
merge this change into the release branch and make the postinst
script show a warning on the change of the binaries to the user
on installation/upgrade along with instructions on how to
download the old binaries from the project website and install
them manually if needed.

We have now been made aware that an older version of INetSim has
already been included in the official Debian repository
(unfortunately, we did not know about this) and the package now
also available in Debian 10 replaces the original sample binaries
with recompiled versions without showing any warning to the user,
which is a VERY BAD idea as explained before.

Many users use our apt repository for installing INetSim while
others download the .deb and install it manually using dpkg.
If a system was running Debian 9 with INetSim (< 1.2.7) installed
manually (or via apt with a lower priority configured for our
repository) and the system is now upgraded to Debian 10, INetSim
will be upgraded to the version included with the official Debian
repository and the user will not be notified of the change of the
sample binaries.

To prevent more automated malware analysis systems using INetSim
from creating false reports due to this (unintended) upgrade,
we would like to ask you to release updated packages for INetSim
showing a warning on the change of the sample binaries along with
instructions on how to install the old binaries for Debian 10
through debian-updates or even debian-security as soon as possible.


Another issue:
The postinst script of the Debian 10 package copies all files from
/usr/share to /var/lib, including the files in data/certs.
So it will a) overwrite existing certificate files and b) never
generate a custom certificate.
The correct workflow should be:
a) Keep existing certificate files on upgrades
b) If one of the files does not exist, try using OpenSSL to generate
   a custom certificate
c) If that fails, copy the files from /usr/share/inetsim/data/certs
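The three-step certificate workflow above, written out as an added shell example (this is not the Debian package's postinst and not INetSim project code); the file names server.key/server.crt, the directory arguments and the INETSIM_OPENSSL override are assumptions:

```shell
#!/bin/sh
# Added example: postinst-style certificate handling following the
# keep / generate / copy workflow. File names and paths are assumptions.
set -eu

INETSIM_OPENSSL="${INETSIM_OPENSSL:-openssl}"   # overridable for testing

# install_inetsim_certs SRC_DIR DST_DIR
#   SRC_DIR: packaged default certs (e.g. /usr/share/inetsim/data/certs)
#   DST_DIR: runtime cert dir        (e.g. /var/lib/inetsim/data/certs)
# Prints the action taken: kept | generated | copied
install_inetsim_certs() {
    src="$1"; dst="$2"
    mkdir -p "$dst"
    # a) keep existing certificate files on upgrades, never overwrite them
    if [ -f "$dst/server.key" ] && [ -f "$dst/server.crt" ]; then
        echo kept
        return 0
    fi
    # b) one or both missing: try to generate a host-specific self-signed pair
    host="$(hostname 2>/dev/null || echo localhost)"
    if "$INETSIM_OPENSSL" req -x509 -newkey rsa:2048 -nodes \
            -keyout "$dst/server.key" -out "$dst/server.crt" \
            -days 365 -subj "/CN=$host" >/dev/null 2>&1; then
        chmod 600 "$dst/server.key"
        echo generated
        return 0
    fi
    # c) generation failed (no openssl, or an error): discard any partial
    #    output and fall back to the packaged default files
    rm -f "$dst/server.key" "$dst/server.crt"
    cp "$src/server.key" "$src/server.crt" "$dst/"
    echo copied
}
```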


Also, the inetsim 1.2.8 package available in testing/unstable has
the following dependencies:

Recommends: libio-socket-ssl-perl, openssl
Suggests: libiptables-ipv4-ipqueue-perl, iptables

This is not correct, as INetSim has been using libnfqueue-perl
instead of libiptables-ipv4-ipqueue-perl since version 1.2.8.
This package should be recommended instead of suggested.
So the correct dependencies should look like:

Recommends: libio-socket-ssl-perl, openssl, libnfqueue-perl, iptables


Please consider using the Debian sources provided with our apt source
repository (see <https://www.inetsim.org/packages.html>).


Kind regards
Thomas Hungenberg & Matthias Eckert
INetSim Development Team
