data.coop/ansible
8
3
Fork 7
Code Issues 49 Pull requests 9 Projects 1 Releases Wiki Activity

Pin priorities to exclude non-targeted packages from third-party repositories #95

New issue
Closed
opened 2022-07-22 17:47:31 +00:00 by benjaoming · 0 comments
benjaoming commented 2022-07-22 17:47:31 +00:00
Owner
Copy link

In #90, we added a new repository hosted by Dell. We want specific packages from this repo, but an attacker can place all sorts of packages there and we can upgrade to a compromised package in this way.

For instance, say that we are running the official lib-very-important-4.9.9.security-patch20220101, then an attacker can place lib-very-important-5.0 with a known vulnerability and we'd just install it. They can even AFAIK just copy the package straight, but they will have to update the repository index with Dell's signing key.

But parts of this should be possible to mitigate:

Create a file /etc/apt/preferences.d/dell with contents:

Explanation: Deny all packages from this repo that exist elsewhere
Package: *
Pin: origin "linux.dell.com"
Pin-Priority: 400
In #90, we added a new repository hosted by Dell. We want specific packages from this repo, but an attacker can place all sorts of packages there and we can upgrade to a compromised package in this way. For instance, say that we are running the official lib-very-important-4.9.9.security-patch20220101, then an attacker can place lib-very-important-5.0 with a known vulnerability and we'd just install it. They can even AFAIK just copy the package straight, but they will have to update the repository index with Dell's signing key. But parts of this should be possible to mitigate: Create a file `/etc/apt/preferences.d/dell` with contents: ``` Explanation: Deny all packages from this repo that exist elsewhere Package: * Pin: origin "linux.dell.com" Pin-Priority: 400 ```
👍 1
benjaoming added the
Security Hardening
 label 2022-07-22 17:47:31 +00:00
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
main
reynir-patch-1
proxmox
diun
use_sudo
woodpeckerci
linting
mailman
listmonk
sshd-password
No results found.
Labels
Clear labels   
Blocked

Something is blocking progress

  
Existing Service

Issues/improvements regarding existing services

  
Infrastructure Issue

Infrastructure issue that needs investigation or time to fix

  
Refactor

Refactoring of files / file structure or other improvements

  
Security Hardening

Non-verified / non-critical security improvements

  
Security Issue

Urgent security issue that needs to be fixed ASAP

  
Service Idea

Ideas for new services

  
Service Removal

Removal of services for one reason or another

  
Upgrade service
No labels
Blocked
Existing Service
Infrastructure Issue
Refactor
Security Hardening
Security Issue
Service Idea
Service Removal
Upgrade service
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: data.coop/ansible#95
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?