codeblog code is freedom — patching my itch

August 20, 2008

Ubuntu security repository structure

Filed under: Blogging,Security,Ubuntu,Ubuntu-Server — kees @ 12:04 pm

Miguel Ruiz asked about Ubuntu security repositories. Here’s how things are done:

The “security.ubuntu.com” archive contains explicitly only the “$RELEASE-security” pockets. It is included in all Ubuntu sources.list files so that the package manager knows what the most recent security release of a package will be.

The central “archive.ubuntu.com” server (and all the Ubuntu mirrors) also contain the “$RELEASE-security” pockets, in addition to the rest of the archive (and will continue to have all pockets — which answers the core of Miguel’s question). While mirrors are not required to mirror the -security pocket, it certainly helps with the load on the primary Ubuntu archive servers.

The “security.ubuntu.com” entry is last in sources.list, giving the option of pulling an updated package from an earlier mentioned mirror (resulting in a faster download for the user, and less bandwidth used by the central Ubuntu archive servers). In the case that the mirror is behind, the package is available directly from “security.ubuntu.com”. In this way, mirrors cannot (accidentally or intentionally) “go rogue” — the latest security updates are always visible on the security archive server.

© 2008, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 License.
CC BY-SA 4.0

3 Comments

  1. Kees,

    Your reply was outstanding and it clarified my doubts.

    Thanks !

    Comment by Miguel Ruiz — August 20, 2008 @ 10:43 pm

  2. “In this way, mirrors cannot (accidentally or intentionally) “go rogue” — the latest security updates are always visible on the security archive server.”

    Provided that the DNS and routing are working as expected.

    But what if they’re not? What if the IP address of security.ubuntu.com or the routing table are altered via DNS, ARP or DHCP spoofing, and the false security.ubuntu.com is serving outdated package lists? Will the package manager notice that and complain to the user?

    Comment by Alexander Konovalenko — August 21, 2008 @ 8:16 pm

  3. The Releases file is GPG signed and verified by the package manager. This means interruptions/misdirections in DNS or IP connectivity just result in a denial of service to getting updates (rather than seeing trojaned updates or anything like that) since the resulting Releases file would not be signed by the trusted source.

    These sort of package manager attacks have been well studied, and you can see more here:
    http://www.cs.arizona.edu/people/justin/packagemanagersecurity/attacks-on-package-managers.html

    For Ubuntu it seems that only “freezing” is possible (since the package manager won’t install _old_ software if it already has a new update). (The “endless data” attack is possible too, but is just another denial of service.) Frankly, if someone has gained that much control over your network, there are a lot of other things to worry about. :)

    Comment by kees — August 28, 2008 @ 10:08 am

Powered by WordPress