[Bug 1207810] New: suspicious mirror

http://bugzilla.opensuse.org/show_bug.cgi?id=1207810

            Bug ID: 1207810
           Summary: suspicious mirror
    Classification: openSUSE
           Product: openSUSE Tumbleweed
           Version: Current
          Hardware: All
                OS: openSUSE Tumbleweed
            Status: NEW
          Severity: Critical
          Priority: P5 - None
         Component: Security
          Assignee: security-team@suse.de
          Reporter: lcfork233@proton.me
        QA Contact: qa-bugs@suse.de
          Found By: ---
           Blocker: ---

Warning: Digest verification failed for file
'bd28fa48d984b87e9f52b9940f844fd074579967dba3469b510d39488984684cbfc2513d2f461fb6bef645f3f17eedbcd23174714908089d819371fe714220f0-primary.xml.gz'
[/var/tmp/AP_0xPIL2U8/repodata/bd28fa48d984b87e9f52b9940f844fd074579967dba3469b510d39488984684cbfc2513d2f461fb6bef645f3f17eedbcd23174714908089d819371fe714220f0-primary.xml.gz]

  expected bd28fa48d984b87e9f52b9940f844fd074579967dba3469b510d39488984684cbfc2513d2f461fb6bef645f3f17eedbcd23174714908089d819371fe714220f0
  but got  e14006d801ecead6e58949f5b34cf0b56e1ada07493d50ee123080c9a0b26c21e53a8d27e62f3438367a3b435992447d925f13636c47d651fa389dd9a5e5aafe

Accepting packages with wrong checksums can lead to a corrupted system and in
extreme cases even to a system compromise.

However if you made certain that the file with checksum 'e140..' is secure,
correct and should be used within this operation, enter the first 4 characters
of the checksum to unblock using this file on your own risk. Empty input will
discard the file.

Unblock or discard? [e140/...? shows all options] (discard):

When doing zypper refresh, digest verification failed, and every time the
checksum would change. I used

```
curl -LI http://download.opensuse.org/tumbleweed/repo/non-oss/repodata/bd28fa48d984b87e9f52b9940f844fd074579967dba3469b510d39488984684cbfc2513d2f461fb6bef645f3f17eedbcd23174714908089d819371fe714220f0-primary.xml.gz
```

to check what mirror is doing funky things; I got opensuse.ucom.am. This mirror
seems to have outdated/modified software. It seems suspicious and should be
avoided at all cost.
-- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.opensuse.org/show_bug.cgi?id=1207810

Olaf Anthony <lcfork233@proton.me> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
          Priority|P5 - None                   |P2 - High

http://bugzilla.opensuse.org/show_bug.cgi?id=1207810
http://bugzilla.opensuse.org/show_bug.cgi?id=1207810#c1

Andreas Stieger <Andreas.Stieger@gmx.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
          Priority|P2 - High                   |P5 - None
                CC|                            |Andreas.Stieger@gmx.de,
                  |                            |andrii.nikitin@suse.com,
                  |                            |security-team@suse.de
         Component|Security                    |libzypp
          Assignee|security-team@suse.de       |zypp-maintainers@suse.de
           Summary|suspicious mirror           |Digest verification failed
                  |                            |for file primary.xml.gz
                  |                            |(opensuse.ucom.am)
          Severity|Critical                    |Normal

--- Comment #1 from Andreas Stieger <Andreas.Stieger@gmx.de> ---
Reporter, there seems to be no data supporting that this is malicious - in any
case the digest verification failed and protected the user.

Andrii, similar to bug 1207755 can you check if this mirror can be taken out of
the rotation?

http://bugzilla.opensuse.org/show_bug.cgi?id=1207810
http://bugzilla.opensuse.org/show_bug.cgi?id=1207810#c2

Andrii Nikitin <andrii.nikitin@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Status|NEW                         |IN_PROGRESS

--- Comment #2 from Andrii Nikitin <andrii.nikitin@suse.com> ---
The mirror has been disabled for now, the admin notified.

http://bugzilla.opensuse.org/show_bug.cgi?id=1207810
http://bugzilla.opensuse.org/show_bug.cgi?id=1207810#c3

--- Comment #3 from Andrii Nikitin <andrii.nikitin@suse.com> ---
On the second check - the mirror returns correct checksums now. Do you have any
proof output that it did misbehave in the past?

curl -s http://opensuse.ucom.am/tumbleweed/repo/non-oss/repodata/bd28fa48d984b87e9f5... | sha512sum
bd28fa48d984b87e9f52b9940f844fd074579967dba3469b510d39488984684cbfc2513d2f461fb6bef645f3f17eedbcd23174714908089d819371fe714220f0

http://bugzilla.opensuse.org/show_bug.cgi?id=1207810
http://bugzilla.opensuse.org/show_bug.cgi?id=1207810#c4

--- Comment #4 from Michael Andres <ma@suse.com> ---
@Andrii: See also https://github.com/openSUSE/zypper/issues/473 and
https://bugzilla.suse.com/show_bug.cgi?id=1201355. Visible in the zypper.logs.
There opensuse.koyanet.lv returned 204 but no or partial data. This led to
digest errors. After a while opensuse.koyanet.lv started to return the correct
data.

In the past month we see such issues more often and with different servers.

On the zypp side we'll try to enhance the download output, so it tells about
the mirrors in use. So we will hopefully detect stray mirrors more easily.
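The check in comment #3 (download the file from one specific mirror and compare its SHA-512 with the digest that forms the first part of the repodata file name) and the failure mode in comment #4 (a mirror answering with no or partial data, which the digest check also catches) can be scripted so that it can be repeated against any mirror. The script below is an added example for this thread, not code from the bug report, from zypper or from libzypp; the function names `verify_repodata_file`, `mirror_for` and `check_mirror_copy` are my own, and the sample content the test feeds it is constructed rather than real repodata.

```shell
#!/bin/sh
# Added example, not code from the bug report or from zypper/libzypp.
# openSUSE repodata files are named <sha512-of-content>-<kind>.xml.gz, so a
# downloaded copy can be checked against the digest embedded in its own name,
# independently of repomd.xml.

# verify_repodata_file PATH
# Exit status 0: the file's SHA-512 matches the digest prefix of its name.
#             1: mismatch (stale, modified, empty or truncated data).
#             2: the file name carries no 128-hex-digit digest prefix.
verify_repodata_file() {
    name=$(basename "$1")
    expected=${name%%-*}
    case "$expected" in
        *[!0-9a-f]*|'') return 2 ;;
    esac
    [ "${#expected}" -eq 128 ] || return 2
    actual=$(sha512sum "$1" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    printf 'digest mismatch for %s\n  expected %s\n  got      %s\n' \
        "$name" "$expected" "$actual" >&2
    return 1
}

# mirror_for URL
# Prints the URL the download.opensuse.org redirector finally sends the
# request to, i.e. the mirror that served it (needs network access, so it is
# not exercised by the offline test).
mirror_for() {
    curl -sIL -o /dev/null -w '%{url_effective}\n' "$1"
}

# check_mirror_copy MIRROR_BASE_URL REPO_PATH
# Fetches one repodata file from a specific mirror into a temporary directory,
# keeping its name, and verifies it.  Hypothetical invocation:
#   check_mirror_copy http://opensuse.ucom.am \
#       tumbleweed/repo/non-oss/repodata/<sha512>-primary.xml.gz
# --fail makes HTTP errors a non-zero exit; a 204 with an empty body (the case
# in comment #4) is not an HTTP error, but the empty file then fails the
# digest comparison, which is the point of checking the content, not the status.
check_mirror_copy() {
    dir=$(mktemp -d) || return 2
    name=$(basename "$2")
    if ! curl -sSfL -o "$dir/$name" "$1/$2"; then
        rm -rf "$dir"
        return 1
    fi
    verify_repodata_file "$dir/$name" && rc=0 || rc=$?
    rm -rf "$dir"
    return "$rc"
}
```

`verify_repodata_file` is the part worth keeping around: run it over a `/var/tmp/AP_*/repodata/` directory left behind by a failed refresh and it tells you which file did not match, which is the "proof output" comment #3 asks for. `mirror_for` reproduces the reporter's `curl -LI` step in a form that prints only the effective URL.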