View Issue Details

ID: 0000667
Project: bareos-core
Category: [All Projects] installer / packages
View Status: public
Last Update: 2019-09-03 10:54
Reporter: jungingen
Assigned To: stephand
Priority: low
Severity: minor
Reproducibility: always
Status: feedback
Resolution: open
Platform:
OS: Linux
OS Version: Ubuntu 16.04 LTS
Product Version: 15.2.3
Fixed in Version:
Summary: 0000667: Ubuntu repository uses weak digest algorithm (SHA1)
Description: Ubuntu 16.04 LTS gives an error on installing Bareos through repositories - experimental and stable, because of the weak digest algorithm:

http://download.bareos.org/bareos/release/latest/xUbuntu_14.04/
http://download.bareos.org/bareos/experimental/nightly/xUbuntu_16.04/


Steps To Reproduce: After adding repository and installing the key, apt-get update gives the following error:

W: http://download.bareos.org/bareos/experimental/nightly/xUbuntu_16.04/Release.gpg: Signature by key 2FC04F7E3421E21B70F3231F7A855ABDE0F8EFD4 uses weak digest algorithm (SHA1)
Tags: No tags attached.
bareos-master: impact: yes
bareos-master: action: will care
bareos-19.2: impact:
bareos-19.2: action:
bareos-18.2: impact:
bareos-18.2: action:
bareos-17.2: impact:
bareos-17.2: action:
bareos-16.2: impact: yes
bareos-16.2: action: will care
bareos-15.2: impact: yes
bareos-15.2: action: will care
bareos-14.2: impact: yes
bareos-14.2: action: will care
bareos-13.2: impact: no
bareos-13.2: action:
bareos-12.4: impact: no
bareos-12.4: action:

Activities

joergs

2016-10-24 15:57

administrator   ~0002407

We use a private instance of http://openbuildservice.org/ (OBS) to build our Linux packages. As this is only a warning, we do not consider it urgent to fix this issue. However, recent releases of OBS (>= 2.7.0) have fixed this issue, by signing also with SHA256, see https://github.com/openSUSE/obs-sign/commit/688d5fa695c4756bf5c9825ed390112d23270bf0

We plan to update our build infrastructure when we find time for this.

monotek

2016-11-08 19:27

reporter   ~0002440

Would be nice if you could reconsider this decision because our repos are managed by puppet which has problems running without errors when "apt-get update" is executed.

tudor

2016-11-09 06:48

reporter   ~0002441

+1 this affects pretty much every Ubuntu user who's upgraded recently also. I actively discourage my team from ignoring warnings like this as it's a bad habit to get into and paves the way for real attacks on our security.

kim-sondrup

2017-03-03 18:34

reporter   ~0002594

+1 also here having starting troubles when using the repo with Puppet

stephand

2019-09-03 10:54

developer   ~0003567

Does this Puppet related problem still exist with the current bareos 18.2 repos?
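
Added example, not part of the original thread: a Python check that reads the digest algorithm ID from every OpenPGP signature packet in a Release.gpg file, so a repository consumer can see whether a SHA256 signature is present next to the SHA1 one. The sample packets are constructed, and the WEAK set and all function names are assumptions of this example.

```python
import base64

HASH_NAMES = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",  # RFC 4880
              9: "SHA384", 10: "SHA512", 11: "SHA224"}           # section 9.4
WEAK = {"MD5", "SHA1", "RIPEMD160"}  # assumption: digests this check flags

def dearmor(data):  # raw packets from ASCII-armored or already binary input
    if not data.lstrip().startswith(b"-----BEGIN PGP SIGNATURE-----"):
        return data
    lines = [l.strip() for l in data.strip().splitlines()][1:]
    lines = lines[lines.index(b"") + 1:] if b"" in lines else lines  # skip headers
    return base64.b64decode(b"".join(  # skip the "=XXXX" CRC24 and END lines
        l for l in lines if not l.startswith((b"=", b"-----"))))

def signature_digests(data):
    """Digest name of every signature packet (tag 2) in a Release.gpg blob."""
    buf, pos, found = dearmor(data), 0, []
    while pos < len(buf):
        hdr, first = buf[pos], buf[pos + 1]
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet stream")
        if hdr & 0x40:  # new-format header: tag in the low 6 bits
            tag = hdr & 0x3F
            if first < 192:
                length, pos = first, pos + 2
            elif first < 224:
                length, pos = ((first - 192) << 8) + buf[pos + 2] + 192, pos + 3
            elif first == 255:
                length, pos = int.from_bytes(buf[pos + 2:pos + 6], "big"), pos + 6
            else:
                raise ValueError("partial body lengths not supported")
        else:  # old-format header: tag in bits 5-2, length type in bits 1-0
            tag, n = (hdr >> 2) & 0x0F, 1 << (hdr & 0x03)
            if n == 8:
                raise ValueError("indeterminate length not supported")
            length, pos = int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n
        body, pos = buf[pos:pos + length], pos + length
        if tag == 2:  # v3 keeps the hash ID at offset 16, later versions at 3
            algo = body[16] if body[0] == 3 else body[3]
            found.append(HASH_NAMES.get(algo, f"unknown({algo})"))
    return found

def weak_digests(data):
    return [d for d in signature_digests(data) if d in WEAK]

def constructed_sig(algo):  # constructed sample packet, not a real signature
    return bytes([0x88, 13, 4, 0, 1, algo, 0, 0, 0, 0, 0xAB, 0xCD, 0, 8, 0xFF])

SAMPLE = (b"-----BEGIN PGP SIGNATURE-----\n\n" + base64.b64encode(
    constructed_sig(2) + constructed_sig(8)) + b"\n-----END PGP SIGNATURE-----\n")
```

For a real repository, pass the bytes of the downloaded Release.gpg to `weak_digests`; an empty list means no signature packet uses a flagged digest.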

Issue History

Date Modified Username Field Change
2016-06-14 12:22 jungingen New Issue
2016-10-24 15:57 joergs Note Added: 0002407
2016-10-24 15:59 joergs bareos-master: impact => yes
2016-10-24 15:59 joergs bareos-master: action => will care
2016-10-24 15:59 joergs bareos-16.2: impact => yes
2016-10-24 15:59 joergs bareos-16.2: action => will care
2016-10-24 15:59 joergs bareos-15.2: impact => yes
2016-10-24 15:59 joergs bareos-15.2: action => will care
2016-10-24 15:59 joergs bareos-14.2: impact => yes
2016-10-24 15:59 joergs bareos-14.2: action => will care
2016-10-24 15:59 joergs bareos-13.2: impact => no
2016-10-24 15:59 joergs bareos-12.4: impact => no
2016-10-24 15:59 joergs Priority normal => low
2016-10-24 15:59 joergs Severity major => minor
2016-10-24 15:59 joergs Status new => confirmed
2016-11-08 19:27 monotek Note Added: 0002440
2016-11-09 06:48 tudor Note Added: 0002441
2017-03-03 18:34 kim-sondrup Note Added: 0002594
2017-10-02 15:02 joergs Assigned To => stephand
2017-10-02 15:02 joergs Status confirmed => assigned
2019-09-03 10:54 stephand Status assigned => feedback
2019-09-03 10:54 stephand Note Added: 0003567