[Security] Netatalk download unsecured, should be verified.
Closed this issue · 3 comments
Problem
In the Dockerfile the service `netatalk` is installed like this:
wget http://prdownloads.sourceforge.net/netatalk/netatalk-${netatalk_version}.tar.gz
In particular:
- No SSL is being used.
- No signatures are verified.
This leaves all users of this image exposed if MITM or similar attacks are / have been performed at build time.
Proposed Solution
- Downloads should be done via `https://`. The official URL seems to be https://downloads.sourceforge.net/project/netatalk/netatalk/3.1.10/netatalk-3.1.10.tar.bz2.
- The client (e.g., `wget`, `curl`) should verify the SSL certificate.
- Preferably, if GPG signatures for `netatalk` exist (haven't checked), they should also be verified. (Sourceforge doesn't have the best reputation for secure hosting ...)
- A new version with the changes above should be released soon.
You are right: the download should be done, at least, using HTTPS.
I'm going to prepare a patch right now.
Thanks for the report 😃
I'm replacing wget with curl, as it provides better HTTPS check support.
Also, looking at the cURL man page, it said:
All SSL connections are attempted to be made secure by using the CA certificate bundle installed by default. This makes all connections considered "insecure" fail unless -k, --insecure is used.
so it looks like certificates are checked by default.
Also, I added the HTTPS URL schema you suggested.
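As an added example (not the project's Dockerfile and not code posted in this thread), a POSIX shell helper that applies the points raised above: HTTPS only, certificate verification left at curl's default, and a pinned SHA-256 digest checked before the tarball is used, since the reporter had not confirmed that GPG signatures exist. The curl options, function names and the sample digest (of a constructed local file) are my own assumptions.

```shell
#!/bin/sh
# Hardened download helper for a Dockerfile RUN step (added example).
# Usage in a Dockerfile:  RUN fetch_verified "$URL" "$PINNED_SHA256" netatalk.tar.bz2
# The pinned digest would be copied from the upstream release page and stored
# in the Dockerfile, so a tampered or swapped archive fails the build.
set -eu

# sha256_of FILE: prints the hex SHA-256 digest (sha256sum or shasum fallback).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_sha256 FILE EXPECTED_HEX: exit 0 only if the digest matches exactly.
verify_sha256() {
    actual=$(sha256_of "$1")
    [ "$actual" = "$2" ]
}

# fetch_verified URL EXPECTED_SHA256 DEST: download over HTTPS and verify.
fetch_verified() {
    url=$1; expected=$2; dest=$3
    # --proto '=https' / --proto-redir '=https': refuse plain http, even via redirect
    # (the original wget line used http://). --fail: an HTTP error page is not saved
    # as the tarball. Certificate verification stays on (no -k / --insecure).
    curl --fail --silent --show-error --location \
         --proto '=https' --proto-redir '=https' --tlsv1.2 \
         --output "$dest" "$url"
    if ! verify_sha256 "$dest" "$expected"; then
        echo "checksum mismatch for $url, discarding $dest" >&2
        rm -f "$dest"
        return 1
    fi
}

# Offline demonstration on a constructed file ("hello\n"); no network needed.
demo=$(mktemp)
printf 'hello\n' > "$demo"
verify_sha256 "$demo" 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03 \
    && echo "checksum OK"
rm -f "$demo"
```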
New image generated automatically on Docker Hub: afe4dc65d14d