odarriba/docker-timemachine

[Security] Netatalk download unsecured, should be verified.

Closed this issue · 3 comments

Problem

In the Dockerfile the service netatalk is installed like this:

wget http://prdownloads.sourceforge.net/netatalk/netatalk-${netatalk_version}.tar.gz

In particular:

  • No SSL is being used.
  • No signatures are verified.

This leaves all users of this image exposed if MITM or similar attacks are / have been performed at build time.

Proposed Solution

  • Downloads should be done via https://. The official URL seems to be https://downloads.sourceforge.net/project/netatalk/netatalk/3.1.10/netatalk-3.1.10.tar.bz2.
  • The client (e.g., wget, curl) should verify the SSL certificate.
  • Preferably, if GPG signatures for netatalk exist (haven't checked), they should also be verified. (Sourceforge doesn't have the best reputation for secure hosting ...)
  • A new version with the changes above should be released soon.
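As an added example (not code from odarriba/docker-timemachine), the download step below shows the three points of the proposed solution in one shell fragment suitable for a Dockerfile RUN line: HTTPS only, certificate verification left on (curl's default, with the scheme pinned so a redirect to plain HTTP is refused), and a SHA-256 check of the archive before it is unpacked, with an optional detached-signature check. The URL is the 3.1.10 one quoted above; the digest and keyring path are placeholders, and the function names are mine.

```shell
#!/bin/sh
# Added example, not the project's own Dockerfile. Downloads the netatalk
# tarball over HTTPS with certificate verification and checks it against a
# known-good SHA-256 digest before anything is extracted. NETATALK_SHA256 is
# a placeholder: take the real value from the upstream release notes, not
# from the same server that serves the tarball.
set -eu

NETATALK_VERSION="${NETATALK_VERSION:-3.1.10}"
NETATALK_URL="https://downloads.sourceforge.net/project/netatalk/netatalk/${NETATALK_VERSION}/netatalk-${NETATALK_VERSION}.tar.bz2"
NETATALK_SHA256="${NETATALK_SHA256:-REPLACE_WITH_KNOWN_GOOD_DIGEST}"   # placeholder value

# Print the SHA-256 hex digest of a file, using whichever tool is present.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Return 0 when the file's digest equals the expected one, 1 otherwise.
# Comparison is case-insensitive so an upper-case digest copied from a
# release page still matches.
verify_sha256() {
  file="$1"; expected="$2"
  actual="$(sha256_of "$file")"
  if [ "$(printf '%s' "$actual" | tr 'A-F' 'a-f')" = "$(printf '%s' "$expected" | tr 'A-F' 'a-f')" ]; then
    return 0
  fi
  echo "checksum mismatch for $file: expected $expected, got $actual" >&2
  return 1
}

# Fetch over HTTPS only and verify the digest. curl checks the server
# certificate against the installed CA bundle by default; --proto '=https'
# rejects plain-HTTP URLs and redirects, --fail makes an HTTP error page a
# non-zero exit instead of a bogus archive. Never add -k/--insecure here.
fetch_verified() {
  url="$1"; out="$2"; expected="$3"
  curl --fail --location --proto '=https' --tlsv1.2 --silent --show-error \
       --output "$out" "$url"
  verify_sha256 "$out" "$expected"
}

# Optional second check if upstream ships a detached signature: verify it
# against a keyring whose key was obtained out of band (path is a placeholder).
verify_signature() {
  archive="$1"; sig="$2"; keyring="${3:-/etc/netatalk-release-keys.gpg}"
  gpg --batch --no-default-keyring --keyring "$keyring" --verify "$sig" "$archive"
}

# Example use, as it would appear in a RUN step:
#   fetch_verified "$NETATALK_URL" /tmp/netatalk.tar.bz2 "$NETATALK_SHA256" \
#     && tar -xjf /tmp/netatalk.tar.bz2 -C /tmp
```

Because `set -e` is in force, a failed certificate check, a non-HTTPS redirect, an HTTP error or a digest mismatch all abort the image build instead of silently compiling whatever was served.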

You are right: the download should be done, at least, using HTTPS.

I'm going to prepare a patch right now.

Thanks for the report 😃

I'm replacing wget with curl, as it provides better HTTPS check support.

Also, looking at the cURL man page, it said:

All SSL connections are attempted to be made secure by using the CA certificate bundle installed by default. This makes all connections considered "insecure" fail unless -k, --insecure is used.

so it looks like certificates are checked by default.

Also, I added the HTTPS url schema you suggested.

New image generated automatically on Docker Hub: afe4dc65d14d