Wrong md5 accepted while downloading $FAI_CONFIG_SRC with http
Christian Meyer
c2h5oh at web.de
Sun Sep 6 20:56:08 CEST 2015
Hello there, especially Thomas,
I'm not sure if it's a bug, but I thought I'd better report it.
I'm using FAI 4.3.3 from Debian stable.
FAI can download $FAI_CONFIG_SRC via http for example from a website.
To secure this *.tar.gz archive, a .md5 file (containing the *.tar.gz's checksum) is necessary.
Without this .md5-file FAI aborts the installation. That's good and expected.
BUT: If the .md5-file contains the wrong checksum (I manually changed it for testing purposes)
the installation is continued anyway - using the downloaded config.
IMO this is not acceptable. Please skip verification altogether or make sure only archives with
valid hash are processed.
BTW: md5 isn't that secure these days. ...
Christian Meyer
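
The behaviour the report asks for (a missing checksum file and a wrong checksum both stop the installation, and the archive is unpacked only after a match) can be sketched as below. This is an added example, not FAI's code and not part of the original message; the function names `verify_archive` and `unpack_verified` and the exit codes are hypothetical.

```shell
#!/bin/sh
# Added example (not FAI code): fail-closed checksum verification.
# verify_archive ARCHIVE SUMFILE [TOOL]
#   returns 0 on match, 1 on mismatch, 2 when verification cannot be done.
verify_archive() {
    archive=$1
    sumfile=$2
    tool=${3:-md5sum}   # md5sum as in the post; sha256sum works the same way

    [ -f "$archive" ] || { echo "missing archive: $archive" >&2; return 2; }
    [ -s "$sumfile" ] || { echo "missing or empty checksum file: $sumfile" >&2; return 2; }

    # The expected digest is the first field of the first line ("<hex>  <name>").
    expected=$(awk 'NR==1 { print tolower($1); exit }' "$sumfile")
    case $expected in
        ''|*[!0-9a-f]*) echo "malformed checksum file: $sumfile" >&2; return 2 ;;
    esac

    # An empty result means the hashing tool failed; treat that as an error,
    # never as a match.
    actual=$("$tool" "$archive" 2>/dev/null | awk '{ print $1 }')
    [ -n "$actual" ] || { echo "could not hash $archive" >&2; return 2; }

    if [ "$expected" != "$actual" ]; then
        echo "checksum mismatch for $archive" >&2
        return 1
    fi
    return 0
}

# unpack_verified ARCHIVE SUMFILE DESTDIR [TOOL]
#   The destination directory is created and filled only after verification.
unpack_verified() {
    archive=$1; sumfile=$2; dest=$3; tool=${4:-md5sum}
    verify_archive "$archive" "$sumfile" "$tool" || return $?
    mkdir -p "$dest" && tar -xzf "$archive" -C "$dest"
}
```

A checksum file fetched over plain http from the same server as the archive detects corruption in transit, not deliberate replacement of both files.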