| Summary: | 6 of the mirrors available now lead to a web proxy selling service. They all have proxy in the host name of the url. | ||
|---|---|---|---|
| Product: | Infrastructure | Reporter: | katnatek <j.alberto.vc> |
| Component: | Others | Assignee: | Sysadmin Team <sysadmin-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | |
| Severity: | critical | ||
| Priority: | release_blocker | CC: | LpSolit, davidwhodgins, ouaurelien, pterjan, sysadmin-bugs, yvesbrungard |
| Version: | unspecified | ||
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://eu13.proxysite.com/process.php/distrib/cauldron/i586/install/images/Mageia-8-netinstall-nonfree-i586.iso | ||
| Whiteboard: | |||
| Source RPM: | | CVE: | |
| Status comment: | |||
|
Description

katnatek
2021-02-18 05:01:39 CET

Confirmed. All six of the mirrors listed at http://mirrors.mageia.org/ with proxy in their name are now going to some sites selling proxy services. Are they new mirror entries added by a spammer or did they used to actually provide mirror services?

While this is an infrastructure bug, I consider it a release blocker for the final release of Mageia 8.

Severity:
normal =>
critical

Dave Hodgins
2021-02-18 06:24:07 CET

Summary:
Mirror of netinstall nonfree don't works (maybe don't exist) =>
6 of the mirrors available now lead to a web proxy selling service. They all have proxy in the host name of the url.

katnatek, the other sites listed under the URLS column that are not red do still work, such as https://mirror.math.princeton.edu/pub/mageia/distrib/8/i586/install/images/Mageia-8-netinstall-nonfree-i586.iso

Thus, to be explicit and for reference:

- eu13.proxysite.com
- nl.hideproxy.me
- websiteproxy.net
- us1.proxysite.xyz
- us8.freeproxy.win
- us8.webproxy.best

Note that ftp.linux.org.tr is said syncing on one of them, but is up to date, thus the information is probably erroneous.

CC:
(none) =>
yves.brungard_mageia

The 6 mirrors, all added on 2021-02-06, were deleted but I thought the URL was tested when adding a new mirror.
```
mirrors=> select * from hosts where hostname like '%proxy%';
      hostname      | country |     city      | readonly | infourl | hostby | sponsorurl | comment | contact |            syncfrom            | public |  bandwidth  | latitude | longitude |             added
--------------------+---------+---------------+----------+---------+--------+------------+---------+---------+--------------------------------+--------+-------------+----------+-----------+-------------------------------
 eu13.proxysite.com | US      | New York City | f        |         |        |            |         |         | mirror.datacenter.by           | t      |   104857600 |       38 |       -97 | 2021-02-06 17:49:26.832893+01
 nl.hideproxy.me    | NL      | Amsterdam     | f        |         |        |            |         |         | distrib-coffee.ipsl.jussieu.fr | t      |   104857600 |     52.5 |      5.75 | 2021-02-06 17:50:47.8559+01
 websiteproxy.net   | GB      | London        | f        |         |        |            |         |         | mageia.jameswhitby.net         | t      | 10737418240 |       54 |        -2 | 2021-02-06 17:56:50.195975+01
 us1.proxysite.xyz  | US      | New York      | f        |         |        |            |         |         | nl.hideproxy.me                | t      |             |       38 |       -97 | 2021-02-06 17:59:20.809293+01
 us8.freeproxy.win  | AQ      | Antartica     | f        |         |        |            |         |         | distro.ibiblio.org             | t      |  2147483648 |       12 |        12 | 2021-02-06 18:02:50.215639+01
 us8.webproxy.best  | VG      | Hokoko        | f        |         |        |            |         |         | mirror.freedif.org             | t      |  1073741824 |       50 |        23 | 2021-02-06 18:05:18.527378+01
(6 rows)

mirrors=> delete from hosts where hostname like '%proxy%';
DELETE 6
```

CC:
(none) =>
pterjan

There were 2 more:
```
mirrors=> SELECT * FROM hosts WHERE added > TO_TIMESTAMP('2021-02-06', 'YYYY-MM-DD');
         hostname         | country |   city    | readonly | infourl | hostby | sponsorurl | comment | contact |        syncfrom         | public | bandwidth  | latitude | longitude |             added
--------------------------+---------+-----------+----------+---------+--------+------------+---------+---------+-------------------------+--------+------------+----------+-----------+-------------------------------
 us.hidester.com          | DZ      | Hong Kong | f        |         |        |            |         |         | fr2.rpmfind.net         | t      | 1073741824 |       32 |        21 | 2021-02-06 17:54:04.798602+01
 us8.unblockyoutube.video | BM      | Bermuda   | f        |         |        |            |         |         | mirror.softiternity.com | t      |            |       73 |        19 | 2021-02-06 18:07:15.98535+01
(2 rows)
```
I think we should disable the uncontrolled adding of mirrors at least until we have some better verification in place. and just add a note about mailing a request for adding mirror so it can be verified...

iirc gcc mirrors hit a similar issue some years back when some autoparts company ...

Looking at the url validation code, it tries to download it and is happy if it succeeds, whatever the content is :(

(In reply to Thomas Backlund from comment #6)
> I think we should disable the uncontrolled adding of mirrors at least until
> we have some better verification in place.

I agree. Else it's too easy to use it to distribute illegal content or malware.

https://mirrors.mageia.org/mirrors/mirror.adminbannok.com doesn't work either. When you click the link to the distribution, it says that the connection fails.

https://mirrors.mageia.org/mirrors/aglae.biomedicale.univ-paris5.fr requires a login and password.

https://mirrors.mageia.org/mirrors/mirror.atlanta.delimiter.com also doesn't work at all.

I didn't check the other mirrors.

CC:
(none) =>
LpSolit

(In reply to Frédéric "LpSolit" Buclin from comment #8)
> (In reply to Thomas Backlund from comment #6)
> > I think we should disable the uncontrolled adding of mirrors at least until
> > we have some better verification in place.
>
> I agree. Else it's too easy to use it to distribute illegal content or
> malware.
>
> https://mirrors.mageia.org/mirrors/mirror.adminbannok.com doesn't work
> either. When you click the link to the distribution, it says that the
> connection fails.

fails here too.

> https://mirrors.mageia.org/mirrors/aglae.biomedicale.univ-paris5.fr requires
> a login and password.

this one works here...

> https://mirrors.mageia.org/mirrors/mirror.atlanta.delimiter.com also doesn't
> work at all.

don't seem to work here either

(In reply to Thomas Backlund from comment #9)
> > https://mirrors.mageia.org/mirrors/aglae.biomedicale.univ-paris5.fr requires
> > a login and password.
>
> this one works here...

https://aglae.biomedicale.univ-paris5.fr/ doesn't ask you for a login and a password?

(In reply to Frédéric "LpSolit" Buclin from comment #10)
> (In reply to Thomas Backlund from comment #9)
> > > https://mirrors.mageia.org/mirrors/aglae.biomedicale.univ-paris5.fr requires
> > > a login and password.
> >
> > this one works here...
>
> https://aglae.biomedicale.univ-paris5.fr/ doesn't ask you for a login and a
> password?

https does, not http :)

We should forbid insecure connections (http ones) IMHO; https only.

Mageia is no longer on https://mirrors.mageia.org/mirrors/mirror.netcologne.de, see https://mirror.netcologne.de/. A huge cleanup would be useful, IMO. :)

(In reply to Aurelien Oudelet from comment #14)
> In France, http://ftp.free.fr/mirrors/mageia.org/distrib/ is in http...

It's time for Free to secure their connections. ;)

why ?

just because something is served over https does not guarantee the contents are ok... that's just an illusion introduced by "security experts"...

it's the same as with the clueless mantra that everything should be served over https or "downgraded by search engines..."

that means that if people for example trust everything on a news site, just because the browser says the page is secure ... they are already screwed...

an old city official I know used to, all the _way_ back in the '80s, when people asked him "have you heard/seen...", reply: "is it true, or did you read it in the newspaper"... nowadays that would also be s/in the newspaper/on the internet/...

(In reply to Thomas Backlund from comment #16)
> why ?
>
> just because something is served over https does not guarantee the contents
> are ok...

I never said the content was trusted. I talked about secure connections. Not the same thing.

(In reply to Frédéric "LpSolit" Buclin from comment #17)
> (In reply to Thomas Backlund from comment #16)
> > why ?
> >
> > just because something is served over https does not guarantee the contents
> > are ok...
>
> I never said the content was trusted. I talked about secure connections. Not
> the same thing.

what does a secure connection give you if you don't trust the content ?

and the thing I questioned is "We should forbid insecure connections"... at this point it does not gain us anything other than a lower mirror count...

A secure connection provides no additional benefits, since the rpm packages and iso images are all gpg signed.

Closing this bug as the proxy spam sites are no longer listed in http://mirrors.mageia.org/

While securing the mirror management does need to be taken care of, that should be in a new bug report.

Resolution:
(none) =>
FIXED

Wow! happy to see that my report brought this to light

(In reply to katnatek from comment #20)
> Wow! happy to see that my report brought this to light

Thanks for reporting it. As I normally use a specific mirror myself, I would not have noticed it.

While the procedures for adding new mirrors still have to be properly secured, those mirrors have been removed, and I'll be keeping an eye on the list until the procedures are secured.
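The thread's root cause is a URL check that "tries to download it and is happy if it succeeds, whatever the content is", which a web-proxy storefront answering 200 OK for any path passes trivially. The following is an added example, not Mageia's mirror-management code: a content-aware validator that fetches a known reference file through the candidate mirror and accepts it only if the bytes hash to the canonical SHA-256 and the response is not an HTML page. It sits beside a `naive_validate` that models the behaviour the thread describes. The reference path `distrib/8/SHA256SUMS`, the `Fetcher` interface, and every host in `FAKE_SITES` are constructed for the example so it runs offline; `http_fetch` is a real standard-library fetcher for use against live hosts. As the closing comment notes, packages and ISOs are GPG-signed, so this check protects the integrity of the mirror list, not of the packages themselves.

```python
"""Content-aware mirror validation (added example; not Mageia's mirror code)."""
import hashlib
from typing import Callable, Dict, NamedTuple, Tuple
from urllib.parse import urljoin
from urllib.request import Request, urlopen

# Hypothetical reference file: any small, rarely changing file under the mirror tree.
CANARY_PATH = "distrib/8/SHA256SUMS"


class Response(NamedTuple):
    status: int
    content_type: str
    body: bytes


Fetcher = Callable[[str], Response]


def http_fetch(url: str, timeout: float = 15.0) -> Response:
    """Real fetcher on the standard library; used when no test fetcher is injected."""
    req = Request(url, headers={"User-Agent": "mirror-validator-example/0.1"})
    with urlopen(req, timeout=timeout) as resp:
        return Response(resp.status, resp.headers.get("Content-Type", ""), resp.read())


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def looks_like_html(resp: Response) -> bool:
    """A web proxy or landing page answers with HTML even when a file path was requested."""
    ctype = resp.content_type.split(";")[0].strip().lower()
    head = resp.body.lstrip()[:16].lower()
    return ctype in ("text/html", "application/xhtml+xml") or head.startswith((b"<!doctype html", b"<html"))


def naive_validate(base_url: str, fetch: Fetcher = http_fetch) -> bool:
    """Models the check the thread describes: any successful download passes."""
    try:
        return fetch(urljoin(base_url.rstrip("/") + "/", CANARY_PATH)).status == 200
    except Exception:
        return False


def validate_mirror(base_url: str, expected_sha256: str, fetch: Fetcher = http_fetch) -> Tuple[bool, str]:
    """Return (accepted, reason); accept only when the canary file matches the canonical hash."""
    url = urljoin(base_url.rstrip("/") + "/", CANARY_PATH)
    try:
        resp = fetch(url)
    except Exception as exc:  # DNS failure, timeout, HTTP error, TLS error, ...
        return False, f"fetch failed: {exc}"
    if resp.status != 200:
        return False, f"unexpected HTTP status {resp.status}"
    if looks_like_html(resp):
        return False, "got an HTML page instead of the reference file"
    got = sha256_hex(resp.body)
    if got != expected_sha256:
        return False, f"checksum mismatch: {got[:12]}... != {expected_sha256[:12]}..."
    return True, "ok"


# --- Constructed fixtures: a fake network so the example runs offline ----------
CANONICAL_BYTES = b"0123abcd  Mageia-8-netinstall-nonfree-i586.iso\n"  # constructed content
CANONICAL_SHA256 = sha256_hex(CANONICAL_BYTES)

FAKE_SITES: Dict[str, Response] = {
    # honest mirror: serves the exact reference file
    "https://good-mirror.example/mageia/": Response(200, "text/plain", CANONICAL_BYTES),
    # web-proxy storefront: 200 OK for any path, but the body is its own HTML page
    "https://proxy-seller.example/": Response(
        200, "text/html; charset=utf-8",
        b"<!DOCTYPE html><html><body>Buy our proxy plans</body></html>"),
    # stale or tampered mirror: plausible content type, wrong bytes
    "https://stale-mirror.example/mageia/": Response(200, "application/octet-stream", b"0000  something-else.iso\n"),
}


def fake_fetch(url: str) -> Response:
    """Constructed fetcher: answers for the hosts above, fails for anything else."""
    for base, resp in FAKE_SITES.items():
        if url.startswith(base):
            return resp
    raise ConnectionError("constructed: host unreachable")


if __name__ == "__main__":
    for site in list(FAKE_SITES) + ["https://down.example/"]:
        ok, why = validate_mirror(site, CANONICAL_SHA256, fake_fetch)
        print(f"naive={'pass' if naive_validate(site, fake_fetch) else 'fail'} "
              f"strict={'ACCEPT' if ok else 'REJECT'} {site}: {why}")
```

Run as-is it shows the proxy storefront passing the naive check and failing the strict one, while the honest mirror passes both. Against live hosts, pass `http_fetch` (the default) and a hash taken from the canonical server rather than from the candidate; re-running the check periodically, not only at registration, would also catch a mirror that turns bad later, which the thread's "huge cleanup" remark suggests happens in practice.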