Last active
May 26, 2024 03:45
Script to find official Debian mirrors that support HTTPS
#!/usr/bin/env python3
import os
import re
import ssl
import sys
import urllib.request
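def _probe_https(url):
    """Report whether *url* can be fetched over HTTPS.

    Prints the same progress messages the script has always printed and
    returns True only when the request succeeds and the final URL, after
    any redirects, is still an https:// URL.  urlopen() uses its default
    TLS context here, which verifies the certificate chain and hostname.
    """
    print('trying: %s...' % url)
    sys.stdout.flush()
    try:
        # The context manager closes the connection; only the final URL
        # is needed, the body is never read.
        with urllib.request.urlopen(url, timeout=1) as response:
            final_url = response.geturl()
    except urllib.request.URLError as err:
        # urlopen() wraps errors raised while connecting (including TLS
        # handshake and certificate failures) in URLError, so look at the
        # wrapped reason to tell a bad certificate from an unreachable
        # host or an HTTP error status.
        if isinstance(err.reason, ssl.SSLError):
            print('bad SSL!')
        else:
            print('fail!')
        return False
    except ssl.SSLError:
        # TLS errors raised after the request was sent are not wrapped.
        print('bad SSL!')
        return False
    except Exception:
        # Read timeouts, connection resets, malformed responses.  Not a
        # bare except, so Ctrl-C still stops the scan.
        print('bad stuff!!!')
        return False
    if not final_url.startswith('https://'):
        # urllib follows redirects, including ones that leave HTTPS; such
        # a mirror does not actually serve the archive over TLS.
        print('redirected to non-HTTPS!')
        return False
    print('success!')
    return True


def _find_https_mirrors(list_url, pattern):
    """Return the mirrors listed at *list_url* that answer over HTTPS.

    *pattern* is a bytes regex matched against each line of the listing;
    its first group must capture everything after the URL scheme
    (starting at the colon), which is then re-prefixed with 'https'.
    A listing that cannot be fetched yields an empty list instead of
    re-scanning a previous listing or aborting the whole run.
    """
    try:
        with urllib.request.urlopen(list_url) as mirrors:
            lines = mirrors.readlines()
    except Exception:
        print('URL open failed!!!')
        return []
    reachable = []
    for line in lines:
        m = re.match(pattern, line)
        if not m:
            continue
        url = 'https' + m.group(1).decode()
        if _probe_https(url):
            reachable.append(url)
    return reachable


# The debian.org listings are fetched over HTTPS so that the set of
# candidate mirrors cannot be altered by someone on the network path.
# The patterns accept both http and https hrefs ("https?") so an entry
# that is already listed as https is not turned into "httpss://...".

# find generic mirrors
https = _find_https_mirrors(
    'https://www.debian.org/mirror/list',
    b'.*<td valign="top"><a rel="nofollow" href="https?(:.*)">.*')

# find security mirrors
securitys = _find_https_mirrors(
    'https://www.debian.org/mirror/list-full',
    b'.*</tt><br>Security updates over HTTP: <tt><a rel="nofollow" href="https?(:.*)">.*/debian-security/</a>.*')

# now find the backports mirrors
# NOTE(review): this listing is still fetched over plain HTTP, so its
# contents are unauthenticated -- confirm whether the host serves HTTPS.
# example line:
#<td><a href="http://be.mirror.eurid.eu/debian-backports/">/debian-backports/</a>
backports = _find_https_mirrors(
    'http://backports-master.debian.org/Mirrors/',
    b'.*<td><a href="https?(:.*)">.*/debian-backports/</a>.*')

# now find the CD image mirrors
# example line:
# <a rel="nofollow" href="http://mirror.easyspeedy.com/debian-cd/">HTTP</a></li>
cds = _find_https_mirrors(
    'https://www.debian.org/CD/http-ftp/',
    b'.*<a rel="nofollow" href="http(:.*)">HTTP</a></li>.*')
print('HTTPS CD image repos:')
for url in cds:
    print(url)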
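# now write everything to a file
dst_filename = '/tmp/https-debian-archives.txt'

# (heading, underline, urls) for each part of the report, in output order.
report_sections = (
    ('HTTPS apt repos', '---------------', https),
    ('HTTPS security repos', '---------------', securitys),
    ('HTTPS backports repos', '--------------------', backports),
    ('HTTPS CD image repos', '--------------------', cds),
)

# /tmp is world-writable and this file name is predictable, so another
# local user could pre-create it as a symlink.  Refuse to follow a symlink
# (where the platform offers O_NOFOLLOW) and create the file owner-only.
open_flags = (os.O_WRONLY | os.O_CREAT | os.O_TRUNC
              | getattr(os, 'O_NOFOLLOW', 0))

# "with" closes the file even if a write fails part-way through.
with os.fdopen(os.open(dst_filename, open_flags, 0o600), 'w') as f:
    print('Outputfile: "%s"' % dst_filename)
    for index, (heading, underline, urls) in enumerate(report_sections):
        if index:
            # two blank lines separate consecutive sections
            f.write('\n\n')
        f.write(heading + '\n')
        f.write(underline + '\n')
        for url in urls:
            f.write(url + '\n')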
CVE-2019-3462 : Remote Code Execution in apt/apt-get
Supporting http is fine. I just think it’s worth making https repositories the default – the safer default – and allowing users to downgrade their security at a later time if they choose to do so. I wouldn’t have been able to exploit the Dockerfile at the top of this post if the default package servers had been using https.
sources:
https://justi.cz/security/2019/01/22/apt-rce.html
https://www.debian.org/security/2019/dsa-4371
@tryingsomestuff @dkg Here is the full output of the Python script, filtered by mirrors that were reachable via HTTPS:
https://debian.unnoba.edu.ar/debian/
https://mirror.aarnet.edu.au/debian/
https://debian.anexia.at/debian/
https://ftp.tu-graz.ac.at/mirror/debian/
https://mirror.internex.at/debian/
https://mirror.datacenter.by/debian/
https://ftp.belnet.be/debian/
https://mirror.as35701.net/debian/
https://repositorio.nti.ufal.br/debian/
https://debian.ludost.net/debian/
https://ftp.uni-sofia.bg/debian/
https://debian.ca-west.mirror.fullhost.com/debian/
https://mirror.csclub.uwaterloo.ca/debian/
https://mirrors.163.com/debian/
https://mirrors.tuna.tsinghua.edu.cn/debian/
https://mirrors.ustc.edu.cn/debian/
https://mirrors.ucr.ac.cr/debian/
https://ftp.debian.cz/debian/
https://ftp.sh.cvut.cz/debian/
https://ftp.zcu.cz/debian/
https://merlin.fit.vutbr.cz/debian/
https://mirror.dkm.cz/debian/
https://mirror.one.com/debian/
https://mirrors.dotsrc.org/debian/
https://debian.ues.edu.sv/debian/
https://ftp.eenet.ee/debian/
https://debian.mirror.ate.info/
https://ftp.lip6.fr/pub/linux/distributions/debian/
https://ftp.u-strasbg.fr/debian/
https://mirror.plusserver.com/debian/debian/
https://mirrors.ircam.fr/pub/debian/
https://debian.grena.ge/debian/
https://artfiles.org/debian/
https://debian.charite.de/debian/
https://debian.inf.tu-dresden.de/debian/
https://debian.tu-bs.de/debian/
https://ftp.fau.de/debian/
https://ftp.halifax.rwth-aachen.de/debian/
https://ftp.mpi-sb.mpg.de/pub/linux/debian/
https://ftp.plusline.net/debian/
https://ftp-stud.hs-esslingen.de/debian/
https://ftp.tu-chemnitz.de/debian/
https://mirror.eu.oneandone.net/debian/
https://mirror.netcologne.de/debian/
https://mirror.wtnet.de/debian/
https://packages.hs-regensburg.de/debian/
https://mirror.xtom.com.hk/debian/
https://ftp.fsn.hu/debian/
https://debian.simnet.is/debian/
https://mirror.isoc.org.il/pub/debian/
https://debian.mirror.garr.it/debian/
https://ftp.linux.it/debian/
https://dennou-k.gfd-dennou.org/debian/
https://dennou-q.gfd-dennou.org/debian/
https://ftp.jaist.ac.jp/debian/
https://ftp.yz.yamagata-u.ac.jp/debian/
https://mirror.hoster.kz/debian/
https://mirror.ps.kz/debian/
https://debian.mirror.liquidtelecom.com/debian/
https://ftp.harukasan.org/debian/
https://ftp.lanet.kr/debian/
https://debian.koyanet.lv/debian/
https://mirror.litnet.lt/debian/
https://debmirror.tuxis.nl/debian/
https://ftp.nluug.nl/debian/
https://mirror.i3d.net/pub/debian/
https://mirror.neostrada.nl/debian/
https://mirror.nforce.com/debian/
https://mirror.nl.datapacket.com/debian/
https://mirror.novg.net/debian/
https://mirror.serverius.net/debian/
https://mirror.vpgrp.io/debian/
https://mirror.fsmg.org.nz/debian/
https://mirror.pregi.net/debian/
https://ftp.icm.edu.pl/pub/Linux/debian/
https://ftp.eq.uc.pt/software/Linux/debian/
https://ftp.rnl.tecnico.ulisboa.pt/pub/debian/
https://mirrors.up.pt/debian/
https://mirrors.nav.ro/debian/
https://mirrors.nxthost.com/debian/
https://mirrors.pidginhost.com/debian/
https://ftp.psn.ru/debian/
https://mirror.corbina.net/debian/
https://mirror.0x.sg/debian/
https://ftp.arnes.si/debian/
https://debian.redimadrid.es/debian/
https://debian.redparra.com/debian/
https://ftp.caliu.cat/debian/
https://ftp.cica.es/debian/
https://ftp.acc.umu.se/debian/
https://mirror.linux.pizza/debian/
https://mirror.zetup.net/debian/
https://debian.ethz.ch/debian/
https://mirror.init7.net/debian/
https://mirror.iway.ch/debian/
https://mirror.sinavps.ch/debian/
https://pkg.adfinis-sygroup.ch/debian/
https://debian.csie.ntu.edu.tw/debian/
https://ftp.ntou.edu.tw/debian/
https://mirror.applebred.net/debian/
https://mirror.kku.ac.th/debian/
https://ftp.metu.edu.tr/debian/
https://debian.volia.net/debian/
https://debian.mirror.uk.sargasso.net/debian/
https://mirror.bytemark.co.uk/debian/
https://mirror.mythic-beasts.com/debian/
https://mirror.sax.uk.as61049.net/debian/
https://mirrorservice.org/sites/ftp.debian.org/debian/
https://mirror.sucs.swan.ac.uk/pub/linux/debian/
https://mirror.vorboss.net/debian/
https://debian.osuosl.org/debian/
https://mirror.hmc.edu/debian/
https://mirror.math.princeton.edu/pub/debian/
https://mirrors.bloomu.edu/debian/
https://mirrors.cat.pdx.edu/debian/
https://mirrors.edge.kernel.org/debian/
https://mirrors.gigenet.com/debian/
https://mirror.sjc02.svwh.net/debian/
https://mirrors.lug.mtu.edu/debian/
https://mirrors.namecheap.com/debian/
https://mirrors.ocf.berkeley.edu/debian/
https://mirrors.syringanetworks.net/debian/
https://mirror.steadfast.net/debian/
https://mirrors.wikimedia.org/debian/
https://mirrors.xmission.com/debian/
https://repo.cure.edu.uy/debian/
I forked this and made it asynchronous and parallel (for Python 3.7+): https://gist.github.com/HacKanCuBa/e3a998d68a82f81dbf11f2cce4f26d04
@eighthave thanks for writing this! it would be great if you could publish the current results someplace. We should encourage more mirror operators to offer https.