Debian 9.7 Released To Address APT Security Issue

  • Debian 9.7 Released To Address APT Security Issue

    Phoronix: Debian 9.7 Released To Address APT Security Issue

    Debian 9.7 is out today as an emergency release for the project...

    http://www.phoronix.com/scan.php?pag...n-9.7-Released

  • #2
    They should use TLS for the connections too and use DANE on the package server domains as additional protection.

    Comment


    • #3
      Originally posted by bemerk View Post
      They should use TLS for the connections too and use DANE on the package server domains as additional protection.
      My understanding is that APT allows downloading over HTTP, but that's all right because they check the signatures of the packages. This avoids the penalty associated with HTTPS.

      Comment


      • #4
        Originally posted by bemerk View Post
        They should use TLS for the connections too and use DANE on the package server domains as additional protection.
        TLS is problematic when using a proxy to cache package downloads.

        Comment


        • #5
          Anyone understand how an attack like this works? So what if content is injected into the HTTP stream. That's ALWAYS a possibility regardless of redirection bugs. Isn't the deb package verified after download?

          Edit:
          Never mind. I found the original source of the bug. I understand how it works now. Wow... that's nasty. I wonder how long this has been used to hack machines running updates over proxies (e.g. things like Tor).
          https://justi.cz/security/2019/01/22/apt-rce.html
          Last edited by linner; 01-23-2019, 07:34 PM.

          Comment


          • #6
            That's just for stable though. Does the issue affect testing and unstable as well?

            Comment


            • #7
              Originally posted by carewolf View Post
              That's just for stable though. Does the issue affect testing and unstable as well?
              Affected were all currently supported Debian releases, 7, 8, 9 and 10. So users of stable, testing, unstable, LTS, ELTS... they all received the update for this.

              It is just that the current release gets a note (and here an updated installer too), as that is the most in use, so the hot spot. On existing installations Debian 9 users got this update a week ago really, so here the news is just the updated installer too.
              Last edited by dungeon; 01-24-2019, 07:17 AM.

              Comment


              • #8
                Originally posted by dungeon View Post

                Affected were all currently supported Debian releases, 7, 8, 9 and 10. So users of stable, testing, unstable, LTS, ELTS... they all received the update for this.

                It is just that the current release gets a note (and here an updated installer too), as that is the most in use, so the hot spot. On existing installations Debian 9 users got this update a week ago really, so here the news is just the updated installer too.
                Hmm, I just don't see it in the changelog or see any security updates for testing.

                Comment


                • #9
                  Originally posted by carewolf View Post

                  Hmm, I just don't see it in the changelog or see any security updates for testing.
                  Run:

                  Code:
                  apt policy apt
                  Or you could use 'apt show apt' too if you like, and see if you have the point-one release installed, this 1.8.0~alpha3.1. DSA-4371-1 or CVE-2019-3462, same thing:

                  Run:

                  Code:
                  apt changelog apt
                  to read the changelog. This should be at the top:

                  Code:
                  apt (1.8.0~alpha3.1) unstable; urgency=emergency

                    * SECURITY UPDATE: content injection in http method (CVE-2019-3462)
                      (LP: #1812353)

                   -- Julian Andres Klode <[email protected]>  Tue, 22 Jan 2019 19:52:38 +0100
                  Same as you can see on the web:

                  https://packages.debian.org/buster/apt
                  Last edited by dungeon; 01-24-2019, 09:53 AM.

                  Comment


                  • #10
                    Originally posted by dungeon View Post

                    Run:

                    Code:
                    apt policy apt
                    Or you could use 'apt show apt' too if you like, and see if you have the point-one release installed, this 1.8.0~alpha3.1. DSA-4371-1 or CVE-2019-3462, same thing:

                    Run:

                    Code:
                    apt changelog apt
                    to read the changelog. This should be at the top:



                    Same as you can see on the web:

                    https://packages.debian.org/buster/apt
                    Okay, I had 1.8~beta1.

                    Comment
