Debian 9.7 Released To Address APT Security Issue

  • dungeon
    replied
    Originally posted by carewolf:
    That's just for stable though. Does the issue affect testing and unstable as well?
    Affected were all currently supported Debian releases: 7, 8, 9 and 10. So users of stable, testing, unstable, lts, elts... they all received an update for this.

    It is just that the current release gets a note (and here an updated installer too) as that is the most in use, so a hot spot. On existing installations Debian 9 users got this update a week ago really, so here the news is just the updated installer too.
    Last edited by dungeon; 24 January 2019, 07:17 AM.

  • carewolf
    replied
    That's just for stable though. Does the issue affect testing and unstable as well?

  • linner
    replied
    Anyone understand how an attack like this works? So what if content is injected in to the HTTP stream. That's ALWAYS a possibility regardless of redirection bugs. Isn't the deb package verified after download?

    Edit:
    Never mind. I found the original source of the bug. I understand how it works now. Wow... that's nasty. I wonder how long this has been used to hack machines running updates over proxies (eg. things like Tor).
    tl;dr I found a vulnerability in apt that allows a network man-in-the-middle (or a malicious package mirror) to execute arbitrary code as root on a machine i...
    Last edited by linner; 23 January 2019, 07:34 PM.

  • Mark Rose
    replied
    Originally posted by bemerk:
    They should use TLS for the connections too and use DANE on the package server domains as additional protection.
    TLS is problematic when using a proxy to cache package downloads.

  • UlisesH
    replied
    Originally posted by bemerk:
    They should use TLS for the connections too and use DANE on the package server domains as additional protection.
    My understanding is that APT allows downloading over HTTP, but that's all right because they check the signature of the packages. This avoids the penalty associated with HTTPS.

  • bemerk
    replied
    They should use TLS for the connections too and use DANE on the package server domains as additional protection.

  • phoronix
    started a topic Debian 9.7 Released To Address APT Security Issue

    Phoronix: Debian 9.7 Released To Address APT Security Issue

    Debian 9.7 is out today as an emergency release for the project...