Tweet
Phoronix: Debian 9.7 Released To Address APT Security Issue
Debian 9.7 is out today as an emergency release for the project...
Debian 9.7 is out today as an emergency release for the project...
-
-
They should use TLS for the connections too and use dane on the package server domains as additional protectiob -
My understanding is that APT allows to download from HTTP, but that's all right cause they check the signature of the packages. This avoids the penalty associated with HTTPS.Originally posted by bemerk View PostComment
-
TLS is problematic when using a proxy to cache package downloads.Originally posted by bemerk View PostComment
-
Anyone understand how an attack like this works? So what if content is injected in to the HTTP stream. That's ALWAYS a possibility regardless of redirection bugs. Isn't the deb package verified after download?
Edit:
Never mind. I found the original source of the bug. I understand how it works now. Wow... that's nasty. I wonder how long this has been used to hack machines running updates over proxies (eg. things like Tor).
Last edited by linner; 23 January 2019, 07:34 PM.Comment
-
That's just for stable though. Does the issue affect testing and unstable as well?Comment
-
Affected were any currently supported Debian 7, 8, 9 and 10. So users of stable, testing, unstable, lts, elts... they all recieved update for this.Originally posted by carewolf View Post
It is just that current release take a note (and here updated installer too) as that is most in use, so hot spot
On existing installations Debian 9 users get this update week ago really, so here news is just updated installer too 
Last edited by dungeon; 24 January 2019, 07:17 AM.Comment
-
Hmm, I just don't see it in the changelog or see any security updates for testing.Originally posted by dungeon View Post
Affected were any currently supported Debian 7, 8, 9 and 10. So users of stable, testing, unstable, lts, elts... they all recieved update for this.
It is just that current release take a note (and here updated installer too) as that is most in use, so hot spot On existing installations Debian 9 users get this update week ago really, so here news is just updated installer too Comment
-
Run:Originally posted by carewolf View Post
Or you could use 'apt show apt' too if you likeCode:apt policy apt
. And see if you have point one installed - this 1.8.0~alpha3.1 ? DSA-4371-1 or CVE-2019-3462 same thing:
Run:
To read changelog. So, this should be at the top:Code:apt changelog apt
Same like you can see on the webapt (1.8.0~alpha3.1) unstable; urgency=emergency * SECURITY UPDATE: content injection in http method (CVE-2019-3462) (LP: #1812353) -- Julian Andres Klode <[email protected]> Tue, 22 Jan 2019 19:52:38 +0100
Last edited by dungeon; 24 January 2019, 09:53 AM.Comment
-
Okay, I had 1.8~beta1.Originally posted by dungeon View Post
Run:
Or you could use 'apt show apt' too if you likeCode:apt policy apt
. And see if you have point one installed - this 1.8.0~alpha3.1 ? DSA-4371-1 or CVE-2019-3462 same thing:
Run:
To read changelog. So, this should be at the top:Code:apt changelog apt
Same like you can see on the web
https://packages.debian.org/buster/aptComment
Comment