On Tue, 2019-01-22 at 13:17 +0100, Yves-Alexis Perez wrote: > ------------------------------------------------------------------------- > Debian Security Advisory DSA-4371-1 security@debian.org > https://www.debian.org/security/ Yves-Alexis Perez > January 22, 2019 https://www.debian.org/security/faq > ------------------------------------------------------------------------- > > Package : apt > CVE ID : CVE-2019-3462 > > Max Justicz discovered a vulnerability in APT, the high level package manager. > The code handling HTTP redirects in the HTTP transport method doesn't properly > sanitize fields transmitted over the wire. This vulnerability could be used by > an attacker located as a man-in-the-middle between APT and a mirror to inject > malicous content in the HTTP connection. This content could then be recognized > as a valid package by APT and used later for code execution with root > privileges on the target machine. [...] This presumably needs to be fixed for jessie LTS as well, and I see Chris Lamb has claimed it. However, APT is used during initial installation and we don't have any provision for updating installer images during LTS. So we're either going to have to revisit that or come up with some kind of workaround for installation time. Ben. -- Ben Hutchings Power corrupts. Absolute power is kind of neat. - John Lehman
Attachment:
signature.asc
Description: This is a digitally signed message part