
Re: [SECURITY] [DSA 4371-1] apt security update



On Tue, Jan 22, 2019 at 01:44:12PM +0000, Ben Hutchings wrote:
>On Tue, 2019-01-22 at 13:17 +0100, Yves-Alexis Perez wrote:
>> -------------------------------------------------------------------------
>> Debian Security Advisory DSA-4371-1                   security@debian.org
>> https://www.debian.org/security/                        Yves-Alexis Perez
>> January 22, 2019                      https://www.debian.org/security/faq
>> -------------------------------------------------------------------------
>> 
>> Package        : apt
>> CVE ID         : CVE-2019-3462
>> 
>> Max Justicz discovered a vulnerability in APT, the high level package manager.
>> The code handling HTTP redirects in the HTTP transport method doesn't properly
>> sanitize fields transmitted over the wire. This vulnerability could be used by
>> an attacker located as a man-in-the-middle between APT and a mirror to inject
>> malicious content in the HTTP connection. This content could then be recognized
>> as a valid package by APT and used later for code execution with root
>> privileges on the target machine.
>[...]
>
>This presumably needs to be fixed for jessie LTS as well, and I see
>Chris Lamb has claimed it.
>
>However, APT is used during initial installation and we don't have any
>provision for updating installer images during LTS.  So we're either
>going to have to revisit that or come up with some kind of workaround
>for installation time.

I can help with new jessie installation images, but it'll need a bit
of prep work. debian-cd doesn't pull from security or lts by default.

-- 
Steve McIntyre, Cambridge, UK.                                steve@einval.com
"Managing a volunteer open source project is a lot like herding
 kittens, except the kittens randomly appear and disappear because they
 have day jobs." -- Matt Mackall
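
The advisory quoted above says only that the HTTP method "doesn't properly
sanitize fields transmitted over the wire". What that bug class looks like,
as an added illustration that is not apt's code and not part of this thread:
a transport helper that forwards an HTTP redirect to its parent over a
line-oriented message protocol, and copies the server-controlled Location
header into that message verbatim. The message layout, field names, URLs and
the attacker header are all constructed for the example (apt's real
acquire-method protocol and its actual fix are not reproduced); the
hardening shown is the check a practitioner would expect: reject control
characters in the field and require an absolute http(s) target before it
is written into the protocol stream.

```python
"""Added example for DSA-4371-1 / CVE-2019-3462 (not apt's own code).

Models a helper that reports HTTP redirects to its parent over a simplified
line-oriented protocol and shows why an unsanitized Location header is
dangerous: a newline in the header ends the helper's message early and lets
the attacker append a fabricated message of their own.
"""

import re

# Simplified message format (an assumption, not apt's real protocol):
#   "<code> <description>" header line, "Key: value" field lines,
#   terminated by an empty line.


class BadRedirect(ValueError):
    """Raised by the hardened builder when a redirect target is rejected."""


def build_redirect_vulnerable(uri: str, location: str) -> str:
    """Vulnerable form: Location header copied into the protocol unchecked."""
    return f"103 Redirect\nURI: {uri}\nNew-URI: {location}\n\n"


def sanitize_location(location: str) -> str:
    """Reject anything that could break out of one protocol message."""
    # Any control character (CR, LF, NUL, ...) could start a new line or
    # message in the stream, so refuse the whole redirect.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in location):
        raise BadRedirect("control character in Location header")
    # Only follow absolute http(s) URLs with a host and a path.
    if not re.match(r"^https?://[^\s/]+/", location):
        raise BadRedirect("redirect target is not an absolute http(s) URL")
    return location


def build_redirect_hardened(uri: str, location: str) -> str:
    """Hardened form: same message, but the field is validated first."""
    return f"103 Redirect\nURI: {uri}\nNew-URI: {sanitize_location(location)}\n\n"


def parse_messages(stream: str):
    """Parse the helper's output the way a trusting parent would.

    Returns a list of (code, description, fields) tuples, one per message.
    """
    messages = []
    for block in stream.split("\n\n"):
        if not block.strip():
            continue
        lines = block.split("\n")
        code, _, description = lines[0].partition(" ")
        fields = {}
        for line in lines[1:]:
            key, _, value = line.partition(": ")
            fields[key] = value
        messages.append((int(code), description, fields))
    return messages


def message_codes(stream: str):
    """Just the message codes the parent would see, in order."""
    return [code for code, _, _ in parse_messages(stream)]


# Constructed sample data (hostnames and paths are invented).
REQUEST_URI = "http://mirror.example.org/pool/main/p/pkg/pkg_1.0_amd64.deb"
HONEST_LOCATION = "http://mirror2.example.org/pool/main/p/pkg/pkg_1.0_amd64.deb"
# A constructed malicious Location header: the embedded blank line ends the
# 103 message, and the rest is parsed as a second, attacker-written message
# claiming a download finished with an attacker-chosen hash.
ATTACKER_LOCATION = (
    "http://mirror2.example.org/evil.deb\n\n"
    "201 URI Done\n"
    "URI: http://mirror2.example.org/evil.deb\n"
    "Filename: /tmp/evil.deb\n"
    "SHA256-Hash: " + "0" * 64
)

if __name__ == "__main__":
    print("vulnerable:", message_codes(build_redirect_vulnerable(REQUEST_URI, ATTACKER_LOCATION)))
    print("hardened, honest:", message_codes(build_redirect_hardened(REQUEST_URI, HONEST_LOCATION)))
    try:
        build_redirect_hardened(REQUEST_URI, ATTACKER_LOCATION)
    except BadRedirect as exc:
        print("hardened, attacker:", exc)
```

Run stand-alone, the vulnerable builder yields two messages (103 then a
forged 201) from a single redirect, while the hardened builder accepts the
honest redirect and refuses the forged one before anything reaches the
parent. The lesson carries over to any helper protocol that multiplexes
untrusted bytes with its own framing: validate every wire-originated field
against the framing characters, not just against the URL grammar.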

