Re: [SECURITY] [DSA 4371-1] apt security update
On Tue, Jan 22, 2019 at 01:44:12PM +0000, Ben Hutchings wrote:
> On Tue, 2019-01-22 at 13:17 +0100, Yves-Alexis Perez wrote:
> > -------------------------------------------------------------------------
> > Debian Security Advisory DSA-4371-1 security@debian.org
> > https://www.debian.org/security/ Yves-Alexis Perez
> > January 22, 2019 https://www.debian.org/security/faq
> > -------------------------------------------------------------------------
> >
> > Package : apt
> > CVE ID : CVE-2019-3462
> >
> > Max Justicz discovered a vulnerability in APT, the high level package manager.
> > The code handling HTTP redirects in the HTTP transport method doesn't properly
> > sanitize fields transmitted over the wire. This vulnerability could be used by
> > an attacker located as a man-in-the-middle between APT and a mirror to inject
> > malicious content in the HTTP connection. This content could then be recognized
> > as a valid package by APT and used later for code execution with root
> > privileges on the target machine.
> [...]
>
> This presumably needs to be fixed for jessie LTS as well, and I see
> Chris Lamb has claimed it.
Julian has already uploaded a fixed package; this only needs the DLA mail at this
point.
Cheers,
Moritz