[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: [SECURITY] [DLA 1637-1] apt security update (amended)

Would it be best practice to disable HTTP connections for apt and is
the latter even possible?

Thank you

On Tue, Jan 22, 2019 at 9:55 AM Julian Andres Klode <jak@debian.org> wrote:
>
> Package        : apt
> Version        : 1.0.9.8.5
> CVE ID         : CVE-2019-3462
> Debian Bug     :
>
> (amended to refer to jessie in the sources.list entry below, instead of
>  stable)
>
> Max Justicz discovered a vulnerability in APT, the high level package manager.
> The code handling HTTP redirects in the HTTP transport method doesn't properly
> sanitize fields transmitted over the wire. This vulnerability could be used by
> an attacker located as a man-in-the-middle between APT and a mirror to inject
> malicous content in the HTTP connection. This content could then be recognized
> as a valid package by APT and used later for code execution with root
> privileges on the target machine.
>
> Since the vulnerability is present in the package manager itself, it is
> recommended to disable redirects in order to prevent exploitation during this
> upgrade only, using:
>
>  apt -o Acquire::http::AllowRedirect=false update
>  apt -o Acquire::http::AllowRedirect=false upgrade
>
> This is known to break some proxies when used against security.debian.org. If
> that happens, people can switch their security APT source to use:
>
>  deb http://cdn-fastly.deb.debian.org/debian-security jessie/updates main
>
> For Debian 8 "Jessie", this problem has been fixed in version
> 1.0.9.8.5.
>
> We recommend that you upgrade your apt packages.
>
> Specific upgrade instructions:
>
> If upgrading using APT without redirect is not possible in your situation, you
> can manually download the files (using wget/curl) for your architecture using
> the URL provided below, verifying that the hashes match. Then you can install
> them using dpkg -i.
>
> Architecture independent files:
>
> http://security.debian.org/debian-security/pool/updates/main/a/apt/apt-doc_1.0.9.8.5_all.deb
>         Size/SHA256 checksum:    301106 47df9567e45fadcd2a56c0fd3d514d8136f2f206aa7baa47405c6fcb94824ab6
> http://security.debian.org/debian-security/pool/updates/main/a/apt/libapt-pkg-doc_1.0.9.8.5_all.deb
>         Size/SHA256 checksum:    750506 ce79b2ef272716b8da11f3fd0497ce0b7ee69c9c66d01669e8abbbfdde5e6256
>
> amd64 architecture:
>
> http://security.debian.org/debian-security/pool/updates/main/a/apt/libapt-pkg4.12_1.0.9.8.5_amd64.deb
>         Size/SHA256 checksum:    792126 295d9c69854a4cfbcb46001b09b853f5a098a04c986fc5ae01a0124c1c27e6bd
> http://security.debian.org/debian-security/pool/updates/main/a/apt/libapt-inst1.5_1.0.9.8.5_amd64.deb
>         Size/SHA256 checksum:    168896 f9615532b1577b3d1455fa51839ce91765f2860eb3a6810fb5e0de0c87253030
> http://security.debian.org/debian-security/pool/updates/main/a/apt/apt_1.0.9.8.5_amd64.deb
>         Size/SHA256 checksum:   1109308 4078748632abc19836d045f80f9d6933326065ca1d47367909a0cf7f29e7dfe8
> http://security.debian.org/debian-security/pool/updates/main/a/apt/libapt-pkg-dev_1.0.9.8.5_amd64.deb
>         Size/SHA256 checksum:    192950 09ef86d178977163b8cf0081d638d74e0a90c805dd77750c1d91354b6840b032
> http://security.debian.org/debian-security/pool/updates/main/a/apt/apt-utils_1.0.9.8.5_amd64.deb
>         Size/SHA256 checksum:    368396 87c55d9ccadcabd59674873c221357c774020c116afd978fb9df6d2d0303abf2
> http://security.debian.org/debian-security/pool/updates/main/a/apt/apt-transport-https_1.0.9.8.5_amd64.deb
>         Size/SHA256 checksum:    137230 f5a17422fd319ff5f6e3ea9a9e87d2508861830120125484130da8c1fd479df2
>
> armel architecture:
>
> http://security.debian.org/debian-security/pool/updates/main/a/apt/libapt-pkg4.12_1.0.9.8.5_armel.deb
>         Size/SHA256 checksum:    717002 80fe021d87f2444abdd7c5491e7a4bf9ab9cb2b8e6fa72d308905f4e0aad60d4
> http://security.debian.org/debian-security/pool/updates/main/a/apt/libapt-inst1.5_1.0.9.8.5_armel.deb
>         Size/SHA256 checksum:    166784 046fb962fa214c5d6acfb7344e7719f8c4898d87bf29ed3cd2115e3f6cdd14e9
> http://security.debian.org/debian-security/pool/updates/main/a/apt/apt_1.0.9.8.5_armel.deb
>         Size/SHA256 checksum:   1067404 f9a257d6aace1f222633e0432abf1d6946bad9dbd0ca18dccb288d50f17b895f
> http://security.debian.org/debian-security/pool/updates/main/a/apt/libapt-pkg-dev_1.0.9.8.5_armel.deb
>         Size/SHA256 checksum:    193768 4cb226f55132a68a2f5db925ada6147aaf052adb02301fb45fb0c2d1cfce36f0
> http://security.debian.org/debian-security/pool/updates/main/a/apt/apt-utils_1.0.9.8.5_armel.deb
>         Size/SHA256 checksum:    353178 38042838d8bc79642e5389be7d2d2d967cbf316805d4c8c2d6afbe1bc164aacc
> http://security.debian.org/debian-security/pool/updates/main/a/apt/apt-transport-https_1.0.9.8.5_armel.deb
>         Size/SHA256 checksum:    134932 755b6d22f5914f3153a1c15427e5221507b174c0a4c6b860ebd16234c9e9a146
>
> armhf architecture:
>
> http://security.debian.org/debian-security/pool/updates/main/a/apt/libapt-pkg4.12_1.0.9.8.5_armhf.deb
>         Size/SHA256 checksum:    734302 0f48f6d0406afdf0bd4d39e90e56460fab3d9b5fa4c91e2dca78ec22caf2fe2a
> http://security.debian.org/debian-security/pool/updates/main/a/apt/libapt-inst1.5_1.0.9.8.5_armhf.deb
>         Size/SHA256 checksum:    166556 284a1ffd529e1daab3c300be17a20f11450555be9c0af166d9796c18147a03ba
> http://security.debian.org/debian-security/pool/updates/main/a/apt/apt_1.0.9.8.5_armhf.deb
>         Size/SHA256 checksum:   1078212 08d85c30c8e4a6df0dced8e232a6c7639caa231acef4af8fdee2c1e07f0178ba
> http://security.debian.org/debian-security/pool/updates/main/a/apt/libapt-pkg-dev_1.0.9.8.5_armhf.deb
>         Size/SHA256 checksum:    193796 3a26bd79677b46ce0a992e2ac808c4bbd2d5b3fc37b57fc93c8efa114de1adaa
> http://security.debian.org/debian-security/pool/updates/main/a/apt/apt-utils_1.0.9.8.5_armhf.deb
>         Size/SHA256 checksum:    357074 19dec9ffc0fe4a86d6e61b5213e75c55ae6aaade6f3804f90e2e4034bbdc44d8
> http://security.debian.org/debian-security/pool/updates/main/a/apt/apt-transport-https_1.0.9.8.5_armhf.deb
>         Size/SHA256 checksum:    135072 06ba556c5218e58fd14119e3b08a08f685209a0cbe09f2328bd572cabc580bca
>
> i386 architecture:
>
> http://security.debian.org/debian-security/pool/updates/main/a/apt/libapt-pkg4.12_1.0.9.8.5_i386.deb
>         Size/SHA256 checksum:    800840 201b6cf4625ed175e6a024ac1f7ca6c526ca79d859753c125b02cd69e26c349d
> http://security.debian.org/debian-security/pool/updates/main/a/apt/libapt-inst1.5_1.0.9.8.5_i386.deb
>         Size/SHA256 checksum:    170484 5791661dd4ade72b61086fefdc209bd1f76ac7b7c812d6d4ba951b1a6232f0b9
> http://security.debian.org/debian-security/pool/updates/main/a/apt/apt_1.0.9.8.5_i386.deb
>         Size/SHA256 checksum:   1110418 13c230e9c544b1e67a8da413046bf1728526372170533b1a23e70cc99c40a228
> http://security.debian.org/debian-security/pool/updates/main/a/apt/libapt-pkg-dev_1.0.9.8.5_i386.deb
>         Size/SHA256 checksum:    193780 c5b1bfa913ea2e2e332c228f5c5fe4dbc11ab334d0551a68ba6e87e94a51ffee
> http://security.debian.org/debian-security/pool/updates/main/a/apt/apt-utils_1.0.9.8.5_i386.deb
>         Size/SHA256 checksum:    371218 1a74b12c8bb6b3968a721f3aa96739073e4fe2ced9302792c533e21535bc9cf4
> http://security.debian.org/debian-security/pool/updates/main/a/apt/apt-transport-https_1.0.9.8.5_i386.deb
>         Size/SHA256 checksum:    139036 32148d92914a97df8bbb9f223e788dcbc7c39e570cf48e6759cb483a65b68666
>
> Further information about Debian LTS security advisories, how to apply
> these updates to your system and frequently asked questions can be
> found at: https://wiki.debian.org/LTS
>
> --
> debian developer - deb.li/jak | jak-linux.org - free software dev
> ubuntu core developer                              i speak de, en
Reply to: