On Tue, 2019-01-22 at 13:50 +0000, Steve McIntyre wrote:
> On Tue, Jan 22, 2019 at 01:44:12PM +0000, Ben Hutchings wrote:
> > On Tue, 2019-01-22 at 13:17 +0100, Yves-Alexis Perez wrote:
> > > -------------------------------------------------------------------------
> > > Debian Security Advisory DSA-4371-1                   security@debian.org
> > > https://www.debian.org/security/                       Yves-Alexis Perez
> > > January 22, 2019                      https://www.debian.org/security/faq
> > > -------------------------------------------------------------------------
> > >
> > > Package        : apt
> > > CVE ID         : CVE-2019-3462
> > >
> > > Max Justicz discovered a vulnerability in APT, the high level package manager.
> > > The code handling HTTP redirects in the HTTP transport method doesn't properly
> > > sanitize fields transmitted over the wire. This vulnerability could be used by
> > > an attacker located as a man-in-the-middle between APT and a mirror to inject
> > > malicious content in the HTTP connection. This content could then be recognized
> > > as a valid package by APT and used later for code execution with root
> > > privileges on the target machine.
> > [...]
> >
> > This presumably needs to be fixed for jessie LTS as well, and I see
> > Chris Lamb has claimed it.
> >
> > However, APT is used during initial installation and we don't have any
> > provision for updating installer images during LTS. So we're either
> > going to have to revisit that or come up with some kind of workaround
> > for installation time.
>
> I can help with new jessie installation images, but it'll need a bit
> of prep work. debian-cd doesn't pull from security or lts by default.

Would it be any easier to stick with oldstable as a base and explicitly
replace specific packages?

Ben.

--
Ben Hutchings
The most exhausting thing in life is being insincere. - Anne Morrow Lindberg
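The advisory quoted above describes redirect fields that reach APT unsanitized. As an added example, not part of this thread and not APT's own code, the check below shows the kind of validation a transport should apply to a Location value taken off the wire before reusing it anywhere else (the function name, length limit and sample URLs are assumptions):

```cpp
// Added example (not APT's code): validate an HTTP redirect target from a
// Location header before it is passed on. Names and limits are assumed.
#include <iostream>
#include <string>

// Returns true if `location` is a syntactically safe redirect target:
// printable ASCII only (no CR, LF, NUL, spaces or other control bytes) and
// either an absolute http(s) URL or a path-absolute reference. The reason
// for rejection is written to `why` so the caller can log it.
bool IsSafeRedirectTarget(const std::string &location, std::string &why) {
    if (location.empty()) { why = "empty Location"; return false; }
    if (location.size() > 2048) { why = "Location too long"; return false; }
    for (unsigned char c : location) {
        // Reject line terminators explicitly: a value that can embed CR/LF
        // must never reach a line-oriented consumer unchanged.
        if (c == '\r' || c == '\n') { why = "line terminator in Location"; return false; }
        if (c < 0x21 || c >= 0x7f) { why = "non-printable or non-ASCII byte in Location"; return false; }
    }
    const bool absolute = location.rfind("http://", 0) == 0 ||
                          location.rfind("https://", 0) == 0;
    // A path-absolute reference; "//host/path" (scheme-relative) is rejected.
    const bool pathAbs = location[0] == '/' &&
                         !(location.size() > 1 && location[1] == '/');
    if (!absolute && !pathAbs) { why = "unsupported redirect scheme or form"; return false; }
    why.clear();
    return true;
}

int main() {
    // Constructed sample Location values, not taken from any real mirror.
    const std::string samples[] = {
        "http://deb.example.org/pool/main/a/apt/apt_1.0_amd64.deb",
        "/pool/main/a/apt/apt_1.0_amd64.deb",
        "http://mirror.example/x\r\nInjected: header",
        "//mirror.example/x",
        "ftp://mirror.example/x",
    };
    for (const std::string &s : samples) {
        std::string why;
        bool ok = IsSafeRedirectTarget(s, why);
        std::cout << (ok ? "accept: " : "reject: ") << (ok ? s : why) << "\n";
    }
    return 0;
}
```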