[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: [SECURITY] [DSA 4371-1] apt security update



On Tue, 2019-01-22 at 13:50 +0000, Steve McIntyre wrote:
> On Tue, Jan 22, 2019 at 01:44:12PM +0000, Ben Hutchings wrote:
> > On Tue, 2019-01-22 at 13:17 +0100, Yves-Alexis Perez wrote:
> > > -------------------------------------------------------------------------
> > > Debian Security Advisory DSA-4371-1                   security@debian.org
> > > https://www.debian.org/security/                        Yves-Alexis Perez
> > > January 22, 2019                      https://www.debian.org/security/faq
> > > -------------------------------------------------------------------------
> > > 
> > > Package        : apt
> > > CVE ID         : CVE-2019-3462
> > > 
> > > Max Justicz discovered a vulnerability in APT, the high level package manager.
> > > The code handling HTTP redirects in the HTTP transport method doesn't properly
> > > sanitize fields transmitted over the wire. This vulnerability could be used by
> > > an attacker located as a man-in-the-middle between APT and a mirror to inject
> > > malicous content in the HTTP connection. This content could then be recognized
> > > as a valid package by APT and used later for code execution with root
> > > privileges on the target machine.
> > [...]
> > 
> > This presumably needs to be fixed for jessie LTS as well, and I see
> > Chris Lamb has claimed it.
> > 
> > However, APT is used during initial installation and we don't have any
> > provision for updating installer images during LTS.  So we're either
> > going to have to revisit that or come up with some kind of workaround
> > for installation time.
> 
> I can help with new jessie installation images, but it'll need a bit
> of prep work. debian-cd doesn't pull from security or lts by default.

Would it be any easier to stick with oldstable as a base and explicitly
replace specific packages?

Ben.

-- 
Ben Hutchings
The most exhausting thing in life is being insincere.
                                                 - Anne Morrow Lindberg

Attachment: signature.asc
Description: This is a digitally signed message part


Reply to: