[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

not getting compromised while applying apt-get upgrade for CVE-2016-1252

Is it possible to disable InRelease processing by apt-get?


Very short summary of the bug:
(my own words) During apt-get upgrading signature verification can be
tricked resulting in arbitrary package installation, system compromise.


- https://security-tracker.debian.org/tracker/CVE-2016-1252
- https://www.debian.org/security/2016/dsa-3733
- https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1647467

How to upgrade from the insecure apt-get version to the
patched apt-get version without being compromised during that

Is it possible to disable InRelease processing by apt-get [for that
upgrade or generally]? And have it check Release.gpg (which is provided
anyway) instead?

Reply to: