
Re: not getting compromised while applying apt-get upgrade for CVE-2016-1252



Hello Patrick!

You may download the new package
http://security.debian.org/debian-security/pool/updates/main/a/apt/apt_1.0.9.8.4_amd64.deb
(for amd64)
and check its checksum
https://packages.debian.org/jessie/amd64/apt/download

$ sha256sum apt_1.0.9.8.4_amd64.deb

f40e51afbbcf2b1e23442c4c3df064a02ddc27bdfbfb155839577dcb1dedb74a


All the best to you!


Quoting Patrick Schleizer <adrelanos@riseup.net>:

TLDR:
Is it possible to disable InRelease processing by apt-get?


Long:

Very short summary of the bug:
(my own words) During an apt-get upgrade, signature verification can be
tricked, resulting in arbitrary package installation and system compromise.

sources:

- https://security-tracker.debian.org/tracker/CVE-2016-1252
- https://www.debian.org/security/2016/dsa-3733
- https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1647467

How to upgrade from the insecure apt-get version 1.0.9.8.3 to the
patched apt-get version 1.0.9.8.4 without being compromised during that
upgrade?

Is it possible to disable InRelease processing by apt-get [for that
upgrade or generally]? And have it check Release.gpg (which is provided
anyway) instead?



SZÉPE Viktor
https://github.com/szepeviktor/debian-server-tools/blob/master/CV.md
--
+36-20-4242498  sms@szepe.net  skype: szepe.viktor
Budapest, III. kerület
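The reply above amounts to a two-step procedure: fetch the fixed apt .deb directly and compare its SHA-256 with the value published on packages.debian.org before installing it, so the check does not depend on the vulnerable apt code path. The script below is an added example (not part of the list post and not Debian's own tooling) that wraps that check in a reusable function. It runs offline on a constructed file with a known hash; the URL and hash quoted in the reply are kept only as reference constants, and the `dpkg -i` wrapper is never invoked by the demo.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): verify a downloaded .deb's
# SHA-256 against the hash published on packages.debian.org, and refuse to
# install on any mismatch.

# Values quoted in the reply above, kept here for reference only.
APT_DEB_URL="http://security.debian.org/debian-security/pool/updates/main/a/apt/apt_1.0.9.8.4_amd64.deb"
APT_DEB_SHA256="f40e51afbbcf2b1e23442c4c3df064a02ddc27bdfbfb155839577dcb1dedb74a"

# Print the SHA-256 of a file using whichever tool the host provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_sha256 <file> <expected-hex>: returns 0 on match, 1 otherwise.
# The expected value is lower-cased so a copy-pasted upper-case hash still works.
verify_sha256() {
    file="$1"
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "missing file: $file" >&2; return 1; }
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches $expected"
        return 0
    fi
    echo "MISMATCH: $file has $actual, expected $expected" >&2
    return 1
}

# Install only after the hash check passes (assumed helper, not part of the post).
# The .deb must already be on disk; fetch it first, e.g. with wget "$APT_DEB_URL".
install_verified_deb() {
    verify_sha256 "$1" "$2" || return 1
    dpkg -i "$1"
}

# Offline demonstration on a constructed file: "hello\n" has a well-known SHA-256.
demo_verify() {
    tmp=$(mktemp)
    printf 'hello\n' > "$tmp"
    verify_sha256 "$tmp" "5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03"
    rc=$?
    rm -f "$tmp"
    return $rc
}

demo_verify
```

For the real package the call would be `install_verified_deb apt_1.0.9.8.4_amd64.deb "$APT_DEB_SHA256"`; the comparison is done with a plain string test rather than `sha256sum -c` so the same function works on hosts that only have `shasum`.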