
Re: not getting compromised while applying apt-get upgrade for CVE-2016-1252

On Sat, 17 Dec 2016, Hans-Christoph Steiner wrote:
> One thing that would help a lot with future issues like this is to use
> only encrypted connections in /etc/apt/sources.list.  That can be either
> HTTPS or a Tor Hidden Service .onion address.  For in depth discussion
> of this, see:

You could bootstrap from one of the larger ISO media which have the
entire standard system and you can sha256sum easily, and install without
any networks connected.

Then, manually install the updated .deb packages using a USB pendrive
or something like that.  You can also sha256sum these easily.

Then enable the network, and update the whole system as usual, and run
"tasksel" as root to ask for more package sets, etc.

It is worth noticing that all this crazy dance is going to become
unnecessary as soon as the next Debian stable point release is issued
[with an updated installer image], and new install media are made available.

I will ask the stable release team to consider speeding up the next
Debian stable point-release timeframe based on this.

> https://guardianproject.info/2014/10/16/reducing-metadata-leakage-from-software-updates/

Yeah, right.  However Debian 8 (jessie) and earlier, i.e. the current
Debian stable, runs the apt transports as *root*, and *unjailed*.

For that reason, you do *not* want a complex set of libraries with a
history of being zero-day nurseries anywhere near APT in Debian 8
(jessie) and earlier.  If you enable apt-transport-https in Debian 8 and
earlier, you increase the chances of [eventually] being remote-exploited
a great deal.

So, please go with the bootstrap from an ISO media instead.

NOTE: apt in Debian Stretch (Debian 9) runs the transports as an
unprivileged user, which is a lot safer.  You should still avoid using
apt-transport-https there unless required; it is much safer to have a
local mirror [properly set up].

  Henrique Holschuh
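
The offline step described in the message above (checking the updated .deb packages with sha256sum before installing them with no network connected) could be scripted as below. This is an added example, not part of the original post; the function names, the manifest name `SHA256SUMS`, and the premise that the manifest was written on a trusted machine are assumptions.

```shell
#!/bin/sh
# Added example: fail-closed check of .deb files against a SHA-256 manifest.
# verify_debs DIR MANIFEST
#   MANIFEST is in sha256sum output format: "<hash>  <filename>".
#   Returns 0 only if DIR holds at least one .deb and every .deb in DIR is
#   listed in MANIFEST with a matching hash. A file that is present but not
#   listed counts as a failure; plain `sha256sum -c` only checks listed files.
verify_debs() {
    dir=$1 manifest=$2 bad=0 seen=0
    for f in "$dir"/*.deb; do
        [ -f "$f" ] || continue            # the glob matched nothing
        seen=1
        name=${f##*/}
        # Expected hash: exact match on the filename column ("*" = binary mode).
        want=$(awk -v n="$name" \
            '{ fn = $2; sub(/^\*/, "", fn); if (fn == n) { print $1; exit } }' \
            "$manifest")
        got=$(sha256sum "$f" | awk '{ print $1 }')
        if [ -z "$want" ]; then
            echo "UNLISTED  $name" >&2; bad=1
        elif [ "$want" != "$got" ]; then
            echo "MISMATCH  $name" >&2; bad=1
        else
            echo "OK        $name"
        fi
    done
    [ "$seen" -eq 1 ] && [ "$bad" -eq 0 ]
}

# Constructed demo: two placeholder files stand in for real packages.
demo() {
    tmp=$(mktemp -d) || return 1
    printf 'constructed package A\n' > "$tmp/a_1.0_all.deb"
    printf 'constructed package B\n' > "$tmp/b_1.0_all.deb"
    # The manifest lists only A, as if B was added to the pendrive afterwards.
    (cd "$tmp" && sha256sum a_1.0_all.deb > SHA256SUMS)
    verify_debs "$tmp" "$tmp/SHA256SUMS"; rc=$?   # non-zero: B is unlisted
    rm -rf "$tmp"
    return "$rc"
}

demo || echo "demo: directory rejected, nothing should be installed" >&2
```

Only when `verify_debs` returns 0 for the pendrive directory would the packages be passed to `dpkg -i`.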
