
Re: APT vulnerability [DSA 4371-1]



FYI, I wrote a script to check the amd64 packages against the published
hash. If anyone wants to use it, it is attached.

.hc

Evgeny Kapun:
> On 22.01.2019 16:59, Vladislav Kurz wrote:
>> Hello everybody,
>>
>> is this vulnerability also affecting apt-get?
> 
> Yes, the vulnerability is in the http backend, which is used by apt-get.
> 
>> If yes, will there be another DSA soon?
> 
> No, because the apt-get tool is in the package apt.
> 
>> I'm also encountering many errors when using
>>   apt -o Acquire::http::AllowRedirect=false update
>>   apt -o Acquire::http::AllowRedirect=false upgrade
>>
>> As written in the announcement: This is known to break some proxies when
>> used against security.debian.org.
>>
>> However, I do not use a proxy at all. I have problems with jessie/updates,
>> cdn.debian.net, and http.debian.net
> 
> Try these URLs: http://cdn-fastly.deb.debian.org/debian,
> http://cdn-fastly.deb.debian.org/debian-security. The domains
> cdn.debian.net and http.debian.net are deprecated, use deb.debian.org
> instead.
> 
>> Err http://security.debian.org jessie/updates/main i386 Packages
>>    302  Found [IP: 217.196.149.233 80]
>> Err http://security.debian.org jessie/updates/contrib i386 Packages
>>    302  Found [IP: 217.196.149.233 80]
>> Err http://security.debian.org jessie/updates/non-free i386 Packages
>>    302  Found [IP: 217.196.149.233 80]
>> Fetched 151 kB in 9s (16.2 kB/s)
>>
>> Err:14 http://cdn.debian.net/debian stretch Release
>>    302  Found [IP: 2001:4f8:1:c::15 80]
>> Err:15 http://cdn.debian.net/debian stretch-updates Release
>>    302  Found [IP: 2001:4f8:1:c::15 80]
>> Err:16 http://cdn.debian.net/debian stretch-backports Release
>>    302  Found [IP: 2001:4f8:1:c::15 80]
>>
>> Err:7 http://http.debian.net/debian stretch Release
>>    302  Found [IP: 2001:67c:2564:a119::148:14 80]
>> Err:8 http://http.debian.net/debian stretch-updates Release
>>    302  Found [IP: 2001:67c:2564:a119::148:14 80]
>> Err:9 http://http.debian.net/debian stretch-backports Release
>>    302  Found [IP: 2001:67c:2564:a119::148:14 80]
>>
>>
> 

Attachment: check.sh
Description: application/shellscript

Attachment: signature.asc
Description: OpenPGP digital signature
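
The attached check.sh is not reproduced on this page. As an added example (not the script from the mail), the following shows one way to check manually downloaded .deb files against a list of published SHA256 hashes before installing them, failing closed on any mismatch, missing file or malformed entry. The function names, the manifest file name and the demo package name are assumptions, and the demo hash is computed from a constructed stand-in file rather than taken from the advisory.

```shell
#!/bin/sh
# Added example (not the check.sh attached to the mail).
# verify_debs MANIFEST DIR
#   MANIFEST: lines of "<sha256 hex>  <filename>" (sha256sum format),
#             copied from a trusted, signed announcement.
#   DIR:      directory holding the downloaded .deb files.
# Returns 0 only if every listed file is present and matches.
verify_debs() {
    manifest=$1 dir=$2 rc=0 seen=0
    while read -r want name || [ -n "$want" ]; do
        case $want in ''|'#'*) continue ;; esac   # blank line or comment
        seen=$((seen + 1))
        # The hash must be exactly 64 lowercase hex digits.
        if ! printf '%s\n' "$want" | grep -Eq '^[0-9a-f]{64}$'; then
            echo "MALFORMED: $want" >&2; rc=1; continue
        fi
        # No path components: the manifest must not reach outside DIR.
        case $name in ''|*/*) echo "BAD NAME: $name" >&2; rc=1; continue ;; esac
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING: $name" >&2; rc=1; continue
        fi
        got=$(sha256sum "$dir/$name" | cut -d' ' -f1)
        if [ "$got" = "$want" ]; then
            echo "OK: $name"
        else
            echo "MISMATCH: $name" >&2; rc=1
        fi
    done < "$manifest"
    [ "$seen" -gt 0 ] || rc=1    # an empty manifest verifies nothing
    return "$rc"
}

# Constructed demo: a stand-in file, with a manifest generated from it
# in place of the hashes one would copy from the signed announcement.
demo() {
    d=$(mktemp -d)
    printf 'constructed stand-in for a .deb\n' > "$d/example_amd64.deb"
    (cd "$d" && sha256sum example_amd64.deb > published.sha256)
    verify_debs "$d/published.sha256" "$d"; r=$?
    rm -rf "$d"
    return "$r"
}
demo
```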

