Re: Re: [SECURITY] [DSA 4371-1] apt security update

To: debian-security@lists.debian.org
Subject: Re: Re: [SECURITY] [DSA 4371-1] apt security update
From: Edgar Remmel <eremmel@gmx.net>
Date: Thu, 24 Jan 2019 23:37:05 +0100
Message-id: <[🔎] 5320c07e-e55c-83fb-383e-534cc271340f@gmx.net>
In-reply-to: <[🔎] 61a02b4f69bcb142e9210aeac668111311f636f1.camel@debian.org>
References: <[🔎] 61a02b4f69bcb142e9210aeac668111311f636f1.camel@debian.org>

Thanks a lot Yves-Alexis for reply and advice!

> Also it's likely that
> you need to ask this to Raspbian, not Debian.

Please give me a 2.nd try in this list. If it will become obviosly to be
a problem of Raspbian I will change to them.

> It would help to paste the exact error messages.

The command "sudo apt -o Acquire::http::AllowRedirect=false update" ran
fine.
By apt "list --upgradable" these 5 packages are displayed:

apt/stable 1.4.9 armhf [upgradable from: 1.4.8]
apt-transport-https/stable 1.4.9 armhf [upgradable from: 1.4.8]
apt-utils/stable 1.4.9 armhf [upgradable from: 1.4.8]
libapt-inst2.0/stable 1.4.9 armhf [upgradable from: 1.4.8]
libapt-pkg5.0/stable 1.4.9 armhf [upgradable from: 1.4.8]

But by sudo "apt -o Acquire::http::AllowRedirect=false upgrade"
I always got the following error messages after my confirm to install:

Err:1 http://raspbian.raspberrypi.org/raspbian stretch/main armhf
libapt-pkg5.0 armhf 1.4.9
  302  Found [IP: 93.93.128.193 80]
Err:2 http://raspbian.raspberrypi.org/raspbian stretch/main armhf
libapt-inst2.0 armhf 1.4.9
  302  Found [IP: 93.93.128.193 80]
Err:3 http://raspbian.raspberrypi.org/raspbian stretch/main armhf apt
armhf 1.4.9
  302  Found [IP: 93.93.128.193 80]
Err:4 http://raspbian.raspberrypi.org/raspbian stretch/main armhf
apt-utils armhf 1.4.9
  302  Found [IP: 93.93.128.193 80]
Err:5 http://raspbian.raspberrypi.org/raspbian stretch/main armhf
apt-transport-https armhf 1.4.9
  302  Found [IP: 93.93.128.193 80]
E: Failed to fetch
http://raspbian.raspberrypi.org/raspbian/pool/main/a/apt/libapt-pkg5.0_1.4.9_armhf.deb
 302  Found [IP: 93.93.128.193 80]
E: Failed to fetch
http://raspbian.raspberrypi.org/raspbian/pool/main/a/apt/libapt-inst2.0_1.4.9_armhf.deb
 302  Found [IP: 93.93.128.193 80]
E: Failed to fetch
http://raspbian.raspberrypi.org/raspbian/pool/main/a/apt/apt_1.4.9_armhf.deb
 302  Found [IP: 93.93.128.193 80]
E: Failed to fetch
http://raspbian.raspberrypi.org/raspbian/pool/main/a/apt/apt-utils_1.4.9_armhf.deb
 302  Found [IP: 93.93.128.193 80]
E: Failed to fetch
http://raspbian.raspberrypi.org/raspbian/pool/main/a/apt/apt-transport-https_1.4.9_armhf.deb
 302  Found [IP: 93.93.128.193 80]
E: Unable to fetch some archives, maybe run apt-get update or try with
--fix-missing?

I tried to use a command with --fix-missing but this didn't work. Maybe
I used the wrong syntax.

> Can you provide the links you used and the hash it gives you locally?

This was a second problem when I tried to solve it by manual
instalaltion. For the downloads I used the links you have posted and
found some dismatched hashes in these files:

apt-dbgsym_1.4.9_armhf.deb
Local Hash =
734604633a87aac1b6bdf1ded6ed9a398122be8654690e6acc9a195c3d6dab14

apt-utils-dbgsym_1.4.9_armhf.deb -
Local Hash =
42b07cdf359a7dcca06533bb3672039b62cd850a3f65d63f9a92ed6ed20537f1

libapt-inst2.0-dbgsym_1.4.9_armhf.deb
Local Hash =
35044d57c7832041eb212fdab5893dc168b25ab4f7f6f50e00a471ac9f7213dc

libapt-pkg5.0-dbgsym_1.4.9_armhf.deb
Local Hash =
d4e59e53e471b11c2bcd1ecf39f71bb50214b97ba492ba7b767301816266ce37

But meanwhile I see that I don't need those files because they are
obviosly not displayed by apt --upgradable list.
And the hashes for the 5 needed packages seem to match.

 > Try dpkg - -l |grep apt

dpkg --list |grep apt worked for me.

That's the result:

ii  apt                             1.4.8                        armhf
     commandline package manager
ii  apt-listchanges                 3.10                         all
     package change history notification tool
ii  apt-transport-https             1.4.8                        armhf
     https download transport for APT
ii  apt-utils                       1.4.8                        armhf
     package management related utility programs
ii  aptitude                        0.8.7-1                      armhf
     terminal-based package manager
ii  aptitude-common                 0.8.7-1                      all
     architecture independent files for the aptitude package manager
ii  firmware-realtek                1:20161130-3+rpt4            all
     Binary firmware for Realtek wired/wifi/BT adapters
ii  libapt-inst2.0:armhf            1.4.8                        armhf
     deb package format runtime library
ii  libapt-pkg5.0:armhf             1.4.8                        armhf
     package management runtime library
ii  python-apt-common               1.1.0~beta5                  all
     Python interface to libapt-pkg (locales)
ii  python3-apt                     1.1.0~beta5                  armhf

Besides according to your recommendation I tried this too:

deb http://cdn-fastly.deb.debian.org/debian-security stable/updates main
in /etc/apt/sources.list.

But running an update command an error showed up that the key doesn't
match, so this failed too.

So please let me know - what is your conclusion?

It's a question for Raspbian - and I should ask there now?
Or can I install the 5 upgrade files qouted above manually without
greater danger of a system crash? What do you recommend to be the very
next step?

Thank you in advance.

Edgar

Reply to:

Follow-Ups:
- Re: Re: [SECURITY] [DSA 4371-1] apt security update
  - From: Yves-Alexis Perez <corsac@debian.org>

References:
- Re: [SECURITY] [DSA 4371-1] apt security update
  - From: Yves-Alexis Perez <corsac@debian.org>

Prev by Date: Re: [SECURITY] [DSA 4371-1] apt security update
Next by Date: Re: Re: [SECURITY] [DSA 4371-1] apt security update
Previous by thread: Re: [SECURITY] [DSA 4371-1] apt security update
Next by thread: Re: Re: [SECURITY] [DSA 4371-1] apt security update
Index(es):
- Date
- Thread