Re: APT vulnerability [DSA 4371-1]

[Evgeny Kapun <abacabadabacaba@gmail.com>]

On 22.01.2019 16:59, Vladislav Kurz wrote:
> Hello everybody,
>
> is this vulnerability affecting also apt-get ?

Yes, the vulnerability is in http backend, which is used by apt-get.

> If yes, will there be another DSA soon?

No, because apt-get tool is in the package apt.

> I'm also encountering many errors when using
>   apt -o Acquire::http::AllowRedirect=false update
>   apt -o Acquire::http::AllowRedirect=false upgrade
>
> As written in announcement: This is known to break some proxies when
> used against security.debian.org.
>
> However I do not use proxy at all. I have problems with jessie/updates,
> cdn.debian.net, and http.debian.net

Try these URLs: http://cdn-fastly.deb.debian.org/debian, http://cdn-fastly.deb.debian.org/debian-security. The domains cdn.debian.net and http.debian.net are deprecated, use deb.debian.org instead.

> Err http://security.debian.org jessie/updates/main i386 Packages
>    302  Found [IP: 217.196.149.233 80]
> Err http://security.debian.org jessie/updates/contrib i386 Packages
>    302  Found [IP: 217.196.149.233 80]
> Err http://security.debian.org jessie/updates/non-free i386 Packages
>    302  Found [IP: 217.196.149.233 80]
> Fetched 151 kB in 9s (16.2 kB/s)
>
> Err:14 http://cdn.debian.net/debian stretch Release
>    302  Found [IP: 2001:4f8:1:c::15 80]
> Err:15 http://cdn.debian.net/debian stretch-updates Release
>    302  Found [IP: 2001:4f8:1:c::15 80]
> Err:16 http://cdn.debian.net/debian stretch-backports Release
>    302  Found [IP: 2001:4f8:1:c::15 80]
>
> Err:7 http://http.debian.net/debian stretch Release
>    302  Found [IP: 2001:67c:2564:a119::148:14 80]
> Err:8 http://http.debian.net/debian stretch-updates Release
>    302  Found [IP: 2001:67c:2564:a119::148:14 80]
> Err:9 http://http.debian.net/debian stretch-backports Release
>    302  Found [IP: 2001:67c:2564:a119::148:14 80]