
Re: Re: [SECURITY] [DSA 4371-1] apt security update




On Thu, 2019-01-24 at 23:37 +0100, Edgar Remmel wrote:
> Thanks a lot Yves-Alexis for reply and advice!
> 
> > Also it's likely that
> > you need to ask this to Raspbian, not Debian.
> 
> Please give me a 2nd try in this list. If it becomes obvious that it is
> a problem of Raspbian I will change to them.

It's not a Raspbian “problem”, but yes, you're using Raspbian packages and
mirrors, not Debian's.
> 
> But by sudo "apt -o Acquire::http::AllowRedirect=false upgrade"
> I always got the following error messages after my confirm to install:
> 
> Err:1 http://raspbian.raspberrypi.org/raspbian stretch/main armhf
> libapt-pkg5.0 armhf 1.4.9
>   302  Found [IP: 93.93.128.193 80]

Yes, 302 is an HTTP redirect code, and you asked to refuse redirects (in order to
prevent exploitation by an attacker). That's why it fails.
> 
> Besides according to your recommendation I tried this too:
> 
> deb http://cdn-fastly.deb.debian.org/debian-security stable/updates main
> in /etc/apt/sources.list.

That's actually a bad idea I think. Raspbian rebuilds packages for a different
architecture: Raspbian armhf is not Debian armhf, so it's not guaranteed to
work on any Raspberry Pi. Also don't try to upgrade using packages downloaded
from Debian, you really need to go to Raspbian for that.
> 
> But running an update command an error showed up that the key doesn't
> match, so this failed too.
> 
> So please let me know - what is your conclusion?
> 
> It's a question for Raspbian - and I should ask there now?

Yes, please contact them. I'm unsure if they published an advisory or
something though.

Regards,
- -- 
Yves-Alexis
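Added example, not part of the original message: a small shell filter that reads apt output produced with `Acquire::http::AllowRedirect=false` and lists which mirror hosts answered with an HTTP 3xx redirect, so the affected `sources.list` entries can be pointed at a mirror that serves the files directly. The function names are hypothetical, and the sample output is constructed; only its first record is copied from the error quoted in the thread.

```shell
#!/bin/sh
# Added example: find mirrors that redirect while apt refuses redirects.
# Assumes untranslated apt messages (run apt with LC_ALL=C).

# Constructed sample of apt output. The first Err record is the one quoted
# in the thread; the other records and addresses are made up.
sample_apt_output() {
cat <<'EOF'
Err:1 http://raspbian.raspberrypi.org/raspbian stretch/main armhf libapt-pkg5.0 armhf 1.4.9
  302  Found [IP: 93.93.128.193 80]
Err:2 http://raspbian.raspberrypi.org/raspbian stretch/main armhf apt armhf 1.4.9
  302  Found [IP: 93.93.128.193 80]
Err:3 http://mirror.example.com/raspbian stretch/main armhf apt-utils armhf 1.4.9
  301  Moved Permanently [IP: 192.0.2.20 80]
Err:4 http://mirror.example.net/raspbian stretch/main armhf foo armhf 1.0
  404  Not Found [IP: 192.0.2.10 80]
Get:5 http://archive.example.org/raspbian stretch/main armhf bar armhf 2.0 [10 kB]
EOF
}

# Reads apt output on stdin and prints "host status count" for every host
# whose failed download was an HTTP 3xx answer, sorted by host.
redirecting_mirrors() {
    awk '
        # An Err line names the item that failed; keep its URL.
        /^Err:[0-9]+ / { url = $2; next }
        # The line right after it starts with the HTTP status code.
        url != "" && $1 ~ /^3[0-9][0-9]$/ {
            split(url, part, "/")          # scheme://host/path -> part[3] is the host
            seen[part[3] " " $1]++
        }
        # Any other line ends the current Err record.
        { url = "" }
        END { for (key in seen) print key, seen[key] }
    ' | sort
}

# Stand-alone demonstration on the constructed sample.
# Real use: sudo LC_ALL=C apt -o Acquire::http::AllowRedirect=false upgrade 2>&1 | redirecting_mirrors
sample_apt_output | redirecting_mirrors
```

The 404 record is deliberately not reported: only 3xx answers are failures caused by refusing redirects.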

