[Chugalug] security: apt redirect bug (fwd)

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

[Chugalug] security: apt redirect bug (fwd)

kitepilot
Probably important.
Cugalug has beee pretty quiet lately.
Too quiet...
Makes you go Hmmmmmmm...


 ---------- Forwarded message ----------
Date: Wed, 23 Jan 2019 05:07:55 +0000 (UTC)
From: "der.hans" <[hidden email]>
To: quatsch <[hidden email]>
Subject: security: apt redirect bug
Message-ID: <alpine.DEB.2.11.1901230425300.298@post>

moin moin,

a security flaw was discovered in apt that allows a remote man in the
middle attacker to inject a malicious package that will be installed by
root.

Use '-o Acquire::http::AllowRedirect=false' option for apt tools to
disable the redirect that's vulnerable in order to install the updates.

Also, use upgrade rather than dist-upgrade or full-upgrade for now to
prevent installation of packages that aren't already installed.

In fact, perhaps look at the upgrade list and specifically install the apt
packages from it.

Disabling AllowRedirect has been working for me with both debian and
Ubuntu.

 --
apt -o Acquire::http::AllowRedirect=false update
apt -o Acquire::http::AllowRedirect=false upgrade
 --

https://lists.debian.org/debian-security-announce/2019/msg00010.html 

ciao,

der.hans
 -- #  https://www.LuftHans.com   https://www.PhxLinux.org
#  ... All true wisdom is found on T-shirts.
 ---------------------------------------------------
PLUG-discuss mailing list - [hidden email]
To subscribe, unsubscribe, or to change your mail settings:
https://lists.phxlinux.org/mailman/listinfo/plug-discuss
_______________________________________________
Chugalug mailing list
[hidden email]
http://chugalug.org/cgi-bin/mailman/listinfo/chugalug