On Tue, 2019-01-22 at 13:17 +0100, Yves-Alexis Perez wrote:
> -------------------------------------------------------------------------
> Debian Security Advisory DSA-4371-1                   secur...@debian.org
> https://www.debian.org/security/                        Yves-Alexis Perez
> January 22, 2019                      https://www.debian.org/security/faq
> -------------------------------------------------------------------------
> Package        : apt
> CVE ID         : CVE-2019-3462
> Max Justicz discovered a vulnerability in APT, the high level package manager.
> The code handling HTTP redirects in the HTTP transport method doesn't properly
> sanitize fields transmitted over the wire. This vulnerability could be used by
> an attacker located as a man-in-the-middle between APT and a mirror to inject
> malicious content in the HTTP connection. This content could then be recognized
> as a valid package by APT and used later for code execution with root
> privileges on the target machine.

This presumably needs to be fixed for jessie LTS as well, and I see
Chris Lamb has claimed it.

However, APT is used during initial installation and we don't have any
provision for updating installer images during LTS.  So we're either
going to have to revisit that or come up with some kind of workaround
for installation time.


Ben Hutchings
Power corrupts.  Absolute power is kind of neat. - John Lehman
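The advisory quoted above says the HTTP transport method did not properly sanitize fields received over the wire while following redirects. As an added illustration of the defensive check that class of bug calls for (this is not APT's code and not part of the thread), the Python below validates a redirect `Location` value before anything with higher privilege acts on it: the value must be a single line of printable ASCII forming an absolute http(s) URL, so embedded CR/LF or other control bytes cannot smuggle an extra field past the parser. The sample values are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed sample Location values (not taken from the advisory or from APT).
CLEAN_LOCATION = "http://mirror.example/pool/main/p/pkg/pkg_1.0_amd64.deb"
INJECTED_LOCATION = "http://mirror.example/pkg_1.0_amd64.deb\r\nX-Extra: field"
RELATIVE_LOCATION = "/pool/main/p/pkg/pkg_1.0_amd64.deb"


def validate_redirect_location(value, allowed_schemes=("http", "https")):
    """Validate a redirect target received over the wire before any
    higher-privilege component consumes it.

    Accepts only a non-empty absolute http(s) URL made of printable ASCII
    with no whitespace or control characters. Returns the value unchanged
    on success and raises ValueError otherwise.
    """
    if not isinstance(value, str) or not value:
        raise ValueError("empty Location")
    # A header field value is a single line. CR, LF, other control bytes
    # or non-ASCII mean the field boundary can no longer be trusted, so
    # the whole response is rejected rather than partially accepted.
    for ch in value:
        if not 0x21 <= ord(ch) <= 0x7E:
            raise ValueError("forbidden byte 0x%02x in Location" % ord(ch))
    parts = urlsplit(value)
    if parts.scheme not in allowed_schemes:
        raise ValueError("unexpected scheme %r" % parts.scheme)
    if not parts.netloc:
        raise ValueError("relative redirect not accepted")
    return value


def check(value):
    """Convenience wrapper: True if the value is accepted, False otherwise."""
    try:
        validate_redirect_location(value)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for loc in (CLEAN_LOCATION, INJECTED_LOCATION, RELATIVE_LOCATION):
        print("%-4s %r" % ("ok" if check(loc) else "drop", loc))
```

The point of refusing the whole value, rather than stripping the offending bytes, is that a transport layer cannot know how a downstream consumer will re-parse a "cleaned" field; a hard reject is the only outcome that cannot be turned into a different injection.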
