On Tue, Jan 22, 2019 at 01:44:12PM +0000, Ben Hutchings wrote:
>On Tue, 2019-01-22 at 13:17 +0100, Yves-Alexis Perez wrote:
>> -------------------------------------------------------------------------
>> Debian Security Advisory DSA-4371-1                   secur...@debian.org
>> https://www.debian.org/security/                        Yves-Alexis Perez
>> January 22, 2019                      https://www.debian.org/security/faq
>> -------------------------------------------------------------------------
>> Package        : apt
>> CVE ID         : CVE-2019-3462
>> Max Justicz discovered a vulnerability in APT, the high level package 
>> manager.
>> The code handling HTTP redirects in the HTTP transport method doesn't 
>> properly
>> sanitize fields transmitted over the wire. This vulnerability could be used 
>> by
>> an attacker located as a man-in-the-middle between APT and a mirror to inject
>> malicous content in the HTTP connection. This content could then be 
>> recognized
>> as a valid package by APT and used later for code execution with root
>> privileges on the target machine.
>This presumably needs to be fixed for jessie LTS as well, and I see
>Chris Lamb has claimed it.
>However, APT is used during initial installation and we don't have any
>provision for updating installer images during LTS.  So we're either
>going to have to revisit that or come up with some kind of workaround
>for installation time.

I can help with new jessie installation images, but it'll need a bit
of prep work. debian-cd doesn't pull from security or lts by default.

Steve McIntyre, Cambridge, UK.                                st...@einval.com
"Managing a volunteer open source project is a lot like herding
 kittens, except the kittens randomly appear and disappear because they
 have day jobs." -- Matt Mackall

Reply via email to