On Tue, Jan 22, 2019 at 01:44:12PM +0000, Ben Hutchings wrote:
> On Tue, 2019-01-22 at 13:17 +0100, Yves-Alexis Perez wrote:
> > -------------------------------------------------------------------------
> > Debian Security Advisory DSA-4371-1                   secur...@debian.org
> > https://www.debian.org/security/                        Yves-Alexis Perez
> > January 22, 2019                      https://www.debian.org/security/faq
> > -------------------------------------------------------------------------
> >
> > Package        : apt
> > CVE ID         : CVE-2019-3462
> >
> > Max Justicz discovered a vulnerability in APT, the high level package
> > manager. The code handling HTTP redirects in the HTTP transport method
> > doesn't properly sanitize fields transmitted over the wire. This
> > vulnerability could be used by an attacker located as a man-in-the-middle
> > between APT and a mirror to inject malicious content in the HTTP
> > connection. This content could then be recognized as a valid package by
> > APT and used later for code execution with root privileges on the target
> > machine.
> [...]
>
> This presumably needs to be fixed for jessie LTS as well, and I see
> Chris Lamb has claimed it.
Julian has already uploaded a fixed package, this only needs the DLA mail
at this point.

Cheers,
Moritz