On Tue, 2019-01-22 at 13:50 +0000, Steve McIntyre wrote:
> On Tue, Jan 22, 2019 at 01:44:12PM +0000, Ben Hutchings wrote:
> > On Tue, 2019-01-22 at 13:17 +0100, Yves-Alexis Perez wrote:
> > > -------------------------------------------------------------------------
> > > Debian Security Advisory DSA-4371-1                   secur...@debian.org
> > > https://www.debian.org/security/                        Yves-Alexis Perez
> > > January 22, 2019                      https://www.debian.org/security/faq
> > > -------------------------------------------------------------------------
> > > 
> > > Package        : apt
> > > CVE ID         : CVE-2019-3462
> > > 
> > > Max Justicz discovered a vulnerability in APT, the high level package
> > > manager. The code handling HTTP redirects in the HTTP transport method
> > > doesn't properly sanitize fields transmitted over the wire. This
> > > vulnerability could be used by an attacker located as a man-in-the-middle
> > > between APT and a mirror to inject malicious content in the HTTP
> > > connection. This content could then be recognized as a valid package by
> > > APT and used later for code execution with root privileges on the target
> > > machine.
> > [...]
> > 
> > This presumably needs to be fixed for jessie LTS as well, and I see
> > Chris Lamb has claimed it.
> > 
> > However, APT is used during initial installation and we don't have any
> > provision for updating installer images during LTS.  So we're either
> > going to have to revisit that or come up with some kind of workaround
> > for installation time.
> 
> I can help with new jessie installation images, but it'll need a bit
> of prep work. debian-cd doesn't pull from security or lts by default.

Would it be any easier to stick with oldstable as a base and explicitly
replace specific packages?

Ben.

-- 
Ben Hutchings
The most exhausting thing in life is being insincere.
                                                 - Anne Morrow Lindberg
