https://justi.cz/security/2019/01/22/apt-rce.html
A patch is out to cover this vulnerability, but I'm of the opinion that it may be best to move the qubes-update-proxy worker VMs to a disposable VM model after reading up on this one. Granted, at first glance it appears that the use of the qubes-update-proxy certainly helps, but using disposable VMs might provide an extra layer of protection. Also a good reason to ensure all of the URLs used for repositories are HTTPS, of course. Brendan -- You received this message because you are subscribed to the Google Groups "qubes-devel" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-devel/7d56a87a-a6e9-4e48-8db7-319b47677ab1%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
