Marek Marczykowski-Górecki:

The Debian Security Team has announced a security vulnerability
(DSA-4371-1) in the Advanced Package Tool (APT).  The vulnerability lies
in the way APT performs HTTP redirect handling when downloading
packages. Exploitation of this vulnerability could lead to privilege
escalation [1] inside an APT-based VM, such as a Debian or Whonix VM.
This bug does _not_ allow escape from any VM or enable any attacks on
other parts of the Qubes system. In particular, this bug does _not_
affect dom0, the Xen hypervisor, or any non-APT-based VMs. Nevertheless,
we have decided to release this bulletin, because if a TemplateVM is
affected, then every VM based on that template is affected.


Does this vulnerability apply to whonix users who download updates over tor from .onion repos?

My understanding is that it shouldn't, since the exit node operator or any other MITM doesn't even know it's apt traffic, they just see encrypted traffic to a hidden service.

Is this right, or am i not understanding something?


You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
To post to this group, send email to
To view this discussion on the web visit
For more options, visit

Reply via email to