-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On Thu, Jan 24, 2019 at 01:10:42AM +0000, js...@bitmessage.ch wrote: > Marek Marczykowski-Górecki: > > Summary > > ======== > > > > The Debian Security Team has announced a security vulnerability > > (DSA-4371-1) in the Advanced Package Tool (APT). The vulnerability lies > > in the way APT performs HTTP redirect handling when downloading > > packages. Exploitation of this vulnerability could lead to privilege > > escalation [1] inside an APT-based VM, such as a Debian or Whonix VM. > > This bug does _not_ allow escape from any VM or enable any attacks on > > other parts of the Qubes system. In particular, this bug does _not_ > > affect dom0, the Xen hypervisor, or any non-APT-based VMs. Nevertheless, > > we have decided to release this bulletin, because if a TemplateVM is > > affected, then every VM based on that template is affected. > > Hi, > > Does this vulnerability apply to whonix users who download updates over tor > from .onion repos? > > My understanding is that it shouldn't, since the exit node operator or any > other MITM doesn't even know it's apt traffic, they just see encrypted > traffic to a hidden service. > > Is this right, or am i not understanding something?
In case of onion indeed MitM attack is not that easy, but if someone takes over Debian (or Whonix) mirrors still could perform the attack. - -- Best Regards, Marek Marczykowski-Górecki Invisible Things Lab A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? -----BEGIN PGP SIGNATURE----- iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAlxJE2sACgkQ24/THMrX 1yxbaAf+LBDndywJFQnv8ecVh3MADbYF3I1fpBJuPFP58MW3Iti2zB1US0jcxFbk 9GevFxLRd0f0u6sblyX+lko8f469gGhl/N0eK5Tl77omJNQc2on5uZb9pPotuuAi 0S8f49SJhl7B1WaJLKV9MAL2sXraHfZ59juQaLmQiSearuJcanPJAqEM/D0OI/aT BWTc/fsjDpfQ9hV/BQcEOjoOqKuwnZDBLSrXR/ychWFA0zRPzmFtJjA6shFprPf1 NGxhdabDWSEzcKGyUW+GM/eoBo3qwH7cvQk9tHBFJfSpDDUAmgkodCO3PfVYw44L 5wAONEFFZZJH8xs7V/NSo9nqZVjuKQ== =zzzU -----END PGP SIGNATURE----- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20190124012252.GA9610%40mail-itl. For more options, visit https://groups.google.com/d/optout.
