-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On Thu, Jan 24, 2019 at 01:10:42AM +0000, js...@bitmessage.ch wrote:
> Marek Marczykowski-Górecki:
> > Summary
> > ========
> > 
> > The Debian Security Team has announced a security vulnerability
> > (DSA-4371-1) in the Advanced Package Tool (APT).  The vulnerability lies
> > in the way APT performs HTTP redirect handling when downloading
> > packages. Exploitation of this vulnerability could lead to privilege
> > escalation [1] inside an APT-based VM, such as a Debian or Whonix VM.
> > This bug does _not_ allow escape from any VM or enable any attacks on
> > other parts of the Qubes system. In particular, this bug does _not_
> > affect dom0, the Xen hypervisor, or any non-APT-based VMs. Nevertheless,
> > we have decided to release this bulletin, because if a TemplateVM is
> > affected, then every VM based on that template is affected.
> 
> Hi,
> 
> Does this vulnerability apply to whonix users who download updates over tor
> from .onion repos?
> 
> My understanding is that it shouldn't, since the exit node operator or any
> other MITM doesn't even know it's apt traffic, they just see encrypted
> traffic to a hidden service.
> 
> Is this right, or am i not understanding something?

In case of onion indeed MitM attack is not that easy, but if someone
takes over Debian (or Whonix) mirrors still could perform the attack.

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAlxJE2sACgkQ24/THMrX
1yxbaAf+LBDndywJFQnv8ecVh3MADbYF3I1fpBJuPFP58MW3Iti2zB1US0jcxFbk
9GevFxLRd0f0u6sblyX+lko8f469gGhl/N0eK5Tl77omJNQc2on5uZb9pPotuuAi
0S8f49SJhl7B1WaJLKV9MAL2sXraHfZ59juQaLmQiSearuJcanPJAqEM/D0OI/aT
BWTc/fsjDpfQ9hV/BQcEOjoOqKuwnZDBLSrXR/ychWFA0zRPzmFtJjA6shFprPf1
NGxhdabDWSEzcKGyUW+GM/eoBo3qwH7cvQk9tHBFJfSpDDUAmgkodCO3PfVYw44L
5wAONEFFZZJH8xs7V/NSo9nqZVjuKQ==
=zzzU
-----END PGP SIGNATURE-----

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20190124012252.GA9610%40mail-itl.
For more options, visit https://groups.google.com/d/optout.

Reply via email to