Re: APT vulnerability [DSA 4371-1]
On 1/22/19 3:43 PM, Evgeny Kapun wrote:
> On 22.01.2019 16:59, Vladislav Kurz wrote:
>> Hello everybody,
>>
>> I'm also encountering many errors when using
>> apt -o Acquire::http::AllowRedirect=false update
>> apt -o Acquire::http::AllowRedirect=false upgrade
>>
>> As written in announcement: This is known to break some proxies when
>> used against security.debian.org.
>>
>> However I do not use proxy at all. I have problems with jessie/updates,
>> cdn.debian.net, and http.debian.net
>
> Try these URLs: http://cdn-fastly.deb.debian.org/debian,
> http://cdn-fastly.deb.debian.org/debian-security. The domains
> cdn.debian.net and http.debian.net are deprecated, use deb.debian.org
> instead.

Thanks for this info. It seems that jessie needs the above direct URL to
fastly even if not behind proxy (can't use SRV records).

--
Best Regards
Vladislav Kurz
Re: APT vulnerability [DSA 4371-1]
FYI, I wrote a script to check the amd64 packages against the published
hash, if anyone wants to use it, it is attached.

.hc

Evgeny Kapun:
> On 22.01.2019 16:59, Vladislav Kurz wrote:
>> Hello everybody,
>>
>> is this vulnerability affecting also apt-get ?
>
> Yes, the vulnerability is in http backend, which is used by apt-get.
>
>> If yes, will there be another DSA soon?
>
> No, because apt-get tool is in the package apt.
>
>> I'm also encountering many errors when using
>> apt -o Acquire::http::AllowRedirect=false update
>> apt -o Acquire::http::AllowRedirect=false upgrade
>>
>> As written in announcement: This is known to break some proxies when
>> used against security.debian.org.
>>
>> However I do not use proxy at all. I have problems with jessie/updates,
>> cdn.debian.net, and http.debian.net
>
> Try these URLs: http://cdn-fastly.deb.debian.org/debian,
> http://cdn-fastly.deb.debian.org/debian-security. The domains
> cdn.debian.net and http.debian.net are deprecated, use deb.debian.org
> instead.
>
>> Err http://security.debian.org jessie/updates/main i386 Packages
>> 302 Found [IP: 217.196.149.233 80]
>> Err http://security.debian.org jessie/updates/contrib i386 Packages
>> 302 Found [IP: 217.196.149.233 80]
>> Err http://security.debian.org jessie/updates/non-free i386 Packages
>> 302 Found [IP: 217.196.149.233 80]
>> Fetched 151 kB in 9s (16.2 kB/s)
>>
>> Err:14 http://cdn.debian.net/debian stretch Release
>> 302 Found [IP: 2001:4f8:1:c::15 80]
>> Err:15 http://cdn.debian.net/debian stretch-updates Release
>> 302 Found [IP: 2001:4f8:1:c::15 80]
>> Err:16 http://cdn.debian.net/debian stretch-backports Release
>> 302 Found [IP: 2001:4f8:1:c::15 80]
>>
>> Err:7 http://http.debian.net/debian stretch Release
>> 302 Found [IP: 2001:67c:2564:a119::148:14 80]
>> Err:8 http://http.debian.net/debian stretch-updates Release
>> 302 Found [IP: 2001:67c:2564:a119::148:14 80]
>> Err:9 http://http.debian.net/debian stretch-backports Release
>> 302 Found [IP: 2001:67c:2564:a119::148:14 80]
>>
>>
>

check.sh
Description: application/shellscript

signature.asc
Description: OpenPGP digital signature
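
A check of the kind described in this message, as an added example; it is not the attached check.sh and not code from anyone in the thread. It assumes a `Packages` index taken from a repository whose signed Release file was already verified, and `.deb` files stored under the basename of each stanza's `Filename:` field; the function name `verify_debs` is hypothetical.

```shell
#!/bin/sh
# Added example, not the check.sh attached to the message above.
# verify_debs PACKAGES_FILE DEB_DIR   (hypothetical helper name)
# Compares each .deb in DEB_DIR with the SHA256 published in PACKAGES_FILE.
# Prints OK, MISMATCH or MISSING per index entry; returns 1 on any mismatch.
verify_debs() {
    packages=$1
    dir=$2
    status=0
    # Collect "sha256 filename" pairs; index stanzas are separated by
    # blank lines, and the last stanza may end at end of file.
    list=$(awk '
        $1 == "Filename:" { file = $2 }
        $1 == "SHA256:"   { sum = $2 }
        /^$/ { if (file != "" && sum != "") print sum, file; file = ""; sum = "" }
        END  { if (file != "" && sum != "") print sum, file }
    ' "$packages")
    while read -r want path; do
        [ -n "$want" ] || continue
        # Assumption: the local file is named like the pool file.
        deb="$dir/$(basename "$path")"
        if [ ! -f "$deb" ]; then
            echo "MISSING  $path"
            continue
        fi
        have=$(sha256sum "$deb" | cut -d' ' -f1)
        if [ "$have" = "$want" ]; then
            echo "OK       $path"
        else
            # The file on disk is not the one the archive published.
            echo "MISMATCH $path"
            status=1
        fi
    done <<EOF
$list
EOF
    return $status
}
```

Files in /var/cache/apt/archives can carry an epoch in their name (`%3a`), which the pool basename lacks, so those need a name mapping before this comparison.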
Re: APT vulnerability [DSA 4371-1]
On 22.01.2019 16:59, Vladislav Kurz wrote:
> Hello everybody,
>
> is this vulnerability affecting also apt-get ?

Yes, the vulnerability is in http backend, which is used by apt-get.

> If yes, will there be another DSA soon?

No, because apt-get tool is in the package apt.

> I'm also encountering many errors when using
> apt -o Acquire::http::AllowRedirect=false update
> apt -o Acquire::http::AllowRedirect=false upgrade
>
> As written in announcement: This is known to break some proxies when
> used against security.debian.org.
>
> However I do not use proxy at all. I have problems with jessie/updates,
> cdn.debian.net, and http.debian.net

Try these URLs: http://cdn-fastly.deb.debian.org/debian,
http://cdn-fastly.deb.debian.org/debian-security. The domains
cdn.debian.net and http.debian.net are deprecated, use deb.debian.org
instead.

> Err http://security.debian.org jessie/updates/main i386 Packages
> 302 Found [IP: 217.196.149.233 80]
> Err http://security.debian.org jessie/updates/contrib i386 Packages
> 302 Found [IP: 217.196.149.233 80]
> Err http://security.debian.org jessie/updates/non-free i386 Packages
> 302 Found [IP: 217.196.149.233 80]
> Fetched 151 kB in 9s (16.2 kB/s)
>
> Err:14 http://cdn.debian.net/debian stretch Release
> 302 Found [IP: 2001:4f8:1:c::15 80]
> Err:15 http://cdn.debian.net/debian stretch-updates Release
> 302 Found [IP: 2001:4f8:1:c::15 80]
> Err:16 http://cdn.debian.net/debian stretch-backports Release
> 302 Found [IP: 2001:4f8:1:c::15 80]
>
> Err:7 http://http.debian.net/debian stretch Release
> 302 Found [IP: 2001:67c:2564:a119::148:14 80]
> Err:8 http://http.debian.net/debian stretch-updates Release
> 302 Found [IP: 2001:67c:2564:a119::148:14 80]
> Err:9 http://http.debian.net/debian stretch-backports Release
> 302 Found [IP: 2001:67c:2564:a119::148:14 80]
APT vulnerability [DSA 4371-1]
Hello everybody,

is this vulnerability affecting also apt-get ?

If yes, will there be another DSA soon?

I'm also encountering many errors when using
apt -o Acquire::http::AllowRedirect=false update
apt -o Acquire::http::AllowRedirect=false upgrade

As written in announcement: This is known to break some proxies when
used against security.debian.org.

However I do not use proxy at all. I have problems with jessie/updates,
cdn.debian.net, and http.debian.net

Err http://security.debian.org jessie/updates/main i386 Packages
302 Found [IP: 217.196.149.233 80]
Err http://security.debian.org jessie/updates/contrib i386 Packages
302 Found [IP: 217.196.149.233 80]
Err http://security.debian.org jessie/updates/non-free i386 Packages
302 Found [IP: 217.196.149.233 80]
Fetched 151 kB in 9s (16.2 kB/s)

Err:14 http://cdn.debian.net/debian stretch Release
302 Found [IP: 2001:4f8:1:c::15 80]
Err:15 http://cdn.debian.net/debian stretch-updates Release
302 Found [IP: 2001:4f8:1:c::15 80]
Err:16 http://cdn.debian.net/debian stretch-backports Release
302 Found [IP: 2001:4f8:1:c::15 80]

Err:7 http://http.debian.net/debian stretch Release
302 Found [IP: 2001:67c:2564:a119::148:14 80]
Err:8 http://http.debian.net/debian stretch-updates Release
302 Found [IP: 2001:67c:2564:a119::148:14 80]
Err:9 http://http.debian.net/debian stretch-backports Release
302 Found [IP: 2001:67c:2564:a119::148:14 80]

--
Best Regards
Vladislav Kurz