External check

2016-12-15 Thread Raphael Geissert
CVE-2016-8612: RESERVED
--
The output might be a bit terse, but the above ids are known elsewhere, check the references in the tracker. The second part indicates the status of that id in the tracker at the moment the script was run.

Re: not getting compromised while applying apt-get upgrade for CVE-2016-1252

2016-12-15 Thread Geert Stappers
On Thu, Dec 15, 2016 at 09:43:59PM +0100, SZÉPE Viktor wrote:
> Quoting Patrick Schleizer:
>
> >Very short summary of the bug:
> >(my own words) During apt-get upgrading signature verification can be
> >tricked resulting in arbitrary package installation, system compromise.

Re: not getting compromised while applying apt-get upgrade for CVE-2016-1252

2016-12-15 Thread Paul Wise
On Fri, Dec 16, 2016 at 4:33 AM, Patrick Schleizer wrote:
> Is it possible to disable InRelease processing by apt-get?

The answer from #debian-apt is that there is no setting for this.

Your options are:

Use an intercepting proxy that replies with 404 to InRelease files.

Do an apt update to

Re: not getting compromised while applying apt-get upgrade for CVE-2016-1252

2016-12-15 Thread SZÉPE Viktor
Hello Patrick!

You may download the new package
http://security.debian.org/debian-security/pool/updates/main/a/apt/apt_1.0.9.8.4_amd64.deb (for amd64)
and check its checksum
https://packages.debian.org/jessie/amd64/apt/download

$ sha256sum apt_1.0.9.8.4_amd64.deb

not getting compromised while applying apt-get upgrade for CVE-2016-1252

2016-12-15 Thread Patrick Schleizer
TLDR: Is it possible to disable InRelease processing by apt-get?

Long:

Very short summary of the bug:
(my own words) During apt-get upgrading signature verification can be tricked resulting in arbitrary package installation, system compromise.

sources: -