On 12/19/2016 06:26 PM, Patrick Schleizer wrote:
What about Debian graphical installer security?
Isn't that in meanwhile the ideal target for exploitation for targeted
attacks? Because it will take a while until the Debian point release
with fixed apt.
And during the gui installer, the output
What about Debian graphical installer security?
Isn't that in meanwhile the ideal target for exploitation for targeted
attacks? Because it will take a while until the Debian point release
with fixed apt.
And during the gui installer, the output of apt-get is not visible. And
stuff during
On Sat, 17 Dec 2016, Hans-Christoph Steiner wrote:
> One thing that would help a lot with future issues like this is to use
> only encrypted connections in /etc/apt/sources.list. That can be either
> HTTPS or a Tor Hidden Service .onion address. For in depth discussion
> of this, see:
You could
Patrick Schleizer:
> Julian Andres Klode:
>> (2) look at the InRelease file and see if it contains crap
>> after you updated (if it looks OK, it's secure - you need
>> fairly long lines to be able to break this)
>
> Thank you for that hint, Julian!
>
> Can you please elaborate on this?
On Sat, 2016-12-17 at 04:42 +0100, Marek Marczykowski-Górecki wrote:
> On Sat, Dec 17, 2016 at 02:47:28AM +0100, David Kalnischkies wrote:
> > In terms of stable (which seems to be what you are asking about) there
> > is a trivial 99,9% shortcut: stable has no InRelease file for technical
> >
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
On Sat, Dec 17, 2016 at 02:47:28AM +0100, David Kalnischkies wrote:
> The provided exploit used a 1.3 GB big InRelease file for that, which
> works with some confidence on a sufficiently memory-starved i386 system
> if you can live with the fact
First things first:
If you really want to pull packages by hand you need to pull libapt-pkg
as the faulty code is in the apt library (aka it affects aptitude,
synaptics, …). Updating apt only isn't changing anything…
Second: The DSA unfortunately didn't mention apt-ftparchive – if you
don't trust
On Fri, Dec 16, 2016 at 10:32:00PM +, Patrick Schleizer wrote:
> Julian Andres Klode:
> > (2) look at the InRelease file and see if it contains crap
> > after you updated (if it looks OK, it's secure - you need
> > fairly long lines to be able to break this)
>
> Thank you for that
Julian Andres Klode:
> (2) look at the InRelease file and see if it contains crap
> after you updated (if it looks OK, it's secure - you need
> fairly long lines to be able to break this)
Thank you for that hint, Julian!
Can you please elaborate on this? (I am asking for Qubes and Whonix
Quoting Geert Stappers :
On Thu, Dec 15, 2016 at 09:43:59PM +0100, SZÉPE Viktor wrote:
Quoting Patrick Schleizer :
>Very short summary of the bug:
>(my own words) During apt-get upgrading signature verification can be
>tricked resulting in
Geert Stappers:
> On Thu, Dec 15, 2016 at 09:43:59PM +0100, SZÉPE Viktor wrote:
>> Quoting Patrick Schleizer :
>>
>>> Very short summary of the bug:
>>> (my own words) During apt-get upgrading signature verification can be
>>> tricked resulting in arbitrary package
On Thu, Dec 15, 2016 at 09:43:59PM +0100, SZÉPE Viktor wrote:
> Quoting Patrick Schleizer :
>
> >Very short summary of the bug:
> >(my own words) During apt-get upgrading signature verification can be
> >tricked resulting in arbitrary package installation, system compromise.
On Fri, Dec 16, 2016 at 4:33 AM, Patrick Schleizer wrote:
> Is it possible to disable InRelease processing by apt-get?
The answer from #debian-apt is that there is no setting for this.
Your options are:
Use an intercepting proxy that replies with 404 to InRelease files.
Do an apt update to
Hello Patrick!
You may download the new package
http://security.debian.org/debian-security/pool/updates/main/a/apt/apt_1.0.9.8.4_amd64.deb
(for amd64)
and check its checksum
https://packages.debian.org/jessie/amd64/apt/download
$ sha256sum apt_1.0.9.8.4_amd64.deb
TLDR:
Is it possible to disable InRelease processing by apt-get?
Long:
Very short summary of the bug:
(my own words) During apt-get upgrading signature verification can be
tricked resulting in arbitrary package installation, system compromise.
sources:
-