[Touch-packages] [Bug 1812353] Re: content injection in http method (CVE-2019-3462)

2019-01-24 Thread Erlenmayr
@Christoph: You can put HTTPS URLs into your "sources.list"; many mirrors support it. The package "apt-transport-https" is not required; that is outdated information. APT has supported HTTPS out of the box for a while now, it is just not the default. Packages will still be validated using the Debian

[Touch-packages] [Bug 1812353] Re: content injection in http method (CVE-2019-3462)

2019-01-23 Thread Christoph Anton Mitterer
Or is there anything going to happen wrt https/TLS? I, personally, am not convinced of doing this... In this specific case, a rogue mirror could have still exploited the hole, and I'd assume there is nothing done to check the trustworthiness of mirror operators (there's no real way to do

[Touch-packages] [Bug 1812353] Re: content injection in http method (CVE-2019-3462)

2019-01-23 Thread Christoph Anton Mitterer
Hmm, that's pretty bad then (which is not to be read as blaming you or anyone else here). Are there going to be any… "consequences"? I mean, trying to find out whether systems have been compromised is probably impossible... an attacker could have used this long ago to basically do everything,

[Touch-packages] [Bug 1812353] Re: content injection in http method (CVE-2019-3462)

2019-01-23 Thread Julian Andres Klode
@calestyo well, it is as catastrophic as it reads. You might want to read Max's blog post for more information about how he discovered it: https://justi.cz/security/2019/01/22/apt-rce.html -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is

[Touch-packages] [Bug 1812353] Re: content injection in http method (CVE-2019-3462)

2019-01-22 Thread Launchpad Bug Tracker
This bug was fixed in the package apt - 1.8.0~alpha3.1 --- apt (1.8.0~alpha3.1) unstable; urgency=emergency * SECURITY UPDATE: content injection in http method (CVE-2019-3462) (LP: #1812353) -- Julian Andres Klode Tue, 22 Jan 2019 19:52:38 +0100 ** Changed in: apt (Ubuntu

[Touch-packages] [Bug 1812353] Re: content injection in http method (CVE-2019-3462)

2019-01-22 Thread Christoph Anton Mitterer
Is there any more detailed evaluation of this hole? It reads as absolutely catastrophic, like secure APT has basically been broken since 2011,… and if anyone has found that issue before (which one must assume in the worst case) any code could have been rather easily introduced in any Debian based

[Touch-packages] [Bug 1812353] Re: content injection in http method (CVE-2019-3462)

2019-01-22 Thread Ubuntu Foundations Team Bug Bot
** Tags added: patch

[Touch-packages] [Bug 1812353] Re: content injection in http method (CVE-2019-3462)

2019-01-22 Thread Marc Deslauriers
** Changed in: apt (Ubuntu Precise) Status: New => Fix Released

[Touch-packages] [Bug 1812353] Re: content injection in http method (CVE-2019-3462)

2019-01-22 Thread Erlenmayr
There would be a much lower risk if HTTP (without TLS) were not still the default for repositories. This can actually also be abused by a MitM, he can always make your APT think that there are no new updates (a simple 304 Not Modified works), and then exploit recent vulnerabilities of which you

[Touch-packages] [Bug 1812353] Re: content injection in http method (CVE-2019-3462)

2019-01-22 Thread Launchpad Bug Tracker
This bug was fixed in the package apt - 1.6.6ubuntu0.1 --- apt (1.6.6ubuntu0.1) bionic-security; urgency=medium * SECURITY UPDATE: content injection in http method (CVE-2019-3462) (LP: #1812353) -- Julian Andres Klode Fri, 18 Jan 2019 11:39:50 +0100 ** Changed in: apt

[Touch-packages] [Bug 1812353] Re: content injection in http method (CVE-2019-3462)

2019-01-22 Thread Julian Andres Klode
** Information type changed from Private Security to Public Security