@Christoph: You can put HTTPS URLs into your "sources.list", many mirrors support it. The package "apt-transport-https" is not required, that is outdated information. APT supports HTTPS out of the box for a while now, it is just not the default. Packets will still be validated using the Debian release OpenPGP key, regardless of which method of transport you use.
> an attacker could have used this long ago to basically do everything That is the case for any kind of security vulnerability. But the risk is much higher after the bug is published. > But is there a chance to e.g. get full audits of apt done by security experts? Bugs happen, audits don't find all bugs. APT has been around for a while and as a core infrastructure was reviewed by many people. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apt in Ubuntu. https://bugs.launchpad.net/bugs/1812353 Title: content injection in http method (CVE-2019-3462) Status in apt package in Ubuntu: Fix Released Status in apt source package in Precise: Fix Released Status in apt source package in Trusty: Fix Released Status in apt source package in Xenial: Fix Released Status in apt source package in Bionic: Fix Released Status in apt source package in Cosmic: Fix Released Status in apt source package in Disco: Fix Released Bug description: apt, starting with version 0.8.15, decodes target URLs of redirects, but does not check them for newlines, allowing MiTM attackers (or repository mirrors) to inject arbitrary headers into the result returned to the main process. If the URL embeds hashes of the supposed file, it can thus be used to disable any validation of the downloaded file, as the fake hashes will be prepended in front of the right hashes. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1812353/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp