There would be a much lower risk if HTTP (without TLS) were not still the default for repositories.
This can actually also be abused by a MitM, he can always make your APT think that there are no new updates (a simple 304 Not Modified works), and then exploit recent vulnerabilities of which you have not received the fix. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1812353 Title: content injection in http method (CVE-2019-3462) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1812353/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
