@Christoph: You can put HTTPS URLs into your "sources.list", many mirrors support it. The package "apt-transport-https" is not required, that is outdated information. APT supports HTTPS out of the box for a while now, it is just not the default. Packets will still be validated using the Debian release OpenPGP key, regardless of which method of transport you use.
> an attacker could have used this long ago to basically do everything That is the case for any kind of security vulnerability. But the risk is much higher after the bug is published. > But is there a chance to e.g. get full audits of apt done by security experts? Bugs happen, audits don't find all bugs. APT has been around for a while and as a core infrastructure was reviewed by many people. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1812353 Title: content injection in http method (CVE-2019-3462) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1812353/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
