
Debian: DLA-1637-1 Critical: APT HTTP Transport Code Execution Risk

Debian LTS advisory, published January 22, 2019
The latest APT package revision resolves a critical vulnerability, preventing potential man-in-the-middle attacks. Updating is advised to safeguard against possible threats.
(Amended to refer to jessie in the sources.list entry below, instead of stable.)

Max Justicz discovered a vulnerability in APT, the high-level package manager

Summary

Since the vulnerability is present in the package manager itself, it is
recommended to disable redirects in order to prevent exploitation during this
upgrade only, using:

apt -o Acquire::http::AllowRedirect=false update
apt -o Acquire::http::AllowRedirect=false upgrade

This is known to break some proxies when used against security.debian.org. If
that happens, people can switch their security APT source to use:

deb jessie/updates main

For Debian 8 "Jessie", this problem has been fixed in version 1.0.9.8.5.

We recommend that you upgrade your apt packages.

Specific upgrade instructions:

If upgrading using APT without redirect is not possible in your situation, you
can manually download the files (using wget/curl) for your architecture using
the URL provided below, verifying that the hashes match. Then you can install
them using dpkg -i.

Architecture independent files:

Size/SHA256 checksum: 301106 47df9567e45fadcd2a56c0fd3d514d8136f2f206aa7baa47405c6fcb94824ab6
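As an added example, not part of the Debian advisory, the POSIX shell functions below check a manually downloaded .deb against the size and SHA256 values quoted in a "Size/SHA256 checksum:" line before dpkg -i is ever invoked; the file path and the two advisory values are passed as arguments, and the download URL (not present on this page) is assumed to come from the full advisory.

```shell
#!/bin/sh
# Added example: out-of-band integrity check for a .deb fetched with wget/curl.
# Because this download bypasses APT's signed-index chain, the advisory hash
# and size are the only integrity control, so both must match exactly.

# sha256_of FILE: print the hex digest (sha256sum on Linux, shasum fallback).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_deb FILE SIZE SHA256
# Returns 0 only if FILE exists, is exactly SIZE bytes and hashes to SHA256
# (the two fields of the advisory's "Size/SHA256 checksum:" line).
verify_deb() {
    file=$1; want_size=$2; want_sha=$3
    [ -f "$file" ] || { echo "missing file: $file" >&2; return 1; }
    have_size=$(wc -c < "$file" | tr -d ' ')
    have_sha=$(sha256_of "$file")
    if [ "$have_size" != "$want_size" ]; then
        echo "size mismatch for $file: got $have_size, want $want_size" >&2
        return 1
    fi
    if [ "$have_sha" != "$want_sha" ]; then
        echo "sha256 mismatch for $file: got $have_sha" >&2
        return 1
    fi
    return 0
}

# install_verified FILE SIZE SHA256: run dpkg -i only after verification passes.
# Usage (values from the advisory, file downloaded beforehand):
#   install_verified apt_1.0.9.8.5_all.deb 301106 47df9567e45fadcd2a56c0fd3d514d8136f2f206aa7baa47405c6fcb94824ab6
install_verified() {
    verify_deb "$1" "$2" "$3" || return 1
    dpkg -i "$1"
}
```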



Severity: critical

Package: apt
Version: 1.0.9.8.5
CVE ID: CVE-2019-3462
Debian Bug:
