  • [SECURITY] [DSA 4371-1] apt security update (1/4)

    From Yves-Alexis Perez@1:229/2 to All on Tue Jan 22 13:20:02 2019
    From: [email protected]

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA512

    - -------------------------------------------------------------------------
    Debian Security Advisory DSA-4371-1                   [email protected]
    https://www.debian.org/security/                       Yves-Alexis Perez
    January 22, 2019                      https://www.debian.org/security/faq
    - -------------------------------------------------------------------------

    Package : apt
    CVE ID : CVE-2019-3462

    Max Justicz discovered a vulnerability in APT, the high level package manager. The code handling HTTP redirects in the HTTP transport method doesn't properly sanitize fields transmitted over the wire. This vulnerability could be used by an attacker located as a man-in-the-middle between APT and a mirror to inject malicious content in the HTTP connection. This content could then be recognized as a valid package by APT and used later for code execution with root privileges on the target machine.

    Since the vulnerability is present in the package manager itself, it is recommended to disable redirects in order to prevent exploitation during this upgrade only, using:

    apt -o Acquire::http::AllowRedirect=false update
    apt -o Acquire::http::AllowRedirect=false upgrade

    This is known to break some proxies when used against security.debian.org. If that happens, people can switch their security APT source to use:

    deb http://cdn-fastly.deb.debian.org/debian-security stable/updates main

    For the stable distribution (stretch), this problem has been fixed in
    version 1.4.9.

    We recommend that you upgrade your apt packages.

    Specific upgrade instructions:

    If upgrading using APT without redirect is not possible in your situation, you can manually download the files (using wget/curl) for your architecture using the URL provided below, verifying that the hashes match. Then you can install them using dpkg -i.

    [continued in next message]

    --- SoupGate-Win32 v1.05
    * Origin: you cannot sedate... all the things you hate (1:229/2)
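
The manual path in the advisory (download, check the hashes, then `dpkg -i`) only helps if the check is done against the signed advisory text and fails closed. The script below is an added example, not part of the advisory or of APT: it reads line pairs in the advisory's layout (a URL, then `Size/SHA256 checksum: <bytes> <sha256>`) and checks files already downloaded into a directory. The function names, the `mirror.example` URL and the sample file are constructed for the demonstration.

```shell
#!/bin/sh
# Added example; file names, URL and contents below are constructed.

# verify_from_advisory MANIFEST DIR
# MANIFEST holds line pairs: a URL, then "Size/SHA256 checksum: <bytes> <sha256>".
# Returns 0 only if every listed file is present in DIR with that size and hash.
verify_from_advisory() {
    manifest=$1 dir=$2 url='' rc=0 seen=0
    # read with the default IFS trims the advisory's leading indentation
    while read -r line; do
        case $line in
            http://*|https://*) url=$line ;;
            "Size/SHA256 checksum: "*)
                [ -n "$url" ] || continue        # checksum line without a URL
                rest=${line#*: }
                want_size=${rest%% *} want_sha=${rest##* }
                file=$dir/${url##*/}; url=''
                seen=$((seen + 1))
                if [ ! -f "$file" ]; then echo "MISSING  $file"; rc=1; continue; fi
                got_size=$(wc -c < "$file" | tr -d ' ')
                got_sha=$(sha256sum "$file" | cut -d' ' -f1)
                if [ "$got_size" = "$want_size" ] && [ "$got_sha" = "$want_sha" ]; then
                    echo "OK       $file"
                else
                    echo "MISMATCH $file"; rc=1
                fi ;;
        esac
    done < "$manifest"
    [ "$seen" -gt 0 ] || rc=1                    # nothing listed, nothing verified
    return "$rc"
}

# Self-check on constructed data: a matching file passes, a same-size tampered one fails.
run_demo() {
    tmp=$(mktemp -d) || return 1
    f=$tmp/example_1.0_all.deb
    printf 'constructed package bytes\n' > "$f"
    printf '    http://mirror.example/pool/example_1.0_all.deb\n    Size/SHA256 checksum: %s %s\n' \
        "$(wc -c < "$f" | tr -d ' ')" "$(sha256sum "$f" | cut -d' ' -f1)" > "$tmp/advisory.txt"
    ok=1;  verify_from_advisory "$tmp/advisory.txt" "$tmp" && ok=0
    printf 'cOnstructed package bytes\n' > "$f"  # same length, different bytes
    bad=0; verify_from_advisory "$tmp/advisory.txt" "$tmp" || bad=1
    rm -rf "$tmp"
    [ "$ok" -eq 0 ] && [ "$bad" -ne 0 ]
}
run_demo
```

Check the PGP signature on the advisory before trusting its hashes, and run `dpkg -i` only when the function returns 0 for every file you intend to install.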