APT vulnerability
Posted: Wed Jan 23, 2019 8:38 am
by mmikeinsantarosa
Anybody else see this?
Debian Security Advisory
- mike
Re: APT vulnerability
Posted: Wed Jan 23, 2019 8:50 am
by Eadwine Rose
Re: APT vulnerability
Posted: Wed Jan 23, 2019 8:51 am
by dolphin_oracle
And already patched last night, I believe. You should see apt in your updates.
Re: APT vulnerability
Posted: Wed Jan 23, 2019 8:52 am
by philotux
I did the updates yesterday when they came through Synaptic. I wasn't then aware of the need to do
Code:
apt -o Acquire::http::AllowRedirect=false update
apt -o Acquire::http::AllowRedirect=false upgrade
Should I now remove those packages and run these codes and reinstall?
Re: APT vulnerability
Posted: Wed Jan 23, 2019 8:57 am
by dolphin_oracle
philotux wrote: Wed Jan 23, 2019 8:52 am
I did the updates yesterday when they came through Synaptic. I wasn't then aware of the need to do
Code:
apt -o Acquire::http::AllowRedirect=false update
apt -o Acquire::http::AllowRedirect=false upgrade
Should I now remove those packages and run these codes and reinstall?
I think it's already done.
The suggestion from Debian was to avoid man-in-the-middle attacks while doing the update. Once the update is done, you're done. The suggestion is a little cautious to do the manual disable of AllowRedirect, even if it's technically a correct suggestion.
Re: APT vulnerability
Posted: Wed Jan 23, 2019 9:00 am
by philotux
All is well then. Thanks!
Re: APT vulnerability
Posted: Wed Jan 23, 2019 9:05 am
by mmikeinsantarosa
Thanks. I missed the other post.
Re: APT vulnerability
Posted: Wed Jan 23, 2019 9:10 am
by sdibaja
The patch was published (in Debian) and we were able to update before the press release was made.
...
I assume MX has those updates also, but not really sure.
Re: APT vulnerability
Posted: Wed Jan 23, 2019 9:12 am
by kmathern
philotux wrote: Wed Jan 23, 2019 8:52 am
I did the updates yesterday when they came through Synaptic. I wasn't then aware of the need to do
Code:
apt -o Acquire::http::AllowRedirect=false update
apt -o Acquire::http::AllowRedirect=false upgrade
Should I now remove those packages and run these codes and reinstall?
You can't really remove and reinstall them because removing them results in the removal of most of the other package management tools too, including synaptic, gdebi & aptitude, which will make it difficult to reinstall things. (You might be able to reinstall the packages with dpkg.)
Re: APT vulnerability
Posted: Wed Jan 23, 2019 9:17 am
by philotux
kmathern wrote: Wed Jan 23, 2019 9:12 am
You can't really remove and reinstall them because removing them results in the removal of most of the other package management tools too, including synaptic, gdebi & aptitude, which will make it difficult to reinstall things. (You might be able to reinstall the packages with dpkg.)
Thanks for this! I had no idea!
Re: APT vulnerability
Posted: Wed Jan 23, 2019 11:47 am
by figueroa
So glad to see this activity. I'd just seen the following story in my news feed:
https://www.zdnet.com/article/nasty-sec ... linux-apt/
Re: APT vulnerability
Posted: Wed Jan 23, 2019 1:17 pm
by sdibaja
"...was recently found to have a serious security hole. It's now patched."
...so it was found and patched before we ever heard of it. Thanks Debian!
I wonder, was this ever a real problem, as in did a hacker ever use that hole and do something?
Not just "a proof of concept"