On Tue, Jan 22, 2019 at 01:44:12PM +0000, Ben Hutchings wrote:
>On Tue, 2019-01-22 at 13:17 +0100, Yves-Alexis Perez wrote:
>> -------------------------------------------------------------------------
>> Debian Security Advisory DSA-4371-1                   secur...@debian.org
>> https://www.debian.org/security/                       Yves-Alexis Perez
>> January 22, 2019                      https://www.debian.org/security/faq
>> -------------------------------------------------------------------------
>>
>> Package        : apt
>> CVE ID         : CVE-2019-3462
>>
>> Max Justicz discovered a vulnerability in APT, the high level package
>> manager. The code handling HTTP redirects in the HTTP transport method
>> doesn't properly sanitize fields transmitted over the wire. This
>> vulnerability could be used by an attacker located as a man-in-the-middle
>> between APT and a mirror to inject malicious content in the HTTP
>> connection. This content could then be recognized as a valid package by
>> APT and used later for code execution with root privileges on the target
>> machine.
>[...]
>
>This presumably needs to be fixed for jessie LTS as well, and I see
>Chris Lamb has claimed it.
>
>However, APT is used during initial installation and we don't have any
>provision for updating installer images during LTS. So we're either
>going to have to revisit that or come up with some kind of workaround
>for installation time.
I can help with new jessie installation images, but it'll need a bit of
prep work. debian-cd doesn't pull from security or lts by default.

-- 
Steve McIntyre, Cambridge, UK.                                st...@einval.com
"Managing a volunteer open source project is a lot like herding kittens,
 except the kittens randomly appear and disappear because they have day
 jobs." -- Matt Mackall