On Thu, Dec 15, 2016 at 09:43:59PM +0100, SZÉPE Viktor wrote:
> Quoting Patrick Schleizer <adrela...@riseup.net>:
>
> >Very short summary of the bug:
> >(my own words) During apt-get upgrading signature verification can be
> >tricked resulting in arbitrary package installation, system compromise.
> >
> >- https://security-tracker.debian.org/tracker/CVE-2016-1252
> >- https://www.debian.org/security/2016/dsa-3733
> >- https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1647467
> >
> >How to upgrade from the insecure apt-get version 1.0.9.8.3 to the
> >patched apt-get version 1.0.9.8.4 without being compromised during that
> >upgrade?
> >
>
> You may download the new package
> http://security.debian.org/debian-security/pool/updates/main/a/apt/apt_1.0.9.8.4_amd64.deb
> (for amd64)

By the command

  wget http://security.debian.org/debian-security/pool/updates/main/a/apt/apt_1.0.9.8.4_amd64.deb

> and check its checksum
> https://packages.debian.org/jessie/amd64/apt/download
>
> $ sha256sum apt_1.0.9.8.4_amd64.deb
>
> f40e51afbbcf2b1e23442c4c3df064a02ddc27bdfbfb155839577dcb1dedb74a

Then the actual install

  sudo dpkg --install apt_1.0.9.8.4_amd64.deb

Which might yield (due to my test on a non-up-to-date system)

(Reading database ... 42686 files and directories currently installed.)
Preparing to replace apt 1.0.9.8.4 (using apt_1.0.9.8.4_amd64.deb) ...
Unpacking replacement apt ...
dpkg: dependency problems prevent configuration of apt:
 apt depends on libapt-pkg4.12 (>= 1.0.9.8.4); however:
  Version of libapt-pkg4.12:amd64 on system is 0.9.7.9+deb7u6.
 apt depends on libc6 (>= 2.15); however:
  Version of libc6:amd64 on system is 2.13-38+deb7u8.
 apt depends on libstdc++6 (>= 4.9); however:
  Version of libstdc++6:amd64 on system is 4.7.2-5.
dpkg: error processing apt (--install):
 dependency problems - leaving unconfigured
Processing triggers for man-db ...
Errors were encountered while processing:
 apt

Greetings
Geert Stappers
-- 
Live and let live
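The download-verify-install sequence discussed in this thread, written up as a small script so that dpkg is only ever handed a .deb whose SHA-256 matches the value taken from packages.debian.org (the checksum quoted above). This is an added example, not code posted by anyone in the thread; the function names are my own, and the only page-specific value it uses is that checksum.

```shell
#!/bin/sh
# Added example: verify a manually downloaded apt .deb against a checksum
# obtained from a trusted source before installing it, so the vulnerable
# apt signature-verification path (CVE-2016-1252) is not relied on for the fix.
set -e

# SHA-256 of apt_1.0.9.8.4_amd64.deb as published on packages.debian.org
# (the value quoted in the thread).
EXPECTED_SHA256="f40e51afbbcf2b1e23442c4c3df064a02ddc27bdfbfb155839577dcb1dedb74a"

# verify_sha256 FILE EXPECTED
# Returns 0 if FILE exists and its SHA-256 equals EXPECTED, 1 otherwise.
verify_sha256() {
    file="$1"
    expected="$2"
    [ -f "$file" ] || return 1
    actual=$(sha256sum "$file" | awk '{print $1}')
    [ "$actual" = "$expected" ]
}

# install_verified_deb FILE EXPECTED
# Refuses to run dpkg at all unless the checksum check passes.
install_verified_deb() {
    if ! verify_sha256 "$1" "$2"; then
        echo "checksum mismatch or missing file: $1 (refusing to install)" >&2
        return 1
    fi
    dpkg --install "$1"
}

# Usage (as root, after fetching the package with wget as shown in the thread):
#   install_verified_deb apt_1.0.9.8.4_amd64.deb "$EXPECTED_SHA256"
```

The dependency errors Geert shows are a separate matter: the checksum check only guarantees you are installing the genuine 1.0.9.8.4 package, not that the target system has the libraries it depends on.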