Re: Re: [SECURITY] [DSA 4371-1] apt security update

2019-01-25 Thread Yves-Alexis Perez
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On Thu, 2019-01-24 at 23:37 +0100, Edgar Remmel wrote:
> Thanks a lot Yves-Alexis for reply and advice!
> 
> > Also it's likely that
> > you need to ask this to Raspbian, not Debian.
> 
> Please give me a 2nd try on this list. If it becomes obvious that it is
> a problem of Raspbian I will change to them.

It's not a Raspbian “problem”, but yes, you're using Raspbian packages and
mirrors, not Debian's.
> 
> But with "sudo apt -o Acquire::http::AllowRedirect=false upgrade"
> I always got the following error messages after I confirmed the install:
> 
> Err:1 http://raspbian.raspberrypi.org/raspbian stretch/main armhf libapt-pkg5.0 armhf 1.4.9
>   302  Found [IP: 93.93.128.193 80]

Yes, 302 is an HTTP redirect code, and you asked apt to refuse redirects (in
order to prevent exploitation by an attacker). That's why it fails.
> 
> Besides according to your recommendation I tried this too:
> 
> deb http://cdn-fastly.deb.debian.org/debian-security stable/updates main
> in /etc/apt/sources.list.

That's actually a bad idea, I think. Raspbian rebuilds packages for a different
architecture: Raspbian armhf is not Debian armhf, so it's not guaranteed to
work on any Raspberry Pi. Also don't try to upgrade using packages downloaded
from Debian; you really need to go to Raspbian for that.
> 
> But running an update command an error showed up that the key doesn't
> match, so this failed too.
> 
> So please let me know - what is your conclusion?
> 
> It's a question for Raspbian - and I should ask there now?

Yes, please contact them. I'm unsure if they published an advisory or
something though.

Regards,
- -- 
Yves-Alexis
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEE8vi34Qgfo83x35gF3rYcyPpXRFsFAlxK2m0ACgkQ3rYcyPpX
RFtxdQf9GgPNtgvcBHsoZyYMVlR6AdG/xyvPhJwUcU+Nre6ME7+MnfMsdm5guGXc
aEWfaSSWaKh1A2Cb1bjkboYqLNMbXNVuK7ZPzisYLYuNwwROjZiDVZckBW6g36SC
bNumfcPzE6FkW8jFnJWtw/6KNUJkBd4b2Akjydl/Fd2uWFkXiLBXXhfQXKsAs7s2
CyWeggrlZIPsiHAh/FqSt82D4w3jXw+3oYkbuIDIz08GsMhtEuUmsCyw1tmZg0MH
Kc1Vda07myBydcYKt7K0r0TGrQJwmOidwlldvgVyxiAax1qMWvpIE6/6wlwllQLM
uoY2AcZAKU4+RZ6vIyGmRo6CwGB+Ag==
=qOcn
-----END PGP SIGNATURE-----

Re: Re: [SECURITY] [DSA 4371-1] apt security update

2019-01-24 Thread Edgar Remmel
Thanks a lot Yves-Alexis for reply and advice!

> Also it's likely that
> you need to ask this to Raspbian, not Debian.

Please give me a 2nd try on this list. If it becomes obvious that it is
a problem of Raspbian I will change to them.

> It would help to paste the exact error messages.

The command "sudo apt -o Acquire::http::AllowRedirect=false update" ran
fine.
With "apt list --upgradable" these 5 packages are displayed:

apt/stable 1.4.9 armhf [upgradable from: 1.4.8]
apt-transport-https/stable 1.4.9 armhf [upgradable from: 1.4.8]
apt-utils/stable 1.4.9 armhf [upgradable from: 1.4.8]
libapt-inst2.0/stable 1.4.9 armhf [upgradable from: 1.4.8]
libapt-pkg5.0/stable 1.4.9 armhf [upgradable from: 1.4.8]

But with "sudo apt -o Acquire::http::AllowRedirect=false upgrade"
I always got the following error messages after I confirmed the install:

Err:1 http://raspbian.raspberrypi.org/raspbian stretch/main armhf libapt-pkg5.0 armhf 1.4.9
  302  Found [IP: 93.93.128.193 80]
Err:2 http://raspbian.raspberrypi.org/raspbian stretch/main armhf libapt-inst2.0 armhf 1.4.9
  302  Found [IP: 93.93.128.193 80]
Err:3 http://raspbian.raspberrypi.org/raspbian stretch/main armhf apt armhf 1.4.9
  302  Found [IP: 93.93.128.193 80]
Err:4 http://raspbian.raspberrypi.org/raspbian stretch/main armhf apt-utils armhf 1.4.9
  302  Found [IP: 93.93.128.193 80]
Err:5 http://raspbian.raspberrypi.org/raspbian stretch/main armhf apt-transport-https armhf 1.4.9
  302  Found [IP: 93.93.128.193 80]
E: Failed to fetch http://raspbian.raspberrypi.org/raspbian/pool/main/a/apt/libapt-pkg5.0_1.4.9_armhf.deb  302  Found [IP: 93.93.128.193 80]
E: Failed to fetch http://raspbian.raspberrypi.org/raspbian/pool/main/a/apt/libapt-inst2.0_1.4.9_armhf.deb  302  Found [IP: 93.93.128.193 80]
E: Failed to fetch http://raspbian.raspberrypi.org/raspbian/pool/main/a/apt/apt_1.4.9_armhf.deb  302  Found [IP: 93.93.128.193 80]
E: Failed to fetch http://raspbian.raspberrypi.org/raspbian/pool/main/a/apt/apt-utils_1.4.9_armhf.deb  302  Found [IP: 93.93.128.193 80]
E: Failed to fetch http://raspbian.raspberrypi.org/raspbian/pool/main/a/apt/apt-transport-https_1.4.9_armhf.deb  302  Found [IP: 93.93.128.193 80]
E: Unable to fetch some archives, maybe run apt-get update or try with --fix-missing?

I tried to use a command with --fix-missing but this didn't work. Maybe
I used the wrong syntax.

> Can you provide the links you used and the hash it gives you locally?

This was a second problem when I tried to solve it by manual
installation. For the downloads I used the links you have posted and
found some mismatched hashes in these files:

apt-dbgsym_1.4.9_armhf.deb
Local Hash =
734604633a87aac1b6bdf1ded6ed9a398122be8654690e6acc9a195c3d6dab14

apt-utils-dbgsym_1.4.9_armhf.deb
Local Hash =
42b07cdf359a7dcca06533bb3672039b62cd850a3f65d63f9a92ed6ed20537f1

libapt-inst2.0-dbgsym_1.4.9_armhf.deb
Local Hash =
35044d57c7832041eb212fdab5893dc168b25ab4f7f6f50e00a471ac9f7213dc

libapt-pkg5.0-dbgsym_1.4.9_armhf.deb
Local Hash =
d4e59e53e471b11c2bcd1ecf39f71bb50214b97ba492ba7b767301816266ce37

But meanwhile I see that I don't need those files because they are
obviously not displayed by "apt list --upgradable".
And the hashes for the 5 needed packages seem to match.

> Try dpkg -l |grep apt

dpkg --list |grep apt worked for me.

That's the result:

ii  apt                   1.4.8              armhf  commandline package manager
ii  apt-listchanges       3.10               all    package change history notification tool
ii  apt-transport-https   1.4.8              armhf  https download transport for APT
ii  apt-utils             1.4.8              armhf  package management related utility programs
ii  aptitude              0.8.7-1            armhf  terminal-based package manager
ii  aptitude-common       0.8.7-1            all    architecture independent files for the aptitude package manager
ii  firmware-realtek      1:20161130-3+rpt4  all    Binary firmware for Realtek wired/wifi/BT adapters
ii  libapt-inst2.0:armhf  1.4.8              armhf  deb package format runtime library
ii  libapt-pkg5.0:armhf   1.4.8              armhf  package management runtime library
ii  python-apt-common     1.1.0~beta5        all    Python interface to libapt-pkg (locales)
ii  python3-apt           1.1.0~beta5        armhf

Besides according to your recommendation I tried this too:

deb http://cdn-fastly.deb.debian.org/debian-security stable/updates main
in /etc/apt/sources.list.

But running an update command an error showed up that the key doesn't
match, so this failed too.

So please let me know - what is your conclusion?

It's a question for Raspbian - and I should ask there now?
Or can I install the 5 upgrade files quoted above manually without
greater dan

Re: [SECURITY] [DSA 4371-1] apt security update

2019-01-24 Thread Yves-Alexis Perez
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On Thu, 2019-01-24 at 15:08 +0100, Edgar Remmel wrote:
> Hello,

Hi Edgar,

adding the debian-security mailing list since it's the proper place to ask about
this.
> 
> the above security update was linked by a security forum.
> 
> While the commands worked fine for my Linux system, the upgrade command
> failed on my Raspberry Pi 3 (OS Raspbian Lite based on Stretch stable)
> because it was unable to find the packages.

It would help to paste the exact error messages. But it's likely that your
sources use redirects and are thus broken by the option. Also it's likely that
you need to ask this to Raspbian, not Debian.
> 
> I downloaded the 11 files for armhf architecture to install them
> manually. But surprisingly for 4 files the hashes don't match:
> 
> apt-dbgsym_1.4.9_armhf.deb
> 
> apt-utils-dbgsym_1.4.9_armhf.deb
> 
> libapt-inst2.0-dbgsym_1.4.9_armhf.deb
> 
> libapt-pkg5.0-dbgsym_1.4.9_armhf.deb

Can you provide the links you used and the hash it gives you locally? My
feeling is that you are trying to download Raspbian packages, which have been
rebuilt, and thus you need to look at a Raspbian advisory.
> 
> Can I install the architecture-independent files instead, and do I need
> the source archives for the installation to work correctly?
> possbl

You only need the updated version of the packages you already have. Try
dpkg -l |grep apt to get that list.

Regards,
- -- 
Yves-Alexis
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEE8vi34Qgfo83x35gF3rYcyPpXRFsFAlxJzc0ACgkQ3rYcyPpX
RFuJ9Qf+JL5i3rpshbjA0qPkEK2sI+E2h3jlXQv71gbkxJL9TRIRN+gyvgnMjF6o
Lg8IcOuebNlBf3mvMwpW++5fF5Mjrar3/BRXv/LvE+kww2tpvxdu8qb/XVAJ5WpZ
MWfbyHLOqcrB9GWuk5llFpMbLM8Ay+tL7WQI7b8ulLUgocf6CuxwPOA+f8r2jJHv
nvEtTn0sg99gIjB7xsOMBwgezX4PPMO4AZuop4j7qWD3xqmgkc9TT/NoZeM3FufG
/fA86k76LeatCxWkqahMV+K1i6dm9v6CkPOrWGyaSVYBi12/psJPo5q1MKeoO1qk
00Bzx7psFdl5n6DABCOIcuhatsRoJA==
=RCyT
-----END PGP SIGNATURE-----
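The hash check that both of the messages above revolve around (comparing the locally computed SHA256 of each downloaded .deb against the published one before installing it by hand), as an added example that is not part of this thread and not apt's or dpkg's own code. It is a POSIX shell helper that reads a list in sha256sum format, one "<sha256>  <filename>" line per package, which is the form the hashes in a DSA advisory can be pasted into, and refuses to hand anything to dpkg -i while any file is missing or mismatched. The two "package" files and the checksum list below are constructed for the demonstration and are not the real Debian or Raspbian artefacts; the helper assumes sha256sum, cut and mktemp from coreutils and that package file names contain no spaces.

```shell
#!/bin/sh
# Added example (not from the thread): verify downloaded .deb files against a
# SHA256 list before handing them to dpkg -i. Assumes coreutils sha256sum,
# cut and mktemp.

# verify_debs CHECKSUM_FILE DIR
# CHECKSUM_FILE holds one "<sha256>  <filename>" line per package (sha256sum
# format). Prints one status line per entry and returns the number of entries
# that are missing or whose hash does not match (0 means everything checked out).
verify_debs() {
    checksums="$1"
    dir="$2"
    bad=0
    while read -r expected name; do
        [ -z "$expected" ] && continue          # skip blank lines
        path="$dir/$name"
        if [ ! -f "$path" ]; then
            echo "MISSING  $name"
            bad=$((bad + 1))
            continue
        fi
        actual=$(sha256sum "$path" | cut -d' ' -f1)
        if [ "$actual" = "$expected" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name"
            echo "         expected $expected"
            echo "         got      $actual"
            bad=$((bad + 1))
        fi
    done < "$checksums"
    return "$bad"
}

# install_verified CHECKSUM_FILE DIR
# Runs dpkg -i on the listed files only if every one of them verified; a single
# bad entry installs nothing. (Not executed by the demo below.)
install_verified() {
    verify_debs "$1" "$2" || {
        echo "refusing to install: $? entries failed verification" >&2
        return 1
    }
    # Third whitespace-separated field of each line is the file name.
    (cd "$2" && dpkg -i $(cut -d' ' -f3 "$1"))
}

# make_sample: build a constructed directory with two fake "packages" and a
# checksum list whose entries are, in order: correct, deliberately wrong, and
# for a file that was never downloaded. Prints the directory path.
make_sample() {
    dir=$(mktemp -d)
    printf 'constructed contents of package A\n' > "$dir/apt_1.4.9_armhf.deb"
    printf 'constructed contents of package B\n' > "$dir/apt-utils_1.4.9_armhf.deb"
    good=$(sha256sum "$dir/apt_1.4.9_armhf.deb" | cut -d' ' -f1)
    {
        echo "$good  apt_1.4.9_armhf.deb"
        echo "0000000000000000000000000000000000000000000000000000000000000000  apt-utils_1.4.9_armhf.deb"
        echo "1111111111111111111111111111111111111111111111111111111111111111  libapt-pkg5.0_1.4.9_armhf.deb"
    } > "$dir/SHA256SUMS"
    echo "$dir"
}

# Demo: run the check over the constructed sample (1 OK, 1 MISMATCH, 1 MISSING).
sample=$(make_sample)
verify_debs "$sample/SHA256SUMS" "$sample" || echo "verification failed: $? entries not OK" >&2
rm -rf "$sample"
```

A mismatch like the ones reported in the thread is what the MISMATCH branch surfaces; the usual benign cause is a list of hashes published for one rebuild of the package (Debian's) being checked against files from another (Raspbian's), and the right response is to fetch the list that belongs to the repository the files actually came from rather than to install anyway.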