Heads up: Debian's package manager is APT for root-level malware injection...

Message boards : Number crunching : Heads up: Debian's package manager is APT for root-level malware injection...
Message board moderation

To post messages, you must log in.

AuthorMessage
J. Mileski
Volunteer tester
Avatar

Send message
Joined: 9 Jun 02
Posts: 611
Credit: 156,586,576
RAC: 7,903
United States
Message 1976521 - Posted: 23 Jan 2019, 1:06:59 UTC

Disable redirects before applying update

$ sudo apt update -o Acquire::http::AllowRedirect=false
$ sudo apt upgrade -o Acquire::http::AllowRedirect=false


The Debian Project has patched a security flaw in its software manager Apt that can be exploited by network snoops to execute commands as root on victims' boxes as they update or install packages.

The Linux distro's curators have pushed out an fix to address CVE-2019-3462, a vulnerability uncovered and reported by researcher Max Justicz.

The flaw is related to the way Apt and apt-get handle HTTP redirects when downloading packages. Apt fetches packages over plain-old HTTP, rather than a more secure HTTPS connection, and uses cryptographic signatures to check whether the downloaded contents are legit and haven't been tampered with.
ID: 1976521 · Report as offensive
Profile Keith Myers Special Project $250 donor
Volunteer tester
Avatar

Send message
Joined: 29 Apr 01
Posts: 9832
Credit: 921,768,312
RAC: 1,525,036
United States
Message 1976526 - Posted: 23 Jan 2019, 1:26:39 UTC

Already received an update for that CVE on Ubuntu 18.04 LTS today.
Seti@Home classic workunits:20,676 CPU time:74,226 hours
ID: 1976526 · Report as offensive

Message boards : Number crunching : Heads up: Debian's package manager is APT for root-level malware injection...


 
©2019 University of California
 
SETI@home and Astropulse are funded by grants from the National Science Foundation, NASA, and donations from SETI@home volunteers. AstroPulse is funded in part by the NSF through grant AST-0307956.