On Tue, 2019-01-22 at 13:17 +0100, Yves-Alexis Perez wrote:

---

Debian Security Advisory DSA-4371-1 security@debian.org https://www.debian.org/security/ Yves-Alexis Perez January 22, 2019 https://www.debian.org/security/faq

---

Package : apt CVE ID : CVE-2019-3462

Max Justicz discovered a vulnerability in APT, the high level package manager. The code handling HTTP redirects in the HTTP transport method doesn't properly sanitize fields transmitted over the wire. This vulnerability could be used by an attacker located as a man-in-the-middle between APT and a mirror to inject malicous content in the HTTP connection. This content could then be recognized as a valid package by APT and used later for code execution with root privileges on the target machine. [...]

(This presumably needs to be fixed fairly quickly in PureOS, if only for the PR.)

What is the way to expedite this?

Best wishes,