Fw: [SECURITY] [DSA 4371-1] apt security update
On Tue, 2019-01-22 at 13:17 +0100, Yves-Alexis Perez wrote:
------------------------------------------------------------------------- Debian Security Advisory DSA-4371-1 security@debian.org https://www.debian.org/security/ Yves-Alexis Perez January 22, 2019 https://www.debian.org/security/faq -------------------------------------------------------------------------
Package : apt CVE ID : CVE-2019-3462
Max Justicz discovered a vulnerability in APT, the high level package manager. The code handling HTTP redirects in the HTTP transport method doesn't properly sanitize fields transmitted over the wire. This vulnerability could be used by an attacker located as a man-in-the-middle between APT and a mirror to inject malicous content in the HTTP connection. This content could then be recognized as a valid package by APT and used later for code execution with root privileges on the target machine. [...]
(This presumably needs to be fixed fairly quickly in PureOS, if only for the PR.) What is the way to expedite this? Best wishes, -- Chris Lamb https://puri.sm
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On Tue, 2019-01-22 at 20:09 +0000, Chris Lamb wrote:
On Tue, 2019-01-22 at 13:17 +0100, Yves-Alexis Perez wrote:
----------------------------------------------------------------- -------- Debian Security Advisory DSA-4371-1 security@debian.org https://www.debian.org/security/ Yves-Alexis Perez January 22, 2019 https://www.debian.org/security/faq ----------------------------------------------------------------- --------
Package : apt CVE ID : CVE-2019-3462
(This presumably needs to be fixed fairly quickly in PureOS, if only for the PR.)
What is the way to expedite this?
I will follow up and see where we are. I do know PureOS folks are aware of this issue.
Best wishes,
Regards, Jeremiah - -- GnuPG key fingerprint; 798D B834 436A 7BE3 8C97 422D 0DC0 6220 5451 931B -----BEGIN PGP SIGNATURE----- iQGzBAEBCgAdFiEEBkkHqXr+u7OUqMKseFgrT+6RsjkFAlxLJUwACgkQeFgrT+6R sjmwUgwAu/lhBzjwKHszhGFfw3ravASX+UkdKLcUKkt8uz1OEMiD60GrcMBVt0V5 oIN+ng7WJ+WtcQHXLe6ADrECtAtwlFJHYKAzIJo6fkC6vhpOBIqj33vmUGI+jEAD vAbCsenol9SQpkvL9TDRJhXV3pQjmP2ybz7Bi6tg2T9yQVNRrnr2eKFfEnxUfsI4 g+/7q66x0m3CnSTvR3EXbF3xD+3gQ3sR0z8It3dIHb7aoEDMvEgWj6uF6HR6mq/q 2iKgcQbSeqh7TDTTljXTk+K5mb9CGAjtUEyz3BK9T48VCSBna8ogZrGuHDV+vqWH DNRhv+nuqIf7BgihDvMGcUAfufZCNb+BpZ+6xNp9jBlRmoeisxoEAwRxpyKH6uqc LdemnjpwWaqlPy5nVXTtVdMT7fAIF8h3j4Xyzav8L4bhNmoquF1q8UuDPQSqj3fB wBcz2PWjtJ3zdtS1Xj5XqXV5R0Nbxns343oIM84ovebqb3n9xsj36uLu4yTOqAMA wm8Yt0NQ =t+et -----END PGP SIGNATURE-----
participants (2)
-
Chris Lamb -
Jeremiah C. Foster