security: apt redirect bug
Stephen Partington
cryptworks at gmail.com
Wed Jan 23 10:21:25 MST 2019
Anyone know if Ubuntu has this update in place?
On Tue, Jan 22, 2019 at 10:32 PM Herminio Hernandez, Jr. <
herminio.hernandezjr at gmail.com> wrote:
> Thanks Hans!
>
> On Tue, Jan 22, 2019 at 10:08 PM der.hans <PLUGd at lufthans.com> wrote:
>
>> moin moin,
>>
>> a security flaw was discovered in apt that allows a remote
>> man-in-the-middle attacker to inject a malicious package that will be
>> installed by root.
>>
>> Use '-o Acquire::http::AllowRedirect=false' option for apt tools to
>> disable the redirect that's vulnerable in order to install the updates.
>>
>> Also, use upgrade rather than dist-upgrade or full-upgrade for now to
>> prevent installation of packages that aren't already installed.
>>
>> In fact, perhaps look at the upgrade list and specifically install the apt
>> packages from it.
>>
>> Disabling AllowRedirect has been working for me with both Debian and
>> Ubuntu.
>>
>> --
>> apt -o Acquire::http::AllowRedirect=false update
>> apt -o Acquire::http::AllowRedirect=false upgrade
>> --
>>
>> https://lists.debian.org/debian-security-announce/2019/msg00010.html
>>
>> ciao,
>>
>> der.hans
>> --
>> # https://www.LuftHans.com https://www.PhxLinux.org
>> # ... All true wisdom is found on T-shirts.
>> ---------------------------------------------------
>> PLUG-discuss mailing list - PLUG-discuss at lists.phxlinux.org
>> To subscribe, unsubscribe, or to change your mail settings:
>> https://lists.phxlinux.org/mailman/listinfo/plug-discuss
--
A mouse trap, placed on top of your alarm clock, will prevent you from
rolling over and going back to sleep after you hit the snooze button.
Stephen
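
The procedure der.hans describes in the quoted message (update with redirects disabled, read the upgrade list, install only the apt packages from it), as an added example that is not part of the original thread. The function names, the package-name pattern and the sample listing are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): upgrade apt itself first, with HTTP
# redirects disabled on every network-facing apt call.
APT_OPTS="-o Acquire::http::AllowRedirect=false"

# Read `apt list --upgradable` output on stdin and print the names of pending
# upgrades that belong to apt. Assumption: "apt", "apt-*" and "libapt-*" are
# the names of interest; adjust the pattern for your release.
select_apt_packages() {
    awk -F/ '
        /^Listing/ { next }    # header line printed by apt list
        NF < 2     { next }    # not a "name/suite version arch" line
        $1 ~ /^(apt|apt-.*|libapt-.*)$/ { print $1 }
    '
}

# Constructed sample of `apt list --upgradable` output (versions are made up).
sample_upgradable() {
    cat <<'EOF'
Listing...
apt/stable 2.0-example amd64 [upgradable from: 1.0-example]
apt-utils/stable 2.0-example amd64 [upgradable from: 1.0-example]
aptitude/stable 2.0-example amd64 [upgradable from: 1.0-example]
bash/stable 2.0-example amd64 [upgradable from: 1.0-example]
libapt-pkg5.0/stable 2.0-example amd64 [upgradable from: 1.0-example]
EOF
}

# Refresh the package lists, then install only the pending apt packages.
# --only-upgrade skips any named package that is not already installed.
upgrade_apt_first() {
    apt-get $APT_OPTS update || return 1
    pkgs=$(apt list --upgradable 2>/dev/null | select_apt_packages)
    if [ -z "$pkgs" ]; then
        echo "no apt packages pending"
        return 0
    fi
    echo "upgrading:" $pkgs
    apt-get $APT_OPTS install --only-upgrade $pkgs
}

# Touch the system only when asked to: sh apt-first.sh --run (as root)
if [ "${1:-}" = "--run" ]; then
    upgrade_apt_first
fi
```

Once the apt packages are upgraded, the remaining updates can follow with the same option on `upgrade`, as in the quoted commands.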