APT security issue

Sasaki
Joined: 08/11/2014

Hello,

How about a fix for that?

https://lists.debian.org/debian-security-announce/2019/msg00010.html

Has it already been published and I missed it?
Is it planned?

Xorux
Joined: 12/14/2017

I was just about to ask the same question, and noticed you beat me to it. =)

On the Debian website a vulnerability in apt, DSA-4371, has been found. https://www.debian.org/security/2019/dsa-4371

“To disable redirects in order to prevent exploitation during this upgrade,” the Debian website recommends that people use these commands:

apt -o Acquire::http::AllowRedirect=false update
apt -o Acquire::http::AllowRedirect=false upgrade

My current version of apt is 1.2.29. It seems like this vulnerability has been fixed in apt 1.4.9. I would just like to no longer be vulnerable to this “man-in-the-middle” attack. How should we, as Trisquel users, upgrade apt to no longer be vulnerable?

Is it safe to do the commands above and then just do $ sudo apt-get update normally? Or is there a safer way to do so, such as manually downloading the files with wget/curl, verifying the hashes match, and installing them with dpkg -i?

I'm not sure how to go about an apt upgrade on Trisquel in a relatively safe way. Thanks in advance for any advice/instructions. :)

jxself
Joined: 09/13/2010

"My current version of apt is 1.2.29. It seems like this vulnerability has been fixed in apt 1.4.9."

That is incorrect. There isn't a single linear path here. Different versions of APT exist within different supported distributions and all get updated. For example, see https://usn.ubuntu.com/3863-1/ where it was fixed in 4 different versions of APT:

Ubuntu 18.10: apt 1.7.0ubuntu0.1
Ubuntu 18.04 LTS: apt 1.6.6ubuntu0.1
Ubuntu 16.04 LTS: apt 1.2.29ubuntu0.1
Ubuntu 14.04 LTS: apt 1.0.1ubuntu2.19

Trisquel 8 is based on 16.04 which is why you see 1.2.29. The version with the fix will also have the version number of 1.2.29, as you can see there.

Also, adding the options to disallow redirects as mentioned on that page completely solves the problem until the updated package is available. So stick them in there and hold on. :)

chaosmonk

Joined: 07/07/2017

> Ubuntu 16.04 LTS
> apt - 1.2.29ubuntu0.1

Can you help me make sure I'm parsing this right? The "ubuntu0.1" in the version number indicates Ubuntu changes to the version from Debian. The version in the Trisquel repo is

$ apt policy apt
apt:
  Installed: 1.2.29+8.0trisquel2

The "8.0trisquel2" indicates Trisquel changes to the upstream version, but the absence of "ubuntu" means that there are no Ubuntu changes to the Debian version. Therefore, we will know that the issue is fixed in Trisquel when we see something resembling

$ apt policy apt
apt:
  Installed: 1.2.29ubuntu0.1+8.0trisquel2

Is that right?
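
The version-string reading in the post above, and jxself's point that there is no single linear version path, can be checked mechanically. The following script is an added example (not code from the thread, from Trisquel or from Ubuntu): it implements dpkg's version ordering rules (epoch, upstream, Debian revision; letters sort before non-letters, `~` before everything) and a separate check for the `ubuntuN.N` security-revision marker. The `has_fix` function and the `ubuntu`/`trisquel` suffix pattern are this example's own assumptions about how the derived versions are named, taken from the strings quoted in the thread. The second result is the caveat worth knowing: by dpkg ordering, `1.2.29+8.0trisquel2` sorts *above* `1.2.29ubuntu0.1`, so a plain "installed >= fixed" comparison would wrongly report the unpatched Trisquel package as newer than the Ubuntu fix; only the presence of the `ubuntu0.1` component tells you the fix was merged.

```python
import re

# ---- dpkg version ordering (verrevcmp), reimplemented here for illustration ----

def _isdigit(c):
    return "0" <= c <= "9"

def _isalpha(c):
    return ("a" <= c <= "z") or ("A" <= c <= "Z")

def _order(c):
    """Weight of one character: digits 0, letters their code, '~' below all,
    anything else above all letters, end-of-string 0."""
    if c == "":
        return 0
    if _isdigit(c):
        return 0
    if _isalpha(c):
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256

def _verrevcmp(a, b):
    """Compare one upstream-version or revision string the way dpkg does:
    alternate non-digit runs (lexical with _order) and numeric runs."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not _isdigit(a[i])) or (j < len(b) and not _isdigit(b[j])):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while i < len(a) and a[i] == "0":      # leading zeros are insignificant
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and _isdigit(a[i]) and j < len(b) and _isdigit(b[j]):
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and _isdigit(a[i]):      # longer numeric run wins
            return 1
        if j < len(b) and _isdigit(b[j]):
            return -1
        if first_diff:
            return first_diff
    return 0

def parse_version(v):
    """Split '[epoch:]upstream[-revision]' into its three parts."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    upstream, sep, revision = v.rpartition("-")
    if not sep:
        upstream, revision = v, ""
    return epoch, upstream, revision

def compare_versions(a, b):
    """Return -1, 0 or 1 like `dpkg --compare-versions` ordering."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return (ea > eb) - (ea < eb)
    r = _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (r > 0) - (r < 0)

# ---- the marker check from the thread (assumed naming: base[ubuntuX.Y][+N.MtrisquelK]) ----

_SUFFIX = re.compile(r"([0-9][0-9.]*)(ubuntu[0-9.]+)?(\+[0-9.]*trisquel[0-9]+)?")

def split_components(v):
    """('1.2.29', 'ubuntu0.1', '+8.0trisquel2') for the string chaosmonk expects."""
    m = _SUFFIX.fullmatch(v)
    return m.groups() if m else None

def has_fix(installed, fixed_ubuntu_version):
    """True when `installed` carries the same Debian base as the Ubuntu security
    upload and an ubuntu revision at least as new as the one that fixed it."""
    inst = split_components(installed)
    fix = split_components(fixed_ubuntu_version)
    if not inst or not fix or inst[0] != fix[0] or inst[1] is None or fix[1] is None:
        return False
    return compare_versions(inst[1][len("ubuntu"):], fix[1][len("ubuntu"):]) >= 0

if __name__ == "__main__":
    # Versions quoted in the thread (USN-3863-1 and `apt policy apt` on Trisquel 8).
    print(compare_versions("1.2.29ubuntu0.1", "1.2.29+8.0trisquel2"))  # -1: ordering alone misleads
    print(has_fix("1.2.29+8.0trisquel2", "1.2.29ubuntu0.1"))           # False
    print(has_fix("1.2.29ubuntu0.1+8.0trisquel2", "1.2.29ubuntu0.1"))  # True
```

Running it against a live system would mean feeding `dpkg-query -W -f '${Version}' apt` into `has_fix`; the point of the script is that the check has to look for the merged Ubuntu revision, not merely at whether the version number "looks newer".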

Magic Banana

Joined: 07/24/2010

I believe you are right. Version 1.2.29ubuntu0.1 was published on 2019-01-22: https://launchpad.net/ubuntu/+source/apt/1.2.29ubuntu0.1

Taking a look at /var/log/apt/history.log and /var/log/apt/history.log.1.gz, I see no update of the apt package since then.

jxself
Joined: 09/13/2010

"Therefore, we will know that the issue is fixed in Trisquel when we see something resembling"

I think you're right, and in the meantime concerned persons can just tell their package manager to not follow redirects.