APT security issue

I was just about to ask the same question, and noticed you beat me to it. =)

On the Debian website a vulnerability in apt, DSA-4371, has been found. https://www.debian.org/security/2019/dsa-4371

“To disable redirects in order to prevent exploitation during this upgrade,” the Debian website recommends people to use these commands:

apt -o Acquire::http::AllowRedirect=false update
apt -o Acquire::http::AllowRedirect=false upgrade

My current version of apt is 1.2.29. It seems like this vulnerability has been fixed in apt 1.4.9. I would just like to no longer be vulnerable to this “man-in-the-middle” attack. How should we, as Trisquel users, upgrade apt to no longer be vulnerable?

Is it safe to do the commands above and then just do $sudo apt-get update normally? Or is there a safer way to do so, such as manually downloading the files with wget/curl, verifying the hashes match, and installing them with dpkg -i?

I'm not sure how to go about an apt upgrade on Trisquel in a relatively safe way. Thanks in advance for any advice/instructions. :)

"My current version of apt is 1.2.29. It seems like this vulnerability has been fixed in apt 1.4.9."

That is incorrect. There isn't a single linear path here. Different versions of APT exist within different support distributions and all get updated. For example; see https://usn.ubuntu.com/3863-1/ where it was fixed in 4 different versions of APT:

Ubuntu 18.10
apt - 1.7.0ubuntu0.1
Ubuntu 18.04 LTS
apt - 1.6.6ubuntu0.1
Ubuntu 16.04 LTS
apt - 1.2.29ubuntu0.1
Ubuntu 14.04 LTS
apt - 1.0.1ubuntu2.19

Trisquel 8 is based on 16.04 which is why you see 1.2.29. The version with the fix will also have the version number of 1.2.29, as you can see there.

Also, adding the options to disallow redirects as mentioned on that page completely solves the problem until the updated package is available. So stick them in there and hold on. :)