
Apt vulnerability CVE-2019-3462 #4058

Closed
emkll opened this Issue Jan 23, 2019 · 0 comments

Comments

2 participants
@emkll
Contributor

emkll commented Jan 23, 2019

Description

CVE-2019-3462 remote code execution in apt when following redirects:
https://justi.cz/security/2019/01/22/apt-rce.html

This would allow an adversary to execute arbitrary code on the server by exploiting a vulnerability in apt.

  • For apt served over http, this requires an attacker to either compromise the apt server or be in a privileged network position.

  • For apt served over https, the attacker must compromise the apt server or be in a privileged network position AND have a valid HTTPS certificate.

deb.torproject.org and apt.freedom.press use https, however, archive.ubuntu.com does not.

Existing installs

Existing installs have already been upgraded to the latest version.

New installs

Before running any apt commands, apt should be updated with -o Acquire::http::AllowRedirect=false
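As an added example (not code from the issue or from the SecureDrop project), the shell helpers below apply and check the redirect mitigation on a Debian/Ubuntu host and list which configured repositories are fetched over plain http, the case the issue singles out for archive.ubuntu.com. The drop-in path, the function names and the sample sources.list content are assumptions made for this example.

```bash
#!/usr/bin/env bash
# Added example for the CVE-2019-3462 mitigation; hypothetical helper names.
set -euo pipefail

# Assumed drop-in location; apt reads every file under apt.conf.d.
APT_DROPIN="${APT_DROPIN:-/etc/apt/apt.conf.d/99-disable-redirects}"

# Render the apt.conf fragment that stops apt's http(s) methods following redirects.
render_no_redirect_conf() {
  printf 'Acquire::http::AllowRedirect "false";\n'
  printf 'Acquire::https::AllowRedirect "false";\n'
}

# Write the drop-in (idempotent); writing under /etc/apt needs root.
install_no_redirect_conf() {
  render_no_redirect_conf > "$APT_DROPIN"
}

# Read `apt-config dump` output on stdin; succeed only if http redirects are off.
# Usage: apt-config dump | redirects_disabled
redirects_disabled() {
  grep -E '^Acquire::http::AllowRedirect "(false|0|no|off)";' > /dev/null
}

# Read sources.list text on stdin; print each host that is fetched over plain
# http, i.e. where an on-path attacker alone (no certificate) could exploit the bug.
plain_http_hosts() {
  awk '$1 ~ /^deb(-src)?$/ {
         for (i = 2; i <= NF; i++)
           if ($i ~ /^http:\/\//) {
             sub(/^http:\/\//, "", $i); sub(/\/.*/, "", $i); print $i
           }
       }' | sort -u
}

# Constructed sample sources.list mirroring the repositories named in the issue.
SAMPLE_SOURCES='deb http://archive.ubuntu.com/ubuntu xenial main
deb https://deb.torproject.org/torproject.org xenial main
deb [arch=amd64] https://apt.freedom.press xenial main
# deb http://commented-out.example xenial main'

# Stand-alone demonstration: prints "archive.ubuntu.com".
demo() {
  printf '%s\n' "$SAMPLE_SOURCES" | plain_http_hosts
}
```

Run `install_no_redirect_conf` as root before the first `apt update` on a fresh install, then confirm with `apt-config dump | redirects_disabled && echo ok`.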

@emkll emkll added the security label Jan 23, 2019

@emkll emkll self-assigned this Jan 23, 2019

@eloquence eloquence added this to Near Term Backlog in SecureDrop Team Board Jan 23, 2019

@redshiftzero redshiftzero added this to the 0.11.1 milestone Jan 23, 2019

@redshiftzero redshiftzero referenced this issue Jan 23, 2019

Closed

Release SecureDrop 0.11.1 #4060

13 of 13 tasks complete

@emkll emkll moved this from Near Term Backlog to Ready for review in SecureDrop Team Board Jan 23, 2019

SecureDrop Team Board automation moved this from Ready for review to Done Jan 24, 2019
