https://www.theregister.co.uk/2019/01/2 … ger_flaws/
Thanks in advance.
-dash
Last edited by dashingdon (2019-01-23 07:14:17)
Thank you for reporting this.
When I saw your source I had a salty comment ready, but this looks legit.
FWIW, it ultimately points to this article: https://justi.cz/security/2019/01/22/apt-rce.html
Back to theregister:
This unfortunately means a man-in-the-middle (MITM) miscreant who was able to intercept and tamper with a victim's network connection could potentially inject a redirect into the HTTP headers to change the URL used to fetch the package.
You decide how real the threat is for you.
Or rather was:
The Debian Project has patched a security flaw in its software manager Apt
Anyhow, until the fix is installed you should update/upgrade like this:
$ sudo apt update -o Acquire::http::AllowRedirect=false
$ sudo apt upgrade -o Acquire::http::AllowRedirect=false
Thank you ..!!
If you're worried, look here: https://www.bunsenlabs.org/repositories.html for a discussion of using HTTPS to eliminate the MITM possibility.
However, as the linked article says
Debian has released an update for Apt to address the vulnerability.
So as long as you're up to date you're covered.
ninja'd
Last edited by Bearded_Blunder (2019-01-23 07:09:47)
Blessed is he who expecteth nothing, for he shall not be disappointed...
If there's an obscure or silly way to break it, but you don't know what.. Just ask me
Just ran the update. Update pulled
The following packages will be upgraded:
apt apt-transport-https apt-utils bunsen-keyring libapt-inst2.0 libapt-pkg5.0
Looks like I am set. Thanks for the help. Will mark it as resolved.
^ gotta love a well-maintained FOSS distro!
Then there is this:
The D in SystemD stands for Dammmit... Security holes found in much-adored Linux toolkit
Debian 12 Beardog, SoxDog and still a Conky 1.9er
Well, compared to other init systems there's a *lot* of code for there to be errors in, and it's relatively new compared to what it replaced too, so less time for said inevitable coding errors to be found. It'll get fixed & it does work.. I just don't like it and don't think I ever will. But when it's been around as long as sysvinit.. it'll doubtless be at least as secure.
Debian will have patches out for the CVEs real quick if they're true to form, just like they did for APT, probably 3 times faster than say Gentoo, for all buster will have an older major version number.
Blessed is he who expecteth nothing, for he shall not be disappointed...
If there's an obscure or silly way to break it, but you don't know what.. Just ask me
Hi, I'm still using Hydrogen and apt says 1.0.9.8.4 is the newest version for it.
Do I need to upgrade to Helium to get that fix?
Hi, I'm still using Hydrogen and apt says 1.0.9.8.4 is the newest version for it.
Do I need to upgrade to Helium to get that fix?
No, the fixed version there is 1.0.9.8.5 (see https://packages.debian.org/search?suit … words=apt), and it should come through the regular update channels, as all other updates have.
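An added example (my own, not code from the thread, from Debian or from BunsenLabs) that turns the two practical points in this thread into one script: it checks whether the installed apt already carries the fix, and if it does not, prints the redirect-free update/upgrade commands posted above. Assumptions: Hydrogen corresponds to Debian jessie and Helium to stretch; jessie's fixed version 1.0.9.8.5 is the one given above, while stretch's 1.4.9 is taken from Debian's advisory DSA-4371 and is not mentioned anywhere in the thread; the `apt-cache policy apt` output embedded in the script is constructed; and the version comparator is a deliberately simplified stand-in for `dpkg --compare-versions`.

```shell
#!/bin/sh
# Added example, not from the thread: is this box's apt already fixed, and
# if not, update with HTTP redirects disabled (the workaround posted above).

# Compare two dotted versions component by component; true (0) when $1 >= $2.
# Simplified on purpose: epochs, tildes and Debian revisions are not handled.
# On a real Debian host the authoritative check is
#   dpkg --compare-versions "$installed" ge "$fixed"
deb_version_ge() {
    a="$1."; b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; a="${a#*.}"
        y="${b%%.*}"; b="${b#*.}"
        x="${x:-0}"; y="${y:-0}"
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
    done
    return 0   # every component equal
}

# Fixed apt version per release. jessie's 1.0.9.8.5 is the figure quoted in
# the thread; stretch's 1.4.9 is from Debian's advisory DSA-4371 (assumption
# as far as this thread goes). BunsenLabs Hydrogen = jessie, Helium = stretch.
fixed_apt_version() {
    case "$1" in
        jessie|hydrogen) echo 1.0.9.8.5 ;;
        stretch|helium)  echo 1.4.9 ;;
        *) return 1 ;;
    esac
}

# Extract the "Installed:" value from `apt-cache policy apt` text on stdin.
installed_apt_version() {
    sed -n 's/^ *Installed: *//p' | head -n 1
}

# Constructed sample of `apt-cache policy apt` on an unpatched Hydrogen box.
SAMPLE_POLICY='apt:
  Installed: 1.0.9.8.4
  Candidate: 1.0.9.8.5
  Version table:
     1.0.9.8.5 0
        500 http://security.debian.org/ jessie/updates/main amd64 Packages
 *** 1.0.9.8.4 0
        100 /var/lib/dpkg/status'

# Print "fixed" or "vulnerable" for a release codename and policy text.
apt_fix_status() {
    fixed=$(fixed_apt_version "$1") || { echo unknown-release; return 2; }
    inst=$(printf '%s\n' "$2" | installed_apt_version)
    case "$inst" in
        ""|"(none)") echo no-apt; return 2 ;;
    esac
    if deb_version_ge "$inst" "$fixed"; then echo fixed; else echo vulnerable; fi
}

# The workaround from the thread: refuse HTTP redirects while fetching, so a
# man-in-the-middle cannot steer the download with an injected Location
# header. DRY_RUN=1 only prints the commands instead of running them.
safe_apt_upgrade() {
    for action in update upgrade; do
        cmd="apt $action -o Acquire::http::AllowRedirect=false"
        if [ "${DRY_RUN:-0}" = 1 ]; then echo "sudo $cmd"; else sudo $cmd; fi
    done
}

# Offline demo on the constructed sample.
echo "sample Hydrogen box: $(apt_fix_status hydrogen "$SAMPLE_POLICY")"

# Live check when a release codename is given and apt-cache is available.
# Commands are only printed unless you run with DRY_RUN=0.
if [ -n "${1:-}" ] && command -v apt-cache >/dev/null 2>&1; then
    status=$(apt_fix_status "$1" "$(apt-cache policy apt)") || true
    echo "this host ($1): $status"
    if [ "$status" = vulnerable ]; then
        DRY_RUN="${DRY_RUN:-1}"; safe_apt_upgrade
    fi
fi
```

Run it as `sh apt-fix-check.sh hydrogen` on a Hydrogen box (add `DRY_RUN=0` in front to actually run the apt commands); without an argument it only evaluates the constructed sample. The same `Acquire::http::AllowRedirect` option can be made persistent with the line `Acquire::http::AllowRedirect "false";` in a file under /etc/apt/apt.conf.d/, but some mirror services rely on redirects, so once the fixed apt is installed it is better to drop that setting again.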