#1 2019-01-23 06:24:26

dashingdon
Member
Registered: 2015-12-09
Posts: 14

[Resolved] Security : APT Vulnerability. Any impact to bunsen ?

https://www.theregister.co.uk/2019/01/2 … ger_flaws/

Thanks in advance.

-dash

Last edited by dashingdon (2019-01-23 07:14:17)

#2 2019-01-23 06:56:03

ohnonot
...again
Registered: 2015-09-29
Posts: 3,419

Thank you for reporting this.

When I saw your source I had a salty comment ready, but this looks legit.

FWIW, it ultimately points to this article: https://justi.cz/security/2019/01/22/apt-rce.html

Back to theregister:

This unfortunately means a man-in-the-middle (MITM) miscreant who was able to intercept and tamper with a victim's network connection could potentially inject a redirect into the HTTP headers to change the URL used to fetch the package.

You decide how real the threat is for you.

Or rather was:

The Debian Project has patched a security flaw in its software manager Apt

#3 2019-01-23 06:58:04

ohnonot
...again
Registered: 2015-09-29
Posts: 3,419

Anyhow, until the fix is installed you should update/grade like this:

$ sudo apt update -o Acquire::http::AllowRedirect=false
$ sudo apt upgrade -o Acquire::http::AllowRedirect=false

#4 2019-01-23 07:01:16

dashingdon
Member
Registered: 2015-12-09
Posts: 14

Thank you ..!!

#5 2019-01-23 07:07:14

Bearded_Blunder
Member
From: Seat: seat0; vc7
Registered: 2015-09-29
Posts: 602

If you're worried, look here https://www.bunsenlabs.org/repositories.html for a discussion of using HTTPS to eliminate the MITM possibility.

However, as the linked article says

Debian has released an update for Apt to address the vulnerability.

So as long as you're up to date you're covered.

ninja'd

Last edited by Bearded_Blunder (2019-01-23 07:09:47)


Blessed is he who expecteth nothing, for he shall not be disappointed...
If there's an obscure or silly way to break it, but you don't know what.. Just ask me

#6 2019-01-23 07:13:44

dashingdon
Member
Registered: 2015-12-09
Posts: 14

Just ran the update. Update pulled

The following packages will be upgraded:
  apt apt-transport-https apt-utils bunsen-keyring libapt-inst2.0 libapt-pkg5.0

Looks like I am set. Thanks for the help. Will mark it as resolved.

#7 2019-01-23 07:23:40

ohnonot
...again
Registered: 2015-09-29
Posts: 3,419

^ gotta love a well-maintained FOSS distro!

#8 2019-01-23 14:51:16

Sector11
Tpyo Knig
From: 77345 ¡#
Registered: 2015-08-20
Posts: 5,217

Then there is this:

The D in SystemD stands for Dammmit... Security holes found in much-adored Linux toolkit


BunsenLabs Forum Rules ---== I'm a Conky 1.9'er ==---
System:    Host: s12 Kernel: 3.16.0-4-amd64 x86_64 (64 bit gcc: 4.8.4)
Desktop: Openbox 3.5.2 dm: (startx) Distro: Debian GNU/Linux 8

#9 2019-01-23 14:58:46

Bearded_Blunder
Member
From: Seat: seat0; vc7
Registered: 2015-09-29
Posts: 602

Well compared to other init systems there's a *lot* of code for there to be errors in, and it's relatively new compared to what it replaced too, less time for said inevitable coding errors to be found, it'll get fixed & it does work.. I just don't like it and don't think I ever will.  But when it's been around as long as sysvinit.. it'll doubtless be at least as secure.

Debian will have patches out for the CVEs real quick if they're true to form, just like they did for APT, probably 3 times faster than say Gentoo, for all buster will have an older major version number.


Blessed is he who expecteth nothing, for he shall not be disappointed...
If there's an obscure or silly way to break it, but you don't know what.. Just ask me

#10 2019-01-23 22:09:02

fnicoli
New Member
Registered: 2019-01-23
Posts: 1

Hi, I'm still using Hydrogen and apt says 1.0.9.8.4 is the newest version for it.

Do I need to upgrade to Helium to get that fix?

#11 2019-01-23 22:36:05

twoion
ほやほや
Registered: 2015-08-10
Posts: 2,324

fnicoli wrote:

Hi, I'm still using Hydrogen and apt says 1.0.9.8.4 is the newest version for it.

Do I need to upgrade to Helium to get that fix?

No, the fixed version there is 1.0.9.8.5 (see https://packages.debian.org/search?suit … words=apt) and it should come through the regular update channels, as all other updates have.


In the green forest, where the thrush sings…
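
The check discussed in posts #3 and #11, as an added example that is not part of the original thread: it compares an apt version against the fixed Hydrogen version quoted above (1.0.9.8.5) and, when the version is older, prints the persistent apt.conf form of the AllowRedirect workaround. The function names and the 99-no-redirect file name are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are illustrative.

# Fixed apt version for Hydrogen, as quoted in post #11. Other releases have
# their own fixed versions; pass the right one as the second argument.
FIXED_HYDROGEN="1.0.9.8.5"

# version_ge A B: succeed when version A >= version B.
version_ge() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --compare-versions "$1" ge "$2"
    else
        # Fallback without dpkg: GNU sort -V only approximates Debian ordering.
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
    fi
}

# apt_status INSTALLED [FIXED]: print "patched" or "unpatched".
apt_status() {
    if version_ge "$1" "${2:-$FIXED_HYDROGEN}"; then
        echo patched
    else
        echo unpatched
    fi
}

# redirect_conf: persistent form of "-o Acquire::http::AllowRedirect=false".
redirect_conf() {
    printf 'Acquire::http::AllowRedirect "false";\n'
}

# check_apt [INSTALLED] [FIXED]: report status; default to the installed apt.
check_apt() {
    installed="${1:-$(dpkg-query -W -f='${Version}' apt 2>/dev/null)}"
    if [ -z "$installed" ]; then
        echo "cannot determine installed apt version" >&2
        return 2
    fi
    status=$(apt_status "$installed" "${2:-$FIXED_HYDROGEN}")
    echo "apt $installed: $status"
    if [ "$status" = unpatched ]; then
        # File name below is hypothetical; any name in apt.conf.d works.
        echo "Until the fix is installed, save this line as"
        echo "/etc/apt/apt.conf.d/99-no-redirect:"
        redirect_conf
    fi
}

check_apt "$@" || true
```

Remove the drop-in file again once the fixed apt package is installed, since some mirrors rely on HTTP redirects.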
