[PureOS] Fw: [SECURITY] [DSA 4371-1] apt security update
Chris Lamb
chris.lamb at puri.sm
Tue Jan 22 12:09:49 PST 2019
On Tue, 2019-01-22 at 13:17 +0100, Yves-Alexis Perez wrote:
> -------------------------------------------------------------------------
> Debian Security Advisory DSA-4371-1 security at debian.org
> https://www.debian.org/security/ Yves-Alexis Perez
> January 22, 2019 https://www.debian.org/security/faq
> -------------------------------------------------------------------------
>
> Package : apt
> CVE ID : CVE-2019-3462
>
> Max Justicz discovered a vulnerability in APT, the high level package manager.
> The code handling HTTP redirects in the HTTP transport method doesn't properly
> sanitize fields transmitted over the wire. This vulnerability could be used by
> an attacker located as a man-in-the-middle between APT and a mirror to inject
> malicious content in the HTTP connection. This content could then be recognized
> as a valid package by APT and used later for code execution with root
> privileges on the target machine.
> [...]
(This presumably needs to be fixed fairly quickly in PureOS, if only
for the PR.)
What is the way to expedite this?
Best wishes,
--
Chris Lamb
https://puri.sm