ESB-2019.0182 - ALERT [UNIX/Linux][Debian] apt: Root compromise - Remote/unauthenticated 2019-01-23


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.0182
                            apt security update
                              23 January 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           apt
Publisher:         Debian
Operating System:  Debian GNU/Linux
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Root Compromise                -- Remote/Unauthenticated
                   Access Privileged Data         -- Remote/Unauthenticated
                   Provide Misleading Information -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-3462  

Original Bulletin: 
   http://www.debian.org/security/2019/dsa-4371

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Debian. It is recommended that administrators 
         running apt check for an updated version of the software for their 
         operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-4371-1                   security@debian.org
https://www.debian.org/security/                        Yves-Alexis Perez
January 22, 2019                      https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : apt
CVE ID         : CVE-2019-3462

Max Justicz discovered a vulnerability in APT, the high-level package manager.
The code handling HTTP redirects in the HTTP transport method doesn't properly
sanitize fields transmitted over the wire. This vulnerability could be used by
an attacker located as a man-in-the-middle between APT and a mirror to inject
malicious content into the HTTP connection. This content could then be recognized
as a valid package by APT and used later for code execution with root
privileges on the target machine.

Since the vulnerability is present in the package manager itself, it is
recommended to disable redirects, for this upgrade only, in order to prevent
exploitation while the fix is being installed, using:

 apt -o Acquire::http::AllowRedirect=false update
 apt -o Acquire::http::AllowRedirect=false upgrade

This is known to break some proxies when used against security.debian.org. If
that happens, people can switch their security APT source to use:

 deb http://cdn-fastly.deb.debian.org/debian-security stable/updates main

For the stable distribution (stretch), this problem has been fixed in
version 1.4.9.

We recommend that you upgrade your apt packages.

Specific upgrade instructions:

If upgrading using APT without redirects is not possible in your situation, you
can manually download the files (using wget/curl) for your architecture using
the URLs provided below, verifying that the sizes and hashes match. Then you can
install them using dpkg -i.
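The manual path above (download, compare size and SHA-256 against the advisory, then dpkg -i) is easy to get wrong by eyeballing a 64-character digest. The following POSIX shell script is an added example, not part of the Debian advisory or of AusCERT's text: it fetches a file with redirects disabled, checks both the byte count and the SHA-256 against the values copied from the listing that follows, and only reports OK when both match. The file names, sizes and digests in the usage comment are the stretch amd64 entries from this advisory; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the Debian advisory): verify a manually downloaded
# .deb against the Size/SHA256 pair published in the advisory before handing
# it to dpkg -i. Verification works on any local file; only the download
# helper needs network access.

# Print the SHA-256 hex digest of a file, using sha256sum (coreutils) or
# shasum (BSD/macOS), whichever is available.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_deb SIZE SHA256 FILE
# Returns 0 only when both the byte count and the digest equal the values
# copied from the advisory. The size is checked first: it is cheap, and a
# mismatch there almost always means a truncated or substituted download.
verify_deb() {
    expected_size=$1
    expected_sha=$2
    file=$3
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    actual_size=$(wc -c < "$file" | tr -d ' ')
    if [ "$actual_size" != "$expected_size" ]; then
        echo "SIZE MISMATCH $file: got $actual_size, expected $expected_size" >&2
        return 1
    fi
    actual_sha=$(sha256_of "$file")
    if [ "$actual_sha" != "$expected_sha" ]; then
        echo "SHA256 MISMATCH $file: got $actual_sha, expected $expected_sha" >&2
        return 1
    fi
    echo "OK $file ($actual_size bytes, sha256 matches)"
    return 0
}

# fetch_and_verify URL SIZE SHA256
# Downloads into the current directory with redirects disabled (curl is run
# without -L; wget with --max-redirect=0), matching the advisory's advice not
# to follow redirects while the fix is being installed, then verifies.
fetch_and_verify() {
    url=$1
    out=$(basename "$url")
    if command -v curl >/dev/null 2>&1; then
        curl -fsS -o "$out" "$url" || return 1
    else
        wget -q --max-redirect=0 -O "$out" "$url" || return 1
    fi
    verify_deb "$2" "$3" "$out"
}

# Usage (stretch amd64 values from the listing below; run the dpkg step as root):
#   fetch_and_verify http://security.debian.org/pool/updates/main/a/apt/libapt-pkg5.0_1.4.9_amd64.deb \
#       916448 03281e3d1382826d5989c12c77a9b27f5f752b0f6aa28b524a2df193f7296e0b \
#   && fetch_and_verify http://security.debian.org/pool/updates/main/a/apt/apt_1.4.9_amd64.deb \
#       1231594 dddf4ff686845b82c6c778a70f1f607d0bb9f8aa43f2fb7983db4ff1a55f5fae \
#   && dpkg -i libapt-pkg5.0_1.4.9_amd64.deb apt_1.4.9_amd64.deb
```

Install libapt-pkg5.0 together with apt (one dpkg -i invocation) since the new apt binary depends on the matching library; the other packages in the listing are only needed if they are already installed on the host.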

Source archives:

http://security.debian.org/pool/updates/main/a/apt/apt_1.4.9.dsc
	Size/SHA256 checksum:	2549	986d98b00caac809341f65acb3d14321d645ce8e87e411c26c66bf149a10dfea
http://security.debian.org/pool/updates/main/a/apt/apt_1.4.9.tar.xz
	Size/SHA256 checksum:	2079572	d4d65e7c84da86f3e6dcc933bba46a08db429c9d933b667c864f5c0e880bac0d

Architecture independent files:

http://security.debian.org/pool/updates/main/a/apt/apt-doc_1.4.9_all.deb
	Size/SHA256 checksum:	365094	8880640591f64ab7b798f0421d18cba618512ca61ed7c44fbbbb6140423551d5
http://security.debian.org/pool/updates/main/a/apt/libapt-pkg-doc_1.4.9_all.deb
	Size/SHA256 checksum:	1004234	42f4c5945c4c471c3985db1cec7adcac516cc21a497a438f3ea0a2bfa7ffe036

amd64 architecture:

http://security.debian.org/pool/updates/main/a/apt/apt-dbgsym_1.4.9_amd64.deb
	Size/SHA256 checksum:	4450936	1da507155c7b1ad140739c62fdacceaf5b5ee3765b1a00c3a3527d9d82a8d533
http://security.debian.org/pool/updates/main/a/apt/apt-transport-https-dbgsym_1.4.9_amd64.deb
	Size/SHA256 checksum:	292612	59f3e1c91664fe3b47048794560ebe9c41f1eeccbdd95f7715282f8cbe449060
http://security.debian.org/pool/updates/main/a/apt/apt-transport-https_1.4.9_amd64.deb
	Size/SHA256 checksum:	170820	c8c4366d1912ff8223615891397a78b44f313b0a2f15a970a82abe48460490cb
http://security.debian.org/pool/updates/main/a/apt/apt-utils-dbgsym_1.4.9_amd64.deb
	Size/SHA256 checksum:	1289344	e3e157c291b05b2899a545331c7597ab36ca04e02cd9010562b9985b76af60db
http://security.debian.org/pool/updates/main/a/apt/apt-utils_1.4.9_amd64.deb
	Size/SHA256 checksum:	409958	fb227d1c4615197a6263e7312851ac3601d946221cfd85f20427a15ab9658d15
http://security.debian.org/pool/updates/main/a/apt/apt_1.4.9_amd64.deb
	Size/SHA256 checksum:	1231594	dddf4ff686845b82c6c778a70f1f607d0bb9f8aa43f2fb7983db4ff1a55f5fae
http://security.debian.org/pool/updates/main/a/apt/libapt-inst2.0-dbgsym_1.4.9_amd64.deb
	Size/SHA256 checksum:	221646	0e66db1f74827f06c55ac36cc961e932cd0a9a6efab91b7d1159658bab5f533e
http://security.debian.org/pool/updates/main/a/apt/libapt-inst2.0_1.4.9_amd64.deb
	Size/SHA256 checksum:	192382	a099c57d20b3e55d224433b7a1ee972f6fdb79911322882d6e6f6a383862a57d
http://security.debian.org/pool/updates/main/a/apt/libapt-pkg-dev_1.4.9_amd64.deb
	Size/SHA256 checksum:	235220	cfb0a03ecd22aba066d97e75d4d00d791c7a3aceb2e5ec4fbee7176389717404
http://security.debian.org/pool/updates/main/a/apt/libapt-pkg5.0-dbgsym_1.4.9_amd64.deb
	Size/SHA256 checksum:	6076102	cdb03ddd57934e773a579a89f32f11567710a39d6ac289e73efb20e8825874d1
http://security.debian.org/pool/updates/main/a/apt/libapt-pkg5.0_1.4.9_amd64.deb
	Size/SHA256 checksum:	916448	03281e3d1382826d5989c12c77a9b27f5f752b0f6aa28b524a2df193f7296e0b

arm64 architecture:

http://security.debian.org/pool/updates/main/a/apt/apt-dbgsym_1.4.9_arm64.deb
	Size/SHA256 checksum:	4420208	c20e28d760cf99005ef16851f3f0c25b576ceaf6e6658a233066800a98c00025
http://security.debian.org/pool/updates/main/a/apt/apt-transport-https-dbgsym_1.4.9_arm64.deb
	Size/SHA256 checksum:	288966	6e72a2123194ac5bb678305a67ac9cd4e5ca1df3771f753e4e29bed5e64f82f6
http://security.debian.org/pool/updates/main/a/apt/apt-transport-https_1.4.9_arm64.deb
	Size/SHA256 checksum:	167674	6635e174290f89555a2eb9cbc083b1fa566b2cd65318212c8c760b87bfb2c544
http://security.debian.org/pool/updates/main/a/apt/apt-utils-dbgsym_1.4.9_arm64.deb
	Size/SHA256 checksum:	1269592	8c1970c394c6606f867ef97dd252fdb0aad0c3d2836905d7fcf9c099c55daaaf
http://security.debian.org/pool/updates/main/a/apt/apt-utils_1.4.9_arm64.deb
	Size/SHA256 checksum:	401136	f7e95f4fbc94409ff4dceb16626beb6cd0eecff5e6982e1bf808af014ea7331f
http://security.debian.org/pool/updates/main/a/apt/apt_1.4.9_arm64.deb
	Size/SHA256 checksum:	1202864	54abf458ed6b78f56638771fa30cdc9e482469cc0e2dfc2146b3606ea22a3449
http://security.debian.org/pool/updates/main/a/apt/libapt-inst2.0-dbgsym_1.4.9_arm64.deb
	Size/SHA256 checksum:	220694	8ca1d140c34e5c3b9155cd5e3d7946338c7f5e34794f54cfeae1fd12c213a5e7
http://security.debian.org/pool/updates/main/a/apt/libapt-inst2.0_1.4.9_arm64.deb
	Size/SHA256 checksum:	191188	27d1254e03a80f77458e2c2aceb097c9a85e9cefb4623643a1e25b45e0b889ae
http://security.debian.org/pool/updates/main/a/apt/libapt-pkg-dev_1.4.9_arm64.deb
	Size/SHA256 checksum:	235220	3f046e34009db988edd4e0474b13100ba92adf3beac16456785ee16940b51f2d
http://security.debian.org/pool/updates/main/a/apt/libapt-pkg5.0-dbgsym_1.4.9_arm64.deb
	Size/SHA256 checksum:	5994222	0dac2646923b74f9b73b239abee516cc312aabce30fe3fa8d59d1686ba6bae35
http://security.debian.org/pool/updates/main/a/apt/libapt-pkg5.0_1.4.9_arm64.deb
	Size/SHA256 checksum:	855612	c3b333927f340bb044ec44f2bfe2abced35ebb3e91457ae91249d26058e7b796

armel architecture:

http://security.debian.org/pool/updates/main/a/apt/apt-dbgsym_1.4.9_armel.deb
	Size/SHA256 checksum:	4350626	75be53df402a454a4f46c524097addcb7257d3c4505c013af91bd691c656ceb6
http://security.debian.org/pool/updates/main/a/apt/apt-transport-https-dbgsym_1.4.9_armel.deb
	Size/SHA256 checksum:	281070	99485a41192493e3ec8e77e02a31169551e61b26e11af3379de28629a5d38942
http://security.debian.org/pool/updates/main/a/apt/apt-transport-https_1.4.9_armel.deb
	Size/SHA256 checksum:	165820	179bcd2457beb0c8449101684c40dc94c9882166b17d584162109928d124cffc
http://security.debian.org/pool/updates/main/a/apt/apt-utils-dbgsym_1.4.9_armel.deb
	Size/SHA256 checksum:	1251850	52a396be4fb97bc8b3ee2b9b1e1e8ce22bf7572a78e21925034151593d661744
http://security.debian.org/pool/updates/main/a/apt/apt-utils_1.4.9_armel.deb
	Size/SHA256 checksum:	394280	90f760e7480582bcabc2a2f50a44a2d1f5ce4070370295832bc82424887e5289
http://security.debian.org/pool/updates/main/a/apt/apt_1.4.9_armel.deb
	Size/SHA256 checksum:	1190316	862ba546c54b66732d2a2d17b44aa4d20109f2bd4ba158d62d158ba190eed649
http://security.debian.org/pool/updates/main/a/apt/libapt-inst2.0-dbgsym_1.4.9_armel.deb
	Size/SHA256 checksum:	219874	52e2e61fa55dfaf76cc93ebde71a4c3cebfa322088f4815ac5b5ddce272c1f06
http://security.debian.org/pool/updates/main/a/apt/libapt-inst2.0_1.4.9_armel.deb
	Size/SHA256 checksum:	189878	531e3a673d24b3ae79babc5110d3b27cdbd7a274c0839ff650d691d88d28d8d7
http://security.debian.org/pool/updates/main/a/apt/libapt-pkg-dev_1.4.9_armel.deb
	Size/SHA256 checksum:	235218	46ecb77704fb8957505d96bdfa7c1f190559914ad96297a6b15609ed1a1a24d9
http://security.debian.org/pool/updates/main/a/apt/libapt-pkg5.0-dbgsym_1.4.9_armel.deb
	Size/SHA256 checksum:	5907742	17584936819ecd802f395648da292e3bc8053bffeab1c2d23347b960114282dd
http://security.debian.org/pool/updates/main/a/apt/libapt-pkg5.0_1.4.9_armel.deb
	Size/SHA256 checksum:	829040	6d2ca52d1823ca3100a2bc3d98ed15aca5af1b59203006794b8e8cb4575433b0

armhf architecture:

http://security.debian.org/pool/updates/main/a/apt/apt-dbgsym_1.4.9_armhf.deb
	Size/SHA256 checksum:	4350882	79df1b6169ff455737b48f3d2d9cab7c8b0894fe403aa0a3505affb964d02dca
http://security.debian.org/pool/updates/main/a/apt/apt-transport-https-dbgsym_1.4.9_armhf.deb
	Size/SHA256 checksum:	281494	cd9a5535e94d692a654730da247be59b711cab8dddeee6fea3ded9de1bf50370
http://security.debian.org/pool/updates/main/a/apt/apt-transport-https_1.4.9_armhf.deb
	Size/SHA256 checksum:	166962	523bf76fd9ee262b08fb04ce2afcd5c0d4e81087c111f31179f5ec2882bbbe93
http://security.debian.org/pool/updates/main/a/apt/apt-utils-dbgsym_1.4.9_armhf.deb
	Size/SHA256 checksum:	1250920	c0ff4f85f854b3abcc93396bfa724e5866ab4f39a758f5667f93e037b162d34e
http://security.debian.org/pool/updates/main/a/apt/apt-utils_1.4.9_armhf.deb
	Size/SHA256 checksum:	397912	4d4699621974098a2d7d1d76c4ee5995e0a56c40a336bbc008308f799cc6bc77
http://security.debian.org/pool/updates/main/a/apt/apt_1.4.9_armhf.deb
	Size/SHA256 checksum:	1198550	0d2b46b839041ac660a33bb17477e66a5317690135346a9a616dfb2efc07906d
http://security.debian.org/pool/updates/main/a/apt/libapt-inst2.0-dbgsym_1.4.9_armhf.deb
	Size/SHA256 checksum:	219930	9cc01feb0ce145252762cb37a850e6ee47fd3808928c83e4505743b5b17206b4
http://security.debian.org/pool/updates/main/a/apt/libapt-inst2.0_1.4.9_armhf.deb
	Size/SHA256 checksum:	189906	37acb514874d95cd39991ff0c759bf17ba2d7f1af746b5e0767b1ee2da52f892
http://security.debian.org/pool/updates/main/a/apt/libapt-pkg-dev_1.4.9_armhf.deb
	Size/SHA256 checksum:	235220	2596fbe7bbad28d57374a2ab6278e9be7cb01e0eee4733f66b76a62492db46e8
http://security.debian.org/pool/updates/main/a/apt/libapt-pkg5.0-dbgsym_1.4.9_armhf.deb
	Size/SHA256 checksum:	5898652	0d47eba6a4969882773f0fe40bc90bd6893cac9268fcbfcc4041ac92b81fbc8f
http://security.debian.org/pool/updates/main/a/apt/libapt-pkg5.0_1.4.9_armhf.deb
	Size/SHA256 checksum:	851386	a7619b4cf5b6205bae21cd25fcc8a856dc108e9f1be6c48e246379f157dc8703

i386 architecture:

http://security.debian.org/pool/updates/main/a/apt/apt-dbgsym_1.4.9_i386.deb
	Size/SHA256 checksum:	4311264	8c5fb2a184aaf8b6953fcee262b130ab83ef90f5a5732b44102e7afc089f7163
http://security.debian.org/pool/updates/main/a/apt/apt-transport-https-dbgsym_1.4.9_i386.deb
	Size/SHA256 checksum:	281510	0a8f4895ceac461862c09b74a8b441e9ab41fcd06d00998ed6301f6ab7f7eb51
http://security.debian.org/pool/updates/main/a/apt/apt-transport-https_1.4.9_i386.deb
	Size/SHA256 checksum:	174508	1e7a22d8f976f56ace375e7e02e19b2629a68e6e28c71d9b9126aa0ac3d3175c
http://security.debian.org/pool/updates/main/a/apt/apt-utils-dbgsym_1.4.9_i386.deb
	Size/SHA256 checksum:	1238936	c97d47e8b0e6edab7c3a77b1bd8381b92e926fbfd091585bdb881e741d2f5702
http://security.debian.org/pool/updates/main/a/apt/apt-utils_1.4.9_i386.deb
	Size/SHA256 checksum:	421244	25835d5ae4330608421ac4cc6e5c938d36590b55f88bae8ba49b8ce95f3edee1
http://security.debian.org/pool/updates/main/a/apt/apt_1.4.9_i386.deb
	Size/SHA256 checksum:	1263876	e5ce4790d6565634199199f6bf1d29986468603748aa56d135067ae878416649
http://security.debian.org/pool/updates/main/a/apt/libapt-inst2.0-dbgsym_1.4.9_i386.deb
	Size/SHA256 checksum:	214690	8dd9a9359f8cc74e192cb4577ac996a907c643079673e0f0d4fb8949cc4c559c
http://security.debian.org/pool/updates/main/a/apt/libapt-inst2.0_1.4.9_i386.deb
	Size/SHA256 checksum:	194534	5937ffef18ef22271a616d32388b50a06ee0ce6ccab90ca870548b9aa5b29e32
http://security.debian.org/pool/updates/main/a/apt/libapt-pkg-dev_1.4.9_i386.deb
	Size/SHA256 checksum:	235220	0b045d17a2b45aa59b55c6c5ccd47f738e2edeb189cd892d710f0e35b4d09b27
http://security.debian.org/pool/updates/main/a/apt/libapt-pkg5.0-dbgsym_1.4.9_i386.deb
	Size/SHA256 checksum:	5832816	82f9dcb1f298b98cce99bf4c80befe9412487479796239f1121baa1c5fe6bb58
http://security.debian.org/pool/updates/main/a/apt/libapt-pkg5.0_1.4.9_i386.deb
	Size/SHA256 checksum:	989166	16e6470005d25741a9bf39c02ba3f287fda0a66dda8a5859c0efa24a97f56351

mips64el architecture:

http://security.debian.org/pool/updates/main/a/apt/apt-dbgsym_1.4.9_mips64el.deb
	Size/SHA256 checksum:	4477316	3130466b56438f0138940c08ca0c9da9dbdbf971e482079f7ca7444d5af872a6
http://security.debian.org/pool/updates/main/a/apt/apt-transport-https-dbgsym_1.4.9_mips64el.deb
	Size/SHA256 checksum:	296826	9d74c4cb898ed72619ba2a1bf1f0906fa08224dbbe635d2bdedf15d0fd1ad282
http://security.debian.org/pool/updates/main/a/apt/apt-transport-https_1.4.9_mips64el.deb
	Size/SHA256 checksum:	168898	c3af79ed48010edb558d1e80b1a6ee182c66e234506de96c056844743234c9ba
http://security.debian.org/pool/updates/main/a/apt/apt-utils-dbgsym_1.4.9_mips64el.deb
	Size/SHA256 checksum:	1282904	86c5ff537b95d0d41dfb0b0685f4df4fbecea1651a98845f4fec82b3cc306dd4
http://security.debian.org/pool/updates/main/a/apt/apt-utils_1.4.9_mips64el.deb
	Size/SHA256 checksum:	407486	d634b98ae56c7d4e8640fbdb515a17a53d86a3f53a1890edbc40085fa2e6b1be
http://security.debian.org/pool/updates/main/a/apt/apt_1.4.9_mips64el.deb
	Size/SHA256 checksum:	1212204	d9d44ffb8b1860071908267ebda728e8d1086fc911eb66e16f52de07547af6da
http://security.debian.org/pool/updates/main/a/apt/libapt-inst2.0-dbgsym_1.4.9_mips64el.deb
	Size/SHA256 checksum:	222390	f357f23f332a543f342c19aa322e02f4cb6557a688ad2dc18ea8abcab871eeb0
http://security.debian.org/pool/updates/main/a/apt/libapt-inst2.0_1.4.9_mips64el.deb
	Size/SHA256 checksum:	192760	6d3fc127c587cce8de194ea7976e3c2664515f5c7959428d89c0d01affcf8567
http://security.debian.org/pool/updates/main/a/apt/libapt-pkg-dev_1.4.9_mips64el.deb
	Size/SHA256 checksum:	235226	30b6ae87ecb434fb008760d2ccd29c2f70cbd44a130eb4731b040d8893dfc909
http://security.debian.org/pool/updates/main/a/apt/libapt-pkg5.0-dbgsym_1.4.9_mips64el.deb
	Size/SHA256 checksum:	6088584	295239f32bde382a348384167d46804ce260b96119ffa6b917c5951181e9e92a
http://security.debian.org/pool/updates/main/a/apt/libapt-pkg5.0_1.4.9_mips64el.deb
	Size/SHA256 checksum:	850490	51e697b30b4f9f5ff0d942e04fb48962e6ae9a898d6bd165d16733c064325fd8

mips architecture:

http://security.debian.org/pool/updates/main/a/apt/apt-dbgsym_1.4.9_mips.deb
	Size/SHA256 checksum:	4392432	b9fe6f619cc83779f1d5902400364e0bfc4b6e1c5d5fbd51b7080b8fcc84e64b
http://security.debian.org/pool/updates/main/a/apt/apt-transport-https-dbgsym_1.4.9_mips.deb
	Size/SHA256 checksum:	295018	d0d607cbdc2f371c283b103111525711a602fa85b4c7a7bbe279178c8d67836c
http://security.debian.org/pool/updates/main/a/apt/apt-transport-https_1.4.9_mips.deb
	Size/SHA256 checksum:	169328	4e9b54777d8c2a5813fa8e4aa395a91b587edd33f4ef661898ada4cbc8943197
http://security.debian.org/pool/updates/main/a/apt/apt-utils-dbgsym_1.4.9_mips.deb
	Size/SHA256 checksum:	1253318	dcd73eb8b89417c1a940501657fed7cdeea5385178770190b41d92fb6bf49e86
http://security.debian.org/pool/updates/main/a/apt/apt-utils_1.4.9_mips.deb
	Size/SHA256 checksum:	408388	8a834ddee8e6182de5768e12564137eb063bee6b1918d4c08c88b9c11a4cb856
http://security.debian.org/pool/updates/main/a/apt/apt_1.4.9_mips.deb
	Size/SHA256 checksum:	1212756	ea41a5c84b953bb818a6779a141efdcd3e2b46c895eb64e9c0e11d49755bf256
http://security.debian.org/pool/updates/main/a/apt/libapt-inst2.0-dbgsym_1.4.9_mips.deb
	Size/SHA256 checksum:	192358	33f8fa97ea56e5f07d403fd0df87b43285823880d9d3f6fd22abbf239a9d5c56
http://security.debian.org/pool/updates/main/a/apt/libapt-inst2.0_1.4.9_mips.deb
	Size/SHA256 checksum:	192556	2e09a9207914f215686a6b305a0e46bbdeb46c18ba9ea9115631ed216a2896cb
http://security.debian.org/pool/updates/main/a/apt/libapt-pkg-dev_1.4.9_mips.deb
	Size/SHA256 checksum:	235216	2c582528fb38966de60476e2121037a80d3357fd95cc8e1453c3e5a52d030655
http://security.debian.org/pool/updates/main/a/apt/libapt-pkg5.0-dbgsym_1.4.9_mips.deb
	Size/SHA256 checksum:	6019436	348b9ffc965c7a7e04335c5eb3621f65a27fabf46b1fa12f59582fa43cbe480f
http://security.debian.org/pool/updates/main/a/apt/libapt-pkg5.0_1.4.9_mips.deb
	Size/SHA256 checksum:	858768	125dcd2c1e284600a94a5a471a96534c03e55c9c3091ad06b8d5bfef4d65a574

mipsel architecture:

http://security.debian.org/pool/updates/main/a/apt/apt-dbgsym_1.4.9_mipsel.deb
	Size/SHA256 checksum:	4239176	e0b0722222426833d2d603a15a91b170213f6aae2ff12551bd81b31323e9f67f
http://security.debian.org/pool/updates/main/a/apt/apt-transport-https-dbgsym_1.4.9_mipsel.deb
	Size/SHA256 checksum:	285552	9f56461f5f974b07d25845c11df09307d68e698e4ad58bacec871fa3d0e9acbd
http://security.debian.org/pool/updates/main/a/apt/apt-transport-https_1.4.9_mipsel.deb
	Size/SHA256 checksum:	169958	cea079260b61817bb6163c3268e6714e09326777d8bbc2b70de7bc6f8cf9ef33
http://security.debian.org/pool/updates/main/a/apt/apt-utils-dbgsym_1.4.9_mipsel.deb
	Size/SHA256 checksum:	1209848	e58957b39f234048f64fc18c9942d2f52d53c4a60f42c349a65c0ff27a553a04
http://security.debian.org/pool/updates/main/a/apt/apt-utils_1.4.9_mipsel.deb
	Size/SHA256 checksum:	409708	5f95e0433899d05bceb8150a02ee444cc42476a0c81eb35ed43402a0f4f7f5fd
http://security.debian.org/pool/updates/main/a/apt/apt_1.4.9_mipsel.deb
	Size/SHA256 checksum:	1218954	6eaf9b8d9e0239d2ffcce046892bf0d0553688dfd5e44332c0dbe84a66648545
http://security.debian.org/pool/updates/main/a/apt/libapt-inst2.0-dbgsym_1.4.9_mipsel.deb
	Size/SHA256 checksum:	185796	6b68ea266213de56b7eb5253a0d5f770c95234a5f2d4e2847f78d4913c2e735b
http://security.debian.org/pool/updates/main/a/apt/libapt-inst2.0_1.4.9_mipsel.deb
	Size/SHA256 checksum:	192822	59c2dcfe8e23f63cd201777a11b45d5833045ada44b616ed059d223cee99311a
http://security.debian.org/pool/updates/main/a/apt/libapt-pkg-dev_1.4.9_mipsel.deb
	Size/SHA256 checksum:	235216	7fe6c1f8074bff4a29a2988556295ef558b5650edd66145866957e2528c92f7e
http://security.debian.org/pool/updates/main/a/apt/libapt-pkg5.0-dbgsym_1.4.9_mipsel.deb
	Size/SHA256 checksum:	5783676	6c4d9f99a16b091672016fd4fe21156e2a4daafb3debfb674c9472f1407a30eb
http://security.debian.org/pool/updates/main/a/apt/libapt-pkg5.0_1.4.9_mipsel.deb
	Size/SHA256 checksum:	869792	2abb3afa5689f3dd0461b998449934ce06ced68ef6cdc8e4e121196f40bd30e6

ppc64el architecture:

http://security.debian.org/pool/updates/main/a/apt/apt-dbgsym_1.4.9_ppc64el.deb
	Size/SHA256 checksum:	4471286	916a6677f1d6b82160a82d5b5265df9a00f5f0f3ef34807a1a5673c0b2d1f2a3
http://security.debian.org/pool/updates/main/a/apt/apt-transport-https-dbgsym_1.4.9_ppc64el.deb
	Size/SHA256 checksum:	297220	b973d349639fd8acbc9f99c819987cbd15211ee69a7239c3ae1f558ccd46729e
http://security.debian.org/pool/updates/main/a/apt/apt-transport-https_1.4.9_ppc64el.deb
	Size/SHA256 checksum:	169566	9de5b780e0e0d381bb1f1cfbff5626e36bae7df6ca25f6c49affc650b88cd152
http://security.debian.org/pool/updates/main/a/apt/apt-utils-dbgsym_1.4.9_ppc64el.deb
	Size/SHA256 checksum:	1281378	08fc480c70dda285f87d591da10ba0d341569fe9eee1f6db0544fa7234f13632
http://security.debian.org/pool/updates/main/a/apt/apt-utils_1.4.9_ppc64el.deb
	Size/SHA256 checksum:	406494	5f66c194b5897c490212c15806821d6f924c1353b5031a11383f3b2ebb25d44c
http://security.debian.org/pool/updates/main/a/apt/apt_1.4.9_ppc64el.deb
	Size/SHA256 checksum:	1221036	b6235daa430bd3e6df37855fd8fcebe057c187335c9e45744e35694600475495
http://security.debian.org/pool/updates/main/a/apt/libapt-inst2.0-dbgsym_1.4.9_ppc64el.deb
	Size/SHA256 checksum:	221220	af22feaa8ba661ab283580ab1388eec097980fb1b0f11f13a84df45ca78673ee
http://security.debian.org/pool/updates/main/a/apt/libapt-inst2.0_1.4.9_ppc64el.deb
	Size/SHA256 checksum:	192604	92d4290b343ada2eaca425f09d56d2767b0bca5221957477515fdb9391497fa8
http://security.debian.org/pool/updates/main/a/apt/libapt-pkg-dev_1.4.9_ppc64el.deb
	Size/SHA256 checksum:	235222	e6ef81e5f61383584aba546056f43458cd83d1d56a96087301ba0454efdd3941
http://security.debian.org/pool/updates/main/a/apt/libapt-pkg5.0-dbgsym_1.4.9_ppc64el.deb
	Size/SHA256 checksum:	6091540	26a675b4dbf0e69207080f11c1a7e7931cc487d8087b9ce8f200d4fcbdc80fd7
http://security.debian.org/pool/updates/main/a/apt/libapt-pkg5.0_1.4.9_ppc64el.deb
	Size/SHA256 checksum:	888440	0f2987f64499f3b3f15f2d560d2d41ddc71986e557e94a20ea02af4c71481b47

For the detailed security status of apt please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/apt

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

- --------------------------------------------------------------------------------

Package        : apt
Version        : 1.0.9.8.5
CVE ID         : CVE-2019-3462
Debian Bug     :

(amended to refer to jessie in the sources.list entry below, instead of
 stable)

Max Justicz discovered a vulnerability in APT, the high-level package manager.
The code handling HTTP redirects in the HTTP transport method doesn't properly
sanitize fields transmitted over the wire. This vulnerability could be used by
an attacker located as a man-in-the-middle between APT and a mirror to inject
malicious content into the HTTP connection. This content could then be recognized
as a valid package by APT and used later for code execution with root
privileges on the target machine.

Since the vulnerability is present in the package manager itself, it is
recommended to disable redirects, for this upgrade only, in order to prevent
exploitation while the fix is being installed, using:

 apt -o Acquire::http::AllowRedirect=false update
 apt -o Acquire::http::AllowRedirect=false upgrade

This is known to break some proxies when used against security.debian.org. If
that happens, people can switch their security APT source to use:

 deb http://cdn-fastly.deb.debian.org/debian-security jessie/updates main

For Debian 8 "Jessie", this problem has been fixed in version
1.0.9.8.5.

We recommend that you upgrade your apt packages.

Specific upgrade instructions:

If upgrading using APT without redirects is not possible in your situation, you
can manually download the files (using wget/curl) for your architecture using
the URLs provided below, verifying that the sizes and hashes match. Then you can
install them using dpkg -i.

Architecture independent files:

http://security.debian.org/debian-security/pool/updates/main/a/apt/apt-doc_1.0.9.8.5_all.deb
        Size/SHA256 checksum:    301106 47df9567e45fadcd2a56c0fd3d514d8136f2f206aa7baa47405c6fcb94824ab6
http://security.debian.org/debian-security/pool/updates/main/a/apt/libapt-pkg-doc_1.0.9.8.5_all.deb
        Size/SHA256 checksum:    750506 ce79b2ef272716b8da11f3fd0497ce0b7ee69c9c66d01669e8abbbfdde5e6256

amd64 architecture:

http://security.debian.org/debian-security/pool/updates/main/a/apt/libapt-pkg4.12_1.0.9.8.5_amd64.deb
        Size/SHA256 checksum:    792126 295d9c69854a4cfbcb46001b09b853f5a098a04c986fc5ae01a0124c1c27e6bd
http://security.debian.org/debian-security/pool/updates/main/a/apt/libapt-inst1.5_1.0.9.8.5_amd64.deb
        Size/SHA256 checksum:    168896 f9615532b1577b3d1455fa51839ce91765f2860eb3a6810fb5e0de0c87253030
http://security.debian.org/debian-security/pool/updates/main/a/apt/apt_1.0.9.8.5_amd64.deb
        Size/SHA256 checksum:   1109308 4078748632abc19836d045f80f9d6933326065ca1d47367909a0cf7f29e7dfe8
http://security.debian.org/debian-security/pool/updates/main/a/apt/libapt-pkg-dev_1.0.9.8.5_amd64.deb
        Size/SHA256 checksum:    192950 09ef86d178977163b8cf0081d638d74e0a90c805dd77750c1d91354b6840b032
http://security.debian.org/debian-security/pool/updates/main/a/apt/apt-utils_1.0.9.8.5_amd64.deb
        Size/SHA256 checksum:    368396 87c55d9ccadcabd59674873c221357c774020c116afd978fb9df6d2d0303abf2
http://security.debian.org/debian-security/pool/updates/main/a/apt/apt-transport-https_1.0.9.8.5_amd64.deb
        Size/SHA256 checksum:    137230 f5a17422fd319ff5f6e3ea9a9e87d2508861830120125484130da8c1fd479df2

armel architecture:

http://security.debian.org/debian-security/pool/updates/main/a/apt/libapt-pkg4.12_1.0.9.8.5_armel.deb
        Size/SHA256 checksum:    717002 80fe021d87f2444abdd7c5491e7a4bf9ab9cb2b8e6fa72d308905f4e0aad60d4
http://security.debian.org/debian-security/pool/updates/main/a/apt/libapt-inst1.5_1.0.9.8.5_armel.deb
        Size/SHA256 checksum:    166784 046fb962fa214c5d6acfb7344e7719f8c4898d87bf29ed3cd2115e3f6cdd14e9
http://security.debian.org/debian-security/pool/updates/main/a/apt/apt_1.0.9.8.5_armel.deb
        Size/SHA256 checksum:   1067404 f9a257d6aace1f222633e0432abf1d6946bad9dbd0ca18dccb288d50f17b895f
http://security.debian.org/debian-security/pool/updates/main/a/apt/libapt-pkg-dev_1.0.9.8.5_armel.deb
        Size/SHA256 checksum:    193768 4cb226f55132a68a2f5db925ada6147aaf052adb02301fb45fb0c2d1cfce36f0
http://security.debian.org/debian-security/pool/updates/main/a/apt/apt-utils_1.0.9.8.5_armel.deb
        Size/SHA256 checksum:    353178 38042838d8bc79642e5389be7d2d2d967cbf316805d4c8c2d6afbe1bc164aacc
http://security.debian.org/debian-security/pool/updates/main/a/apt/apt-transport-https_1.0.9.8.5_armel.deb
        Size/SHA256 checksum:    134932 755b6d22f5914f3153a1c15427e5221507b174c0a4c6b860ebd16234c9e9a146

armhf architecture:

http://security.debian.org/debian-security/pool/updates/main/a/apt/libapt-pkg4.12_1.0.9.8.5_armhf.deb
        Size/SHA256 checksum:    734302 0f48f6d0406afdf0bd4d39e90e56460fab3d9b5fa4c91e2dca78ec22caf2fe2a
http://security.debian.org/debian-security/pool/updates/main/a/apt/libapt-inst1.5_1.0.9.8.5_armhf.deb
        Size/SHA256 checksum:    166556 284a1ffd529e1daab3c300be17a20f11450555be9c0af166d9796c18147a03ba
http://security.debian.org/debian-security/pool/updates/main/a/apt/apt_1.0.9.8.5_armhf.deb
        Size/SHA256 checksum:   1078212 08d85c30c8e4a6df0dced8e232a6c7639caa231acef4af8fdee2c1e07f0178ba
http://security.debian.org/debian-security/pool/updates/main/a/apt/libapt-pkg-dev_1.0.9.8.5_armhf.deb
        Size/SHA256 checksum:    193796 3a26bd79677b46ce0a992e2ac808c4bbd2d5b3fc37b57fc93c8efa114de1adaa
http://security.debian.org/debian-security/pool/updates/main/a/apt/apt-utils_1.0.9.8.5_armhf.deb
        Size/SHA256 checksum:    357074 19dec9ffc0fe4a86d6e61b5213e75c55ae6aaade6f3804f90e2e4034bbdc44d8
http://security.debian.org/debian-security/pool/updates/main/a/apt/apt-transport-https_1.0.9.8.5_armhf.deb
        Size/SHA256 checksum:    135072 06ba556c5218e58fd14119e3b08a08f685209a0cbe09f2328bd572cabc580bca

i386 architecture:

http://security.debian.org/debian-security/pool/updates/main/a/apt/libapt-pkg4.12_1.0.9.8.5_i386.deb
        Size/SHA256 checksum:    800840 201b6cf4625ed175e6a024ac1f7ca6c526ca79d859753c125b02cd69e26c349d
http://security.debian.org/debian-security/pool/updates/main/a/apt/libapt-inst1.5_1.0.9.8.5_i386.deb
        Size/SHA256 checksum:    170484 5791661dd4ade72b61086fefdc209bd1f76ac7b7c812d6d4ba951b1a6232f0b9
http://security.debian.org/debian-security/pool/updates/main/a/apt/apt_1.0.9.8.5_i386.deb
        Size/SHA256 checksum:   1110418 13c230e9c544b1e67a8da413046bf1728526372170533b1a23e70cc99c40a228
http://security.debian.org/debian-security/pool/updates/main/a/apt/libapt-pkg-dev_1.0.9.8.5_i386.deb
        Size/SHA256 checksum:    193780 c5b1bfa913ea2e2e332c228f5c5fe4dbc11ab334d0551a68ba6e87e94a51ffee
http://security.debian.org/debian-security/pool/updates/main/a/apt/apt-utils_1.0.9.8.5_i386.deb
        Size/SHA256 checksum:    371218 1a74b12c8bb6b3968a721f3aa96739073e4fe2ced9302792c533e21535bc9cf4
http://security.debian.org/debian-security/pool/updates/main/a/apt/apt-transport-https_1.0.9.8.5_i386.deb
        Size/SHA256 checksum:    139036 32148d92914a97df8bbb9f223e788dcbc7c39e570cf48e6759cb483a65b68666

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----
