SoylentNews is people

posted by LaminatorX on Friday September 19 2014, @08:48AM
from the apt-to-fail dept.

"We recommend that you upgrade your apt packages." with apt of course... (via https://twitter.com/ioerror)

https://www.debian.org/security/2014/dsa-3025

"It was discovered that APT, the high level package manager, does not properly invalidate unauthenticated data (CVE-2014-0488), performs incorrect verification of 304 replies (CVE-2014-0487), does not perform the checksum check when the Acquire::GzipIndexes option is used (CVE-2014-0489) and does not properly perform validation for binary packages downloaded by the apt-get download command (CVE-2014-0490)."

  • (Score: 4, Informative) by _NSAKEY on Friday September 19 2014, @08:58AM

    by _NSAKEY (16) on Friday September 19 2014, @08:58AM (#95399)

    wget the .debs for both apt [debian.org] and apt-utils [debian.org]. Install with dpkg -i. Done.

    • (Score: 3, Interesting) by mtrycz on Friday September 19 2014, @09:13AM

      by mtrycz (60) on Friday September 19 2014, @09:13AM (#95403)

      I might not be getting it: is there a clear reason not to update it with apt?

      --
      In capitalist America, ads view YOU!
      • (Score: 3, Informative) by _NSAKEY on Friday September 19 2014, @09:22AM

        by _NSAKEY (16) on Friday September 19 2014, @09:22AM (#95406)

        Aside from avoiding the irony of updating apt by using apt? Not unless you're really paranoid.

        • (Score: 3, Insightful) by mth on Friday September 19 2014, @09:41AM

          by mth (2848) on Friday September 19 2014, @09:41AM (#95409) Homepage

          Bypassing apt altogether skips all security checks, so that would be a lot less safe than apt skipping some of the checks in particular situations.

          • (Score: 3, Informative) by q.kontinuum on Friday September 19 2014, @12:43PM

            by q.kontinuum (532) on Friday September 19 2014, @12:43PM (#95455) Journal

            I'd expect you can download a signed .deb and check the signature manually, which might make it safer.

            --
            Registered IRC nick on chat.soylentnews.org: qkontinuum
            • (Score: 2) by _NSAKEY on Friday September 19 2014, @04:59PM

              by _NSAKEY (16) on Friday September 19 2014, @04:59PM (#95559)

              The steps for doing that can be found here [debian.org]
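Worked example of the manual check discussed above, added here; it is not code from the thread, from Debian, or from the page linked in the comment. It walks the same trust chain APT walks for a package it downloads: the mirror's Release file is checked against the archive signing keys, Release carries the SHA256 of the Packages index, and the Packages stanza carries the SHA256 of the .deb. Installing a .deb fetched with wget and dpkg -i is only as safe as the step that ties it back to that chain. The gpgv call assumes the keyring lives at /usr/share/keyrings/debian-archive-keyring.gpg (the debian-archive-keyring package's path on Debian); the demo at the bottom uses a constructed Packages stanza and a constructed fake .deb so it runs offline, and therefore exercises only the hash chain, not the signature step.

```shell
#!/bin/sh
# Added example: verify a downloaded .deb against signed archive metadata
# by hand, mirroring the chain Release.gpg -> Release -> Packages -> .deb.
set -eu

# Step 1: check the detached signature on the mirror's Release file with the
# Debian archive keyring.  Needs the real Release and Release.gpg files, so the
# offline demo below does not call it.
verify_release_signature() {
    # $1 = Release.gpg (detached signature), $2 = Release
    gpgv --keyring /usr/share/keyrings/debian-archive-keyring.gpg "$1" "$2"
}

# Step 2a: expected SHA256 of an index file as listed in Release.  Release has
# a "SHA256:" header followed by lines of " <hash> <size> <path>".
expected_sha256_from_release() {
    # $1 = Release file, $2 = index path (e.g. main/binary-amd64/Packages)
    awk -v path="$2" '
        /^SHA256:/      { insha = 1; next }
        /^[A-Za-z]/     { insha = 0 }
        insha && $3 == path { print $1; exit }
    ' "$1"
}

# Step 2b: expected SHA256 of a .deb as listed in the Packages index, taken
# from the stanza whose "Filename:" matches.  Prints nothing if no stanza does.
expected_sha256_from_packages() {
    # $1 = Packages file, $2 = Filename as listed (pool/main/a/apt/apt_...deb)
    awk -v fn="$2" '
        /^Filename:/        { hit = ($2 == fn) }
        /^SHA256:/ && hit   { print $2; exit }
        /^$/                { hit = 0 }
    ' "$1"
}

# Step 3: compare an expected hash with the file on disk.
# Returns 0 on match, 1 on mismatch or when no expected hash was found.
check_sha256() {
    # $1 = file on disk, $2 = expected hash (may be empty)
    [ -n "$2" ] || return 1
    actual=$(sha256sum "$1" | awk '{print $1}')
    [ "$actual" = "$2" ]
}

# Offline demo with constructed data: a fake .deb and a fake Packages index.
demo_dir=$(mktemp -d)
printf 'not a real package\n' > "$demo_dir/apt_fake.deb"
fake_hash=$(sha256sum "$demo_dir/apt_fake.deb" | awk '{print $1}')
cat > "$demo_dir/Packages" <<EOF
Package: apt
Version: 0.0-constructed
Filename: pool/main/a/apt/apt_fake.deb
SHA256: $fake_hash

Package: other
Filename: pool/main/o/other/other_fake.deb
SHA256: 0000000000000000000000000000000000000000000000000000000000000000
EOF
expected=$(expected_sha256_from_packages "$demo_dir/Packages" pool/main/a/apt/apt_fake.deb)
if check_sha256 "$demo_dir/apt_fake.deb" "$expected"; then
    echo "apt_fake.deb: checksum matches Packages index"
fi
# Tamper with the downloaded file and check again.
printf 'appended bytes\n' >> "$demo_dir/apt_fake.deb"
if ! check_sha256 "$demo_dir/apt_fake.deb" "$expected"; then
    echo "apt_fake.deb: MISMATCH after modification, do not install"
fi
rm -rf "$demo_dir"
```

For a real package, run verify_release_signature first; a hash that matches an index whose signature was never checked proves only that the mirror is self-consistent, which is exactly the gap the advisory's "unauthenticated data" wording is about.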

        • (Score: -1, Offtopic) by Anonymous Coward on Friday September 19 2014, @11:29AM

          by Anonymous Coward on Friday September 19 2014, @11:29AM (#95433)

          Not unless you're really paranoid.

          What solutions exist for beyond really paranoids? Like, for those imaginarily paranoids? Or quaternionly paranoids?

  • (Score: 2) by cosurgi on Friday September 19 2014, @03:25PM

    by cosurgi (272) on Friday September 19 2014, @03:25PM (#95521) Journal

    If you are in any doubt that your system might have been hijacked with malicious binaries, after updating apt do this:

    debsums > result
    cat result | grep -v OK

    --
    #
    #\ @ ? [adom.de] Colonize Mars [kozicki.pl]
    #
    • (Score: 1, Insightful) by Anonymous Coward on Friday September 19 2014, @05:01PM

      by Anonymous Coward on Friday September 19 2014, @05:01PM (#95561)
      But what if debsums has been hijacked too?

      So if you really want to know whether your system has been hijacked with malicious binaries, what you have to do is mount your drive on a known safe computer then do the checks using clean stuff.
      • (Score: 2) by cosurgi on Monday September 22 2014, @09:44AM

        by cosurgi (272) on Monday September 22 2014, @09:44AM (#96672) Journal

        Right, you would need to reinstall debsums first from a clean source. Or, as you say, go to another safe computer.

        --
        #
        #\ @ ? [adom.de] Colonize Mars [kozicki.pl]
        #
    • (Score: 1) by Freebirth Toad on Sunday September 21 2014, @05:02PM

      by Freebirth Toad (4486) on Sunday September 21 2014, @05:02PM (#96366)
      Isn't debsums based on MD5? I thought MD5 was no longer safe as a cryptographic hash function [wikipedia.org].
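The offline check the replies above describe, as an added example that is neither the thread's nor debsums' own code: it reimplements the core of what debsums does (compare each installed file against the md5sums dpkg recorded under /var/lib/dpkg/info at install time) as a plain shell function that takes a root directory argument, so it can be run from a known-clean machine against the suspect disk mounted at, say, /mnt/suspect, using the clean machine's md5sum and awk rather than any binary on the suspect disk. The function and its output format (MISSING / MISMATCH lines) are this example's own; the demo root it builds at the bottom is constructed, not real package data.

```shell
#!/bin/sh
# Added example: verify a mounted root's installed files against dpkg's
# recorded md5sums, using only tools on the (clean) machine running this.
set -eu

# check_mounted_root <root>
# Walks <root>/var/lib/dpkg/info/*.md5sums; each line is "<md5hex>  <path>"
# with the path relative to /.  Prints "MISSING <pkg> <path>" or
# "MISMATCH <pkg> <path>" for every problem.  Returns 0 when every recorded
# file verifies, 1 when problems were found, 2 when there is no dpkg database.
check_mounted_root() {
    root=${1%/}
    info="$root/var/lib/dpkg/info"
    [ -d "$info" ] || { echo "no dpkg database under ${1}" >&2; return 2; }
    problems=0
    for list in "$info"/*.md5sums; do
        [ -e "$list" ] || continue          # no packages at all
        pkg=$(basename "$list" .md5sums)
        # Redirection rather than a pipe keeps the loop in this shell, so
        # the problems counter survives the loop.
        while read -r sum path; do
            [ -n "$path" ] || continue
            file="$root/$path"
            if [ ! -f "$file" ]; then
                echo "MISSING $pkg /$path"
                problems=$((problems + 1))
                continue
            fi
            actual=$(md5sum "$file" | awk '{print $1}')
            if [ "$actual" != "$sum" ]; then
                echo "MISMATCH $pkg /$path"
                problems=$((problems + 1))
            fi
        done < "$list"
    done
    [ "$problems" -eq 0 ]
}

# build_demo_root: constructed fake root with one "package" owning two files,
# and an md5sums file in the same format dpkg writes.  Prints the directory.
build_demo_root() {
    d=$(mktemp -d)
    mkdir -p "$d/var/lib/dpkg/info" "$d/usr/bin"
    printf '#!/bin/sh\necho genuine\n' > "$d/usr/bin/fakeapt"
    printf 'helper data\n' > "$d/usr/bin/fakeapt-helper"
    ( cd "$d" && md5sum usr/bin/fakeapt usr/bin/fakeapt-helper ) \
        > "$d/var/lib/dpkg/info/fakeapt.md5sums"
    echo "$d"
}

# Offline demo: a clean constructed root verifies; a modified binary and a
# deleted file are then reported.
demo=$(build_demo_root)
check_mounted_root "$demo" && echo "constructed root: all recorded files verify"
printf 'echo modified\n' >> "$demo/usr/bin/fakeapt"
rm -f "$demo/usr/bin/fakeapt-helper"
check_mounted_root "$demo" || echo "constructed root: problems found (expected)"
rm -rf "$demo"
```

Two limits worth keeping in mind when reading its output. The .md5sums files sit on the same disk as the binaries, so an intruder with root could rewrite them along with the files; for real incident work, take the reference checksums from package files fetched fresh from a trusted mirror instead. And the recorded digests are MD5, as the question above notes: MD5's known break is collisions, where the attacker prepares both files in advance, while replacing an already-installed file so that it still matches a fixed, previously recorded MD5 would need a second-preimage attack, which is not known to be practical. Files dpkg does not record (conffiles, anything created after install) are simply not covered by either tool.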