
Recently, a vulnerability has been found in apt that allows arbitrary code execution, see here.

Is it reasonable just to update the system? Or should we be worried that this has been used, and so probably reinstall?

Note that Debian suggests updating by doing

sudo apt update -o Acquire::http::AllowRedirect=false
sudo apt upgrade -o Acquire::http::AllowRedirect=false

Is it dangerous to update normally, doing (as I have already done, being unaware of the problem...)

sudo apt update
sudo apt upgrade

?

Ricky

2 Answers

Following the article that you have mentioned, it appears that the vulnerability lies in the HTTP redirect handling, where an attacker can insert malicious redirects on vulnerable APT versions to download malicious .deb packages and then install them to infect the system.

Further, the above suggestion to use AllowRedirect=false was just a precaution if you suspect a network man in the middle. Since you have already updated to the latest version, though using the normal way, I don't think that would cause any problems. However, it's always recommended to check the response message on what contents APT is going to install, to be sure.

Lastly, the guidelines from Ubuntu for upgrades outlined at https://wiki.ubuntu.com/Security/Upgrades don't mention any redirect flags to be used!

Cheers!

CyberDude
  • We write simple instructions because we don't want to cause our users to avoid installing updates out of fear. Many Ubuntu systems get updates via `unattended-upgrades` -- updates are installed before most users hear about issues. The remainder have site reliability engineering teams that manage update rollouts across their systems internally and already have processes in place to manage events like this. Thanks. – sarnold Jan 25 '19 at 04:28

This security vulnerability is now fixed (quickly) for Debian Jessie, Stretch, Buster and Sid. You can check the status of the package on the Debian security tracker. The security update will be applied through the security repository. Use the Acquire::http::AllowRedirect=false option to upgrade your apt version; then you can use apt as usual: apt update.

Debian mailing lists: apt security update and DSA-4371:

Specific upgrade instructions:

If upgrading using APT without redirect is not possible in your situation, you can manually download the files (using wget/curl) for your architecture using the URL provided below, verifying that the hashes match. Then you can install them using dpkg -i.

GAD3R
  • My point was that I upgraded without Acquire::http::AllowRedirect=false, but I guess this is probably OK. – Ricky Jan 23 '19 at 16:47
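As an added example (not part of GAD3R's answer, Debian's instructions, or the DSA itself), here is a small POSIX shell helper for the manual route described above: it computes the SHA256 of a downloaded .deb, compares it with the hash published in the advisory, and only then hands the file to dpkg -i. The URL, file name and hash in the usage comment are placeholders, not values from DSA-4371; the fetch uses curl without -L so that, like the AllowRedirect=false option, no HTTP redirect is followed.

```shell
#!/bin/sh
# Added example, not code from the original thread or from Debian.
# Verify a manually downloaded .deb against the SHA256 from the advisory
# before installing it with dpkg -i.

set -u

# sha256_of FILE -> prints the hex SHA256 digest of FILE.
# Uses sha256sum (coreutils) and falls back to shasum where it is absent.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# check_sha256 FILE EXPECTED_HEX -> exit status 0 only if the digests match.
check_sha256() {
    file=$1
    expected=$2
    actual=$(sha256_of "$file")
    [ "$actual" = "$expected" ]
}

# install_verified_deb FILE EXPECTED_HEX -> runs dpkg -i only after the hash
# check passes; refuses (exit 1) on a mismatch, so a substituted package
# delivered by a man in the middle is never installed.
install_verified_deb() {
    if check_sha256 "$1" "$2"; then
        dpkg -i "$1"
    else
        echo "SHA256 mismatch for $1, refusing to install" >&2
        return 1
    fi
}

# Usage (placeholders: take the real URL and hash from the advisory text).
# curl without -L does not follow redirects, which is the point here.
#   curl -fsS -o apt_fixed.deb "https://deb.debian.org/<path-from-advisory>/apt_<version>_amd64.deb"
#   install_verified_deb apt_fixed.deb "<sha256 listed in DSA-4371>"
```

The hash comparison is the step that actually matters: dpkg -i itself performs no signature or hash check on a local file, so whatever you feed it is installed as root.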