LinuxQuestions.org


hemlocktree 01-23-2019 02:10 PM

apt bug fixed
 
https://www.zdnet.com/article/nasty-...tag=RSSbaffb68

maybe useful for stefan and ylee, et al

the_waiter 01-24-2019 10:35 AM

OK, I will look later, thx

cordx 01-27-2019 04:45 AM

interesting read. thanks for the share.

i am by no means any kind of security expert, but thought this was an important paragraph:

He also pointed out that, "By default, Debian and Ubuntu both use plain http repositories out of the box." While there's heated debate over whether the more secure https actually improved apt security, Justicz knows his position: "I wouldn't have been able to exploit the Dockerfile at the top of this post if the default package servers had been using https."

especially in a day and age when https has come to be fairly universal.

rbtylee 01-27-2019 12:24 PM

Not been ignoring this, just busy. Always lots of security vulnerabilities ...

Anyways, for the record, this has been patched in our Ubuntu base:

Code:

apt (1.6.6ubuntu0.1) bionic-security; urgency=medium

  * SECURITY UPDATE: content injection in http method (CVE-2019-3462)
    (LP: #1812353)

 -- Julian Andres Klode <juliank@ubuntu.com>  Fri, 18 Jan 2019 11:39:50 +0100

It is up to you if you wish to disable redirects as the Debian security team recommends. peace
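
As an added example (not part of the post above, and not Bodhi's or Ubuntu's own tooling): a check of the installed apt against the fixed version in the changelog quoted above, with an upgrade path that disables HTTP redirects for that run. The function names are hypothetical, and the default fixed version is the bionic one from the changelog; other releases need their own value.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes a dpkg/apt-based system.
# FIXED defaults to the bionic-security version quoted in the changelog above;
# other releases have different fixed versions, so pass the right one for yours.
FIXED="${FIXED:-1.6.6ubuntu0.1}"

# Exit 0 if version $1 is at or above fixed version $2 (Debian version ordering).
apt_is_patched() {
    dpkg --compare-versions "$1" ge "$2"
}

# Print the installed apt package version, or nothing if it cannot be queried.
installed_apt_version() {
    dpkg-query -W -f='${Version}' apt 2>/dev/null
}

# Report patch status for this host: prints a line and returns 0 when patched.
check_apt() {
    v="$(installed_apt_version)"
    if [ -z "$v" ]; then
        echo "apt version unknown (dpkg-query failed)"; return 2
    fi
    if apt_is_patched "$v" "$FIXED"; then
        echo "apt $v >= $FIXED: patched"; return 0
    fi
    echo "apt $v < $FIXED: update needed for CVE-2019-3462"; return 1
}

# Upgrade apt itself with HTTP redirects disabled for this run only (needs root).
upgrade_without_redirects() {
    apt-get -o Acquire::http::AllowRedirect=false update &&
    apt-get -o Acquire::http::AllowRedirect=false install --only-upgrade apt
}

# Nothing runs unless asked: "check" reports, "fix" upgrades when needed.
case "${1:-}" in
    check) check_apt ;;
    fix)   check_apt || upgrade_without_redirects ;;
esac
```

Run it as `sh script.sh check`, or as root with `fix`. Mirrors or proxies that depend on redirects will fail while the option is set, so it is passed per command here rather than written to apt's configuration.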

