Oh, and BTW, it wasn't like I randomly came here after hearing of that. I just felt like testing Devuan in a VM again, and then I wondered about that APT vulnerability when installing Devuan.

If indeed that "clarification" is a correct conclusion.   LOLOL!!  In any case we both updated and seem to have survived so onward . . .

Addressing to lists.dyne was a kind of clarity for me.
Because I was looking for a Devuan reliable source. I think so too, upgrading APT somehow relaxed my mind

BR,
Nili

Please is it secure to use this /etc/apt/sources.list ?

deb http://pkgmaster.devuan.org/merged/ ascii main contrib non-free 
deb http://pkgmaster.devuan.org/merged/ ascii-updates main contrib non-free 
deb http://pkgmaster.devuan.org/merged/ ascii-security main contrib non-free 
deb http://pkgmaster.devuan.org/merged/ ascii-backports main contrib non-free 

deb http://packages.devuan.org/merged/ ascii main 
deb-src http://packages.devuan.org/merged/ ascii main 

golinux, thank you for your clarification / suggestions.

If indeed that "clarification" is a correct conclusion.   LOLOL!!  In any case we both updated and seem to have survived so onward . . .

Yes, it was confusing and I chewed on it for quite some time myself.  I think he recommended pkgmaster because it is the source for all the other pkg mirrors would eliminate exposure to the many mirrors in the round robin.

OK, i switched my sources.list from deb.devuan.org to pkgmaster.devuan.org i did an apt-get update, I've taken all the possible updates. So, i'll keep eyes open in the APT matter on following.

golinux, thank you for your clarification / suggestions.

BR,
Nili

it is said from KatolaZ

The safest way would actually be to manually download the deb packages of apt from the debian-security pool (more information available below), or to use pkgmaster.devuan.org in your sources.list to do the upgrade (pkgmaster.devuan.org is not a rough mirror...).

^This part is that I'm confused.

I've done APT successfully upgraded to version 1.0.9.8.5 2 via "deb http://deb.devuan.org/merged jessie-security"
Is it necessary for me to switch hosts to "pkgmaster.devuan.org" or make other manual interventions?

Forgive me for my lack of understanding on this part.

BR,
Nili

Yes, it was confusing and I chewed on it for quite some time myself.  I think he recommended pkgmaster because it is the source for all the other pkg mirrors would eliminate exposure to the many mirrors in the round robin.

I'm on Devuan 1 (jessie) 32bit

Current apt status:

#! nili ~ $ apt-cache policy apt
apt:
  Installed: 1.0.9.8.5
  Candidate: 1.0.9.8.5
  Version table:
 *** 1.0.9.8.5 0
        500 http://deb.devuan.org/merged/ jessie-security/main i386 Packages
        100 /var/lib/dpkg/status
     1.0.9.8.4 0
        500 http://deb.devuan.org/merged/ jessie/main i386 Packages

according to CVE-2019-3462 is noted for "jessie-security" have been patched/fixed

Source Package    Release              Version      Status
apt (PTS)         jessie (security)    1.0.9.8.5    fixed

My sources.list:

deb http://deb.devuan.org/merged jessie main contrib non-free

deb http://deb.devuan.org/merged jessie-updates main contrib non-free

deb http://deb.devuan.org/merged jessie-security main contrib non-free

deb http://deb.devuan.org/merged jessie-backports main contrib non-free

it is said from KatolaZ

^This part is that I'm confused.

I've done APT successfully upgraded to version 1.0.9.8.5 2 via "deb http://deb.devuan.org/merged jessie-security"
Is it necessary for me to switch hosts to "pkgmaster.devuan.org" or make other manual interventions?

Forgive me for my lack of understanding on this part.

BR,
Nili

Start-Date: 2019-01-23  15:02:58
Commandline: apt-get upgrade
Upgrade: apt:i386 (1.0.9.8.4, 1.0.9.8.5), libudev1:i386 (215-17+deb8u8, 215-17+deb8u9), udev:i386 (215-17+deb8u8, 215-17+deb8u9), libapt-pkg4.12:i386 (1.0.9.8.4, 1.0.9.8.5), apt-utils:i386 (1.0.9.8.4, 1.0.9.8.5), libapt-inst1.5:i386 (1.0.9.8.4, 1.0.9.8.5), libjpeg62-turbo:i386 (1.3.1-12, 1.3.1-12+deb8u1)
End-Date: 2019-01-23  15:03:20

I usually look at DSA for specific packages to read more about the update.
For this APT update, Noticed that an intervention is required:

apt -o Acquire::http::AllowRedirect=false update
apt -o Acquire::http::AllowRedirect=false upgrade

I mean, Does it apply to us Devuan users as well?

I ask this question because doing those commands is associated by a notice, (located inside the above DSA link).

So far, I have not done any action except updating APT.
Any advice/info would clarify a bit more about this security advisory.

Thank you for your attention.
BR,
Nili