Hello! I just received an update for the package "apt" on Devuan 1 (Jessie).
Start-Date: 2019-01-23 15:02:58
Commandline: apt-get upgrade
Upgrade: apt:i386 (1.0.9.8.4, 1.0.9.8.5), libudev1:i386 (215-17+deb8u8, 215-17+deb8u9), udev:i386 (215-17+deb8u8, 215-17+deb8u9), libapt-pkg4.12:i386 (1.0.9.8.4, 1.0.9.8.5), apt-utils:i386 (1.0.9.8.4, 1.0.9.8.5), libapt-inst1.5:i386 (1.0.9.8.4, 1.0.9.8.5), libjpeg62-turbo:i386 (1.3.1-12, 1.3.1-12+deb8u1)
End-Date: 2019-01-23 15:03:20
I usually look at DSA for specific packages to read more about the update.
For this APT update, I noticed that an intervention is required:
Since the vulnerability is present in the package manager itself, it is recommended to disable redirects in order to prevent exploitation during this upgrade only, using:
apt -o Acquire::http::AllowRedirect=false update
apt -o Acquire::http::AllowRedirect=false upgrade
I mean, does it apply to us Devuan users as well?
I ask this question because those commands are accompanied by a notice (located inside the above DSA link).
So far, I have not taken any action except updating APT.
Any advice/info would clarify this security advisory a bit more.
Thank you for your attention.
BR,
Nili
Last edited by Nili (2019-01-23 14:46:35)
Tumbleweed - KDE Plasma (Wayland) - Breeze (LeafDark) [Qt]
♪Mahara★Japaaan!
Hello golinux, thanks for pointing the link out. I read it carefully, but I'm a bit unclear.
Please let me start by explaining my information a bit.
I'm on Devuan 1 (jessie) 32-bit.
Current apt status:
#! nili ~ $ apt-cache policy apt
apt:
  Installed: 1.0.9.8.5
  Candidate: 1.0.9.8.5
  Version table:
 *** 1.0.9.8.5 0
        500 http://deb.devuan.org/merged/ jessie-security/main i386 Packages
        100 /var/lib/dpkg/status
     1.0.9.8.4 0
        500 http://deb.devuan.org/merged/ jessie/main i386 Packages
According to CVE-2019-3462, "jessie-security" is noted as having been patched/fixed:
Source Package   Release             Version     Status
apt (PTS)        jessie (security)   1.0.9.8.5   fixed
My sources.list:
deb http://deb.devuan.org/merged jessie main contrib non-free
deb http://deb.devuan.org/merged jessie-updates main contrib non-free
deb http://deb.devuan.org/merged jessie-security main contrib non-free
deb http://deb.devuan.org/merged jessie-backports main contrib non-free
It is said by KatolaZ:
The safest way would actually be to manually download the deb packages of apt from the debian-security pool (more information available below), or to use pkgmaster.devuan.org in your sources.list to do the upgrade (pkgmaster.devuan.org is not a rough mirror...).
^This is the part I'm confused about.
I've successfully upgraded APT to version 1.0.9.8.5 via "deb http://deb.devuan.org/merged jessie-security".
Is it necessary for me to switch hosts to "pkgmaster.devuan.org" or make other manual interventions?
Forgive me for my lack of understanding on this part.
BR,
Nili
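As an added example (not part of this thread), here is a small Python check for the question Nili is asking: it parses `apt-cache policy apt` output like the listing above and decides whether the installed apt is at or above the fixed 1.0.9.8.5. Debian's version ordering (epoch, upstream, revision, with `~` sorting first) is reimplemented here so the check runs without dpkg; the sample policy output is constructed from the listing in the post.

```python
import re
FIXED_APT = "1.0.9.8.5"  # fixed jessie-security version quoted in this thread
# Constructed sample, copied from the apt-cache policy listing posted above.
SAMPLE_POLICY = """apt:
  Installed: 1.0.9.8.5
  Candidate: 1.0.9.8.5
  Version table:
 *** 1.0.9.8.5 0
        500 http://deb.devuan.org/merged/ jessie-security/main i386 Packages
     1.0.9.8.4 0
        500 http://deb.devuan.org/merged/ jessie/main i386 Packages
"""

def _order(c):
    # dpkg character ordering: '~' < end-of-string < letters < other symbols
    if c == "~":
        return -1
    return 0 if c == "" else (ord(c) if c.isalpha() else ord(c) + 256)

def _cmp_fragment(a, b):
    # Reimplementation of dpkg's verrevcmp(): alternate non-digit / digit runs
    while a or b:
        na, nb = re.match(r"[^0-9]*", a).group(), re.match(r"[^0-9]*", b).group()
        for i in range(max(len(na), len(nb))):
            oa = _order(na[i] if i < len(na) else "")
            ob = _order(nb[i] if i < len(nb) else "")
            if oa != ob:
                return -1 if oa < ob else 1
        a, b = a[len(na):], b[len(nb):]
        da, db = re.match(r"[0-9]*", a).group(), re.match(r"[0-9]*", b).group()
        if int(da or 0) != int(db or 0):
            return -1 if int(da or 0) < int(db or 0) else 1
        a, b = a[len(da):], b[len(db):]
    return 0

def compare_versions(v1, v2):
    """Return -1/0/1 like `dpkg --compare-versions` for [epoch:]upstream[-revision]."""
    def split(v):
        epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
        upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
        return int(epoch), upstream, revision
    (e1, u1, r1), (e2, u2, r2) = split(v1), split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)

def installed_version(policy_output):
    m = re.search(r"^\s*Installed:\s*(\S+)", policy_output, re.M)
    return None if not m or m.group(1) == "(none)" else m.group(1)

def is_patched(policy_output, fixed=FIXED_APT):
    v = installed_version(policy_output)
    return v is not None and compare_versions(v, fixed) >= 0
```

On a real box, feed it `subprocess.check_output(["apt-cache", "policy", "apt"], text=True)` instead of the constructed sample.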
Yes, it was confusing and I chewed on it for quite some time myself. I think he recommended pkgmaster because it is the source for all the other pkg mirrors and would eliminate exposure to the many mirrors in the round robin.
OK, I switched my sources.list from deb.devuan.org to pkgmaster.devuan.org, did an apt-get update, and took all the possible updates. So, I'll keep my eyes open on the APT matter going forward.
golinux, thank you for your clarification / suggestions.
BR,
Nili
Last edited by Nili (2019-01-24 07:35:42)
If indeed that "clarification" is a correct conclusion. LOLOL!! In any case we both updated and seem to have survived so onward . . .
Hello,
Please, is it secure to use this /etc/apt/sources.list?
deb http://pkgmaster.devuan.org/merged/ ascii main contrib non-free
deb http://pkgmaster.devuan.org/merged/ ascii-updates main contrib non-free
deb http://pkgmaster.devuan.org/merged/ ascii-security main contrib non-free
deb http://pkgmaster.devuan.org/merged/ ascii-backports main contrib non-free
deb http://packages.devuan.org/merged/ ascii main
deb-src http://packages.devuan.org/merged/ ascii main
Being referred to lists.dyne was a kind of clarity for me.
I was looking for a reliable Devuan source. I think so too; upgrading APT somehow relaxed my mind.
BR,
Nili
I know this topic is now about a month old, but after looking back at Debian-related news, I found out about this, and while it might not be too bad that my laptop had this problem when it got updated on the 25th of January without my knowing of this bug, this hole is very dangerous now for the Devuan install .isos. Is there any way that in a Devuan release we'll actually have point releases like Debian, like maybe a Devuan 2.1.0 .iso?
Oh, and BTW, it wasn't like I randomly came here after hearing of that. I just felt like testing Devuan in a VM again, and then I wondered about that APT vulnerability when installing Devuan.
I had exactly the same question/concern as RoundDuckMan. Fresh isos that use the fixed apt version would be really great.
More devs on deck to build them would be great too.