DSA-4371-1 apt -- security update

Nili · 2019-01-23 14:45:17

Hello! I just received an update for package "apt" on Devuan 1 (Jessie)

Start-Date: 2019-01-23  15:02:58
Commandline: apt-get upgrade
Upgrade: apt:i386 (1.0.9.8.4, 1.0.9.8.5), libudev1:i386 (215-17+deb8u8, 215-17+deb8u9), udev:i386 (215-17+deb8u8, 215-17+deb8u9), libapt-pkg4.12:i386 (1.0.9.8.4, 1.0.9.8.5), apt-utils:i386 (1.0.9.8.4, 1.0.9.8.5), libapt-inst1.5:i386 (1.0.9.8.4, 1.0.9.8.5), libjpeg62-turbo:i386 (1.3.1-12, 1.3.1-12+deb8u1)
End-Date: 2019-01-23  15:03:20

I usually look at DSA for specific packages to read more about the update.
For this APT update, Noticed that an intervention is required:

Since the vulnerability is present in the package manager itself, it is recommended to disable redirects in order to prevent exploitation during this upgrade only, using:

apt -o Acquire::http::AllowRedirect=false update
apt -o Acquire::http::AllowRedirect=false upgrade

I mean, Does it apply to us Devuan users as well?

I ask this question because doing those commands is associated by a notice, (located inside the above DSA link).

So far, I have not done any action except updating APT.
Any advice/info would clarify a bit more about this security advisory.

Thank you for your attention.
BR,
Nili

Last edited by Nili (2019-01-23 14:46:35)

golinux · 2019-01-23 15:03:55

You can find KatolaZ' recommendations HERE

Nili · 2019-01-24 06:38:32

Hello golinux, thanks for pointing the link out. I read it carefully, but I'm a bit unclear.
Please let me start by explaining my information a bit.

I'm on Devuan 1 (jessie) 32bit

Current apt status:

#! nili ~ $ apt-cache policy apt
apt:
  Installed: 1.0.9.8.5
  Candidate: 1.0.9.8.5
  Version table:
 *** 1.0.9.8.5 0
        500 http://deb.devuan.org/merged/ jessie-security/main i386 Packages
        100 /var/lib/dpkg/status
     1.0.9.8.4 0
        500 http://deb.devuan.org/merged/ jessie/main i386 Packages

according to CVE-2019-3462 is noted for "jessie-security" have been patched/fixed

Source Package Release Version Status
apt (PTS) jessie (security) 1.0.9.8.5 fixed

My sources.list:

deb http://deb.devuan.org/merged jessie main contrib non-free

deb http://deb.devuan.org/merged jessie-updates main contrib non-free

deb http://deb.devuan.org/merged jessie-security main contrib non-free

deb http://deb.devuan.org/merged jessie-backports main contrib non-free

it is said from KatolaZ

The safest way would actually be to manually download the deb packages of apt from the debian-security pool (more information available below), or to use pkgmaster.devuan.org in your sources.list to do the upgrade (pkgmaster.devuan.org is not a rough mirror...).

^This part is that I'm confused.

I've done APT successfully upgraded to version 1.0.9.8.5 2 via "deb http://deb.devuan.org/merged jessie-security"
Is it necessary for me to switch hosts to "pkgmaster.devuan.org" or make other manual interventions?

Forgive me for my lack of understanding on this part.

BR,
Nili

golinux · 2019-01-24 07:04:10

Nili wrote:

it is said from KatolaZ
The safest way would actually be to manually download the deb packages of apt from the debian-security pool (more information available below), or to use pkgmaster.devuan.org in your sources.list to do the upgrade (pkgmaster.devuan.org is not a rough mirror...).
^This part is that I'm confused.
I've done APT successfully upgraded to version 1.0.9.8.5 2 via "deb http://deb.devuan.org/merged jessie-security"
Is it necessary for me to switch hosts to "pkgmaster.devuan.org" or make other manual interventions?
Forgive me for my lack of understanding on this part.
BR,
Nili

Yes, it was confusing and I chewed on it for quite some time myself. I think he recommended pkgmaster because it is the source for all the other pkg mirrors would eliminate exposure to the many mirrors in the round robin.

Nili · 2019-01-24 07:34:54

golinux wrote:

Yes, it was confusing and I chewed on it for quite some time myself. I think he recommended pkgmaster because it is the source for all the other pkg mirrors would eliminate exposure to the many mirrors in the round robin.

OK, i switched my sources.list from deb.devuan.org to pkgmaster.devuan.org i did an apt-get update, I've taken all the possible updates. So, i'll keep eyes open in the APT matter on following.

golinux, thank you for your clarification / suggestions.

BR,
Nili

Last edited by Nili (2019-01-24 07:35:42)

golinux · 2019-01-24 15:48:33

Nili wrote:

golinux, thank you for your clarification / suggestions.

If indeed that "clarification" is a correct conclusion. LOLOL!! In any case we both updated and seem to have survived so onward . . .

boycottsystemd · 2019-01-25 07:06:13

Hello,

Please is it secure to use this /etc/apt/sources.list ?

deb http://pkgmaster.devuan.org/merged/ ascii main contrib non-free 
deb http://pkgmaster.devuan.org/merged/ ascii-updates main contrib non-free 
deb http://pkgmaster.devuan.org/merged/ ascii-security main contrib non-free 
deb http://pkgmaster.devuan.org/merged/ ascii-backports main contrib non-free 

deb http://packages.devuan.org/merged/ ascii main 
deb-src http://packages.devuan.org/merged/ ascii main

Nili · 2019-01-25 10:22:01

golinux wrote:

If indeed that "clarification" is a correct conclusion. LOLOL!! In any case we both updated and seem to have survived so onward . . .

Addressing to lists.dyne was a kind of clarity for me.
Because I was looking for a Devuan reliable source. I think so too, upgrading APT somehow relaxed my mind

BR,
Nili

RoundDuckMan · 2019-02-19 08:20:31

I know this topic is now about a month old, but after looking back for Debian-related news, I found out about this, and while it might not be too bad for my laptop to have this problem when it got updated, not knowing of this bug, on the 25th of January, this hole is very dangerous now for the Devuan install .isos. Is there any way that in a Devuan release we'll actually have point releases like Debian, like maybe a Devuan 2.1.0 .iso?

Oh, and BTW, it wasn't like I randomly came here after hearing of that. I just felt like testing Devuan in a VM again, and then I wondered about that APT vulnerability when installing Devuan.

kuleszdl · 2019-03-06 00:27:24

I had exactly the same question/concern as RoundDuckMan. Fresh isos that use the fixed apt version would be really great.

golinux · 2019-03-06 00:32:06

More devs on deck to build them would be great too.

The officially official Devuan Forum!

#1 2019-01-23 14:45:17

DSA-4371-1 apt -- security update

#2 2019-01-23 15:03:55

Re: DSA-4371-1 apt -- security update

#3 2019-01-24 06:38:32

Re: DSA-4371-1 apt -- security update

#4 2019-01-24 07:04:10

Re: DSA-4371-1 apt -- security update

#5 2019-01-24 07:34:54

Re: DSA-4371-1 apt -- security update

#6 2019-01-24 15:48:33

Re: DSA-4371-1 apt -- security update

#7 2019-01-25 07:06:13

Re: DSA-4371-1 apt -- security update

#8 2019-01-25 10:22:01

Re: DSA-4371-1 apt -- security update

#9 2019-02-19 08:20:31

Re: DSA-4371-1 apt -- security update

#10 2019-03-06 00:27:24

Re: DSA-4371-1 apt -- security update

#11 2019-03-06 00:32:06

Re: DSA-4371-1 apt -- security update

Board footer