BigGrizzly

Groumpf

  • Remote Code Execution in apt/apt-get
    https://justi.cz/security/2019/01/22/apt-rce.html

    tl;dr I found a vulnerability in apt that allows a network man-in-the-middle (or a malicious package mirror) to execute arbitrary code as root on a machine installing any package. The bug has been fixed in the latest versions of apt. If you’re worried about being exploited during the update process, you can protect yourself by disabling HTTP redirects while you update. To do that, run:

    $ sudo apt update -o Acquire::http::AllowRedirect=false
    $ sudo apt upgrade -o Acquire::http::AllowRedirect=false

    If your current package mirrors redirect by default (meaning you can’t update apt when using that flag) you’ll need to pick different mirrors or download the package directly. Specific instructions for upgrading on Debian can be found here. Ubuntu’s announcement can be found here.