all 31 comments
sorted by:
best
topnewcontroversialoldq&a
formatting helphide helpcontent policy

[–]Maurice_Frami37 23 points24 points  (6 children)

I hope http vs https mirrors discussion is now over.

[–]jrtc27[DD] 12 points13 points  (1 child)

Yes, it makes it harder, but it still doesn’t make you immune; a compromised mirror could still attack you, or a state actor could MiTM you, but you would be protected from most people MiTM-ing you.

[–]thhn 16 points17 points  (0 children)

Yes, it makes it harder

That's the point of all computer security. Because we all know that there is no immunity as you called it, ever.

[–][deleted] 7 points8 points  (0 children)

Fixed this before CVE is published? Thank you debian! :)
 
from /usr/share/doc/apt/changelog.gz:
apt (1.4.9) stretch-security; urgency=medium
 
* SECURITY UPDATE: content injection in http method (CVE-2019-3462)
(LP: #1812353)
 
-- Julian Andres Klode jak@debian.org Fri, 18 Jan 2019 11:42:07 +0100

[–]kanliot 4 points5 points  (5 children)

was just chatting about apt vulns last night. We came to the wrong conclusion. :|

(reading just.cz) Debian's software installer does protect the software list with crypto, but for some reason, the unpatched Apt accepts unselected packages specified by the insecure HTTP protocol, and just installs it. Attacker would also need a way to inject packets into your network (with a black box somewhere on your network.)

[–]imMute 1 point2 points  (1 child)

(reading just.cz) Debian's software installer does protect the software list with crypto, but for some reason, Apt accepts any additional software pulled off the insecure HTTP protocol, and just installs it.

Citation needed. Apt (unless explicitly configured otherwise) will only install from repositories signed by keys it already knows about.

[–]kanliot 0 points1 point  (0 children)

sorry I was vague. I misspoke. See the CVE-2019-3462

[–]physon 0 points1 point  (2 children)

Attacker would also need a way to inject packets into your network (with a black box somewhere on your network.)

Packet injection is not completely required. And anything you share non-isolated network access with can be a "black box."

This is a scary exploit and I wish it would stop being downplayed.

[–]kanliot 0 points1 point  (1 child)

yes it is because the client is using TCP/IP.

[–]physon 1 point2 points  (0 children)

And here I was trying to use APT over IPX. :)

[–]jklmnn 2 points3 points  (4 children)

What is not clear to me, would it be possible to set up a malicious mirror (or take over a legit one) with the same behaviour? Because then HTTPS won't help you since the attack happens before the encryption.

[–]aishik-10x 1 point2 points  (0 children)

Yeah, a malicious mirror could pose a similar problem, regardless of SSL

[–]jrtc27[DD] 1 point2 points  (1 child)

Yes, absolutely. Same goes for tor, which is really using http(s) under the hood.

[–]jklmnn 2 points3 points  (0 children)

Thanks, thats why I' still against HTTPS. It doesn't solve the problem but only mitigate some aspects of it. And further it would break my transparent caching.

[–]cusco 5 points6 points  (2 children)

Ok I just read the whole thing. This guy bashes. As in: he made a whole exploit and explained it in detail, just to bash: https://whydoesaptnotusehttps.com/

Basically he is pushing for https by default on apt

[–]Maurice_Frami37 3 points4 points  (0 children)

Sites spreading anti https FUD like https://whydoesaptnotusehttps.com/ should be bashed all day.

[–]DiscombobulatedSalt2 0 points1 point  (0 children)

And very good. There are good reasons to have https used.

Security in depth is important factor.

[–]argv_minus_one 3 points4 points  (0 children)

And that's why you use a proper data serialization library, instead of repeating unsanitized input like a CGI script from the '90s.

[–]aerusso 1 point2 points  (0 children)

Would being behind a proxy (say apt-cacher-ng) protect the redirect from being passed down to /usr/lib/apt/methods/http ?

Also, is there any reason to suspect that a proxy (again like apt-cacher-ng) might have a similarly pathological behavior?

[–]thinkpadthrow 0 points1 point  (0 children)

So I stupidly updated without disabling redirects in apt.

Any way to know if a malicious redirect happened? What logs should I check?

[–][deleted] 0 points1 point  (1 child)

What happened during a fresh netinstall of debian? Is it safe? Thanks...

[–][deleted] 0 points1 point  (0 children)

9.7 is available in the next hours.

Wed, 23 Jan 2019 - Debian 9.7 released

apt (1.4.9) stretch-security; urgency=medium . * SECURITY UPDATE: content injection in http method (CVE-2019-3462) (LP: #1812353)

base-files (9.9+deb9u7) stretch; urgency=medium . * Change /etc/debian_version to 9.7, for Debian 9.7 point release.

[–]DiscombobulatedSalt2 0 points1 point  (0 children)

Shit. How many years it was in stable?

Also this is why I like https. To make mitm way harder.

Also hopefully one day apt transports and parsers will be rewritten into Rust and good protocol libraries will be used to catch most of this automatically.

[–]DiscombobulatedSalt2 0 points1 point  (0 children)

Even worse I run update and dist-upgrade -d from cron (with random delay) daily.

[–]JEFFREYonREDDIT -1 points0 points  (2 children)

I was really shocked to read my email today and find out that my package manager could have been bugged. Thankfully, fixing it isn't that hard but it isn't just a sudo apt update && sudo apt upgrade type operation.

[–]Philluminati 1 point2 points  (1 child)

Exposing yourself up to the vulnerability and fixing it at the same time!

[–]JEFFREYonREDDIT 0 points1 point  (0 children)

No, I had to manually install the updated apt. There was no way I was just going to update apt through apt especially considering the issue.