Wednesday, January 23, 2019

APT security update - CVE-2019-3462

A new security vulnerability was discovered in the Advanced Package Tool, or APT, the high-level package manager for Debian, Ubuntu, and related Linux distributions.

The tool does not sanitize fields in HTTP redirects, so an attacker positioned between APT and a mirror (a man-in-the-middle) could inject malicious content into the HTTP connection and have APT accept it. You can find more information in the official announcement.

To address the issue, either upgrade the system's apt package to a version that contains the fix or, as an interim measure, disable HTTP redirects:

  • Upgrade the package

Run the following commands to install the latest version of the package (redirects are disabled for the upgrade itself, so the fix cannot be tampered with while it is being downloaded):

    sudo apt-get -o Acquire::http::AllowRedirect=false update
    sudo apt-get -o Acquire::http::AllowRedirect=false install apt -y

The fixed versions are:
  • Debian 8.x: Version 1.0.9.8.5 and later versions
  • Debian 9.x: Version 1.4.9 and later versions
  • Ubuntu 14.04: Version 1.0.1ubuntu2.19 and later versions
  • Ubuntu 16.04: Version 1.2.29ubuntu0.1 and later versions

To check the current version of your APT package, please run this command:

    apt --version

  • Disable redirects

If you cannot upgrade the APT package right away, add the following option to every apt command you run:

    -o Acquire::http::AllowRedirect=false
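The version check above is easy to get wrong by eye, so here is a small POSIX shell script, added as an example and not part of the original advisory, that compares the installed apt version against the fixed versions listed for each release. It assumes the host has /etc/os-release and uses dpkg's own version comparison where available, falling back to `sort -V` elsewhere; the `apt_is_fixed` helper can also be called directly with a release name and version string.

```shell
#!/bin/sh
# Added example: is the installed apt at or above the CVE-2019-3462 fix?
# Not part of the original advisory; release names are of the form
# "<ID>-<VERSION_ID>" as found in /etc/os-release.

# Fixed versions quoted in the advisory, keyed by distribution release.
fixed_version_for() {
    case "$1" in
        debian-8)     echo "1.0.9.8.5" ;;
        debian-9)     echo "1.4.9" ;;
        ubuntu-14.04) echo "1.0.1ubuntu2.19" ;;
        ubuntu-16.04) echo "1.2.29ubuntu0.1" ;;
        *)            return 1 ;;   # release not covered by the advisory
    esac
}

# version_ge A B: succeed when Debian version A is >= B.
# dpkg implements the real Debian ordering; sort -V is a fallback that
# agrees with it for the plain dotted/"ubuntu" versions used here.
version_ge() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --compare-versions "$1" ge "$2"
    else
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$2" ]
    fi
}

# apt_is_fixed RELEASE INSTALLED_VERSION
# Prints "fixed", "vulnerable" or "unknown"; exit status 0, 1 or 2.
apt_is_fixed() {
    fixed=$(fixed_version_for "$1") || { echo unknown; return 2; }
    if version_ge "$2" "$fixed"; then
        echo fixed; return 0
    fi
    echo vulnerable; return 1
}

# Read the release from /etc/os-release and the version from
# `apt --version`, whose first line looks like "apt 1.4.9 (amd64)".
check_this_host() {
    . /etc/os-release 2>/dev/null || { echo unknown; return 2; }
    installed=$(apt --version 2>/dev/null | awk 'NR==1 {print $2}')
    apt_is_fixed "${ID}-${VERSION_ID}" "$installed"
}
```

Run `check_this_host` on a Debian or Ubuntu machine; a non-zero exit status means the package is still vulnerable or the release is not one listed above.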

If you have additional questions about this security issue, post them in our community forum, and we will be happy to help you.