APT's HTTP transport does not sanitize the fields of an HTTP redirect, so an attacker positioned between APT and a mirror (a man-in-the-middle) can inject content into the HTTP connection that APT then treats as if it came from the mirror. Because this happens inside the download step, it can bypass the signature checks that normally protect package installation and potentially leads to remote code execution on the target machine. You can find more information in the official announcement.
You can mitigate the issue immediately by disabling HTTP redirects, or fix it by upgrading the system's APT package to a version that contains the fix:
- Upgrade the package
sudo apt-get -o Acquire::http::AllowRedirect=false install apt -y
The `-o Acquire::http::AllowRedirect=false` option is passed to the upgrade itself so that the download of the fixed package cannot be hijacked through the very redirect handling being fixed. If your package lists are stale, run `apt-get update` with the same option first so the fixed version is visible to `install`.
The fixed versions are:
- Debian 8.x: 1.0.9.8.5 and later
- Debian 9.x: 1.4.9 and later
- Ubuntu 14.04: 1.0.1ubuntu2.19 and later
- Ubuntu 16.04: 1.2.29ubuntu0.1 and later
To check the current version of your APT package, please run this command:
apt --version
- Disable redirects
If you cannot upgrade APT right now, pass the following option on every apt command you run. It applies only to that invocation and is not remembered between runs:
-o Acquire::http::AllowRedirect=false
With redirects disabled, APT refuses to follow any HTTP redirect, so a mirror that answers with a redirect (for example to hand clients off to another host) will make the download fail. If that happens, point your sources at a mirror that serves files directly until you can upgrade.
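The following script ties the three steps above together: it reads the distribution from `/etc/os-release`, compares the installed APT version against the fixed versions listed in this advisory, and, only when asked to, performs the upgrade with redirects disabled. It is an added example written for this page, not a script shipped by the project or the distributions. It assumes `/etc/os-release` provides `ID` and `VERSION_ID`, that the first line of `apt --version` has the form `apt <version> ...`, and that `dpkg` is available for version comparison (a `sort -V` fallback is used otherwise). The drop-in file name `/etc/apt/apt.conf.d/99-no-redirect` is an arbitrary choice.

```shell
#!/bin/sh
# Added example for this advisory (not vendor code): check whether the installed
# APT is at or above the fixed version for this distribution and, on request,
# apply the fix with HTTP redirects disabled.

# Minimum fixed versions exactly as listed in the advisory.
fixed_version_for() {
    case "$1" in
        debian-8)      echo "1.0.9.8.5" ;;
        debian-9)      echo "1.4.9" ;;
        ubuntu-14.04)  echo "1.0.1ubuntu2.19" ;;
        ubuntu-16.04)  echo "1.2.29ubuntu0.1" ;;
        *)             return 1 ;;   # distribution not covered by the advisory
    esac
}

# distro_key [os-release file] -> "<ID>-<VERSION_ID>", e.g. "ubuntu-16.04".
# Assumption: the file is in the standard os-release key=value format.
distro_key() {
    f="${1:-/etc/os-release}"
    # Source in a subshell so ID/VERSION_ID do not leak into our environment.
    ( . "$f" && printf '%s-%s\n' "$ID" "$VERSION_ID" )
}

# parse_apt_version "<first line of apt --version>" -> bare version string.
# Works for both "apt 1.4.9 (amd64)" and the older "apt 1.0.1ubuntu2.19 for amd64 ...".
parse_apt_version() {
    printf '%s\n' "$1" | awk '{print $2}'
}

# version_ge A B: succeeds if A >= B. Uses dpkg's real Debian version ordering
# when available; the sort -V fallback handles the versions above but does not
# understand epochs or the "~" pre-release marker.
version_ge() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --compare-versions "$1" ge "$2"
    else
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
    fi
}

# apt_is_fixed <distro key> <installed version>:
#   0 = fixed, 1 = vulnerable, 2 = distribution not covered by the advisory.
apt_is_fixed() {
    need="$(fixed_version_for "$1")" || return 2
    version_ge "$2" "$need"
}

# Fetch the fix with redirects disabled so the upgrade itself cannot be
# redirected by an on-path attacker. The update step is added here so that a
# stale package list does not hide the fixed version from "install".
remediate() {
    sudo apt-get -o Acquire::http::AllowRedirect=false update
    sudo apt-get -o Acquire::http::AllowRedirect=false install apt -y
}

# Stop-gap if the upgrade is not possible yet: make the option persistent via
# an apt.conf.d drop-in (APT reads every file in that directory; the file name
# is an arbitrary choice). Caveat: mirrors that answer with redirects will fail.
disable_redirects_persistently() {
    printf 'Acquire::http::AllowRedirect "false";\n' \
        | sudo tee /etc/apt/apt.conf.d/99-no-redirect >/dev/null
}

main() {
    key="$(distro_key)" || { echo "cannot read /etc/os-release" >&2; return 2; }
    cur="$(parse_apt_version "$(apt --version 2>/dev/null | head -n 1)")"
    rc=0; apt_is_fixed "$key" "$cur" || rc=$?
    case "$rc" in
        0) echo "$key: apt $cur is at or above the fixed version" ;;
        1) echo "$key: apt $cur is VULNERABLE; fixed in $(fixed_version_for "$key")"
           [ "${1:-}" = "--fix" ] && remediate ;;
        2) echo "$key: not covered by this advisory; check your vendor's notice" ;;
    esac
    return "$rc"
}

# Only act when invoked explicitly, so sourcing this file for its functions
# has no side effects.
case "${1:-}" in
    --check|--fix) main "$1" ;;
esac
```

Run it as `sh apt-redirect-check.sh --check` to get an exit status of 0 (fixed), 1 (vulnerable) or 2 (unknown distribution), which makes it usable from a fleet-wide inventory job; `--fix` additionally runs the upgrade. The version comparison deliberately goes through `dpkg --compare-versions` rather than string comparison, because Debian version strings such as `1.0.1ubuntu2.19` do not sort correctly as plain text.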
If you have additional questions about this security issue, post them in our community forum, and we will be happy to help you.