Story

I don't code, so am unqualified to comment. But I'll do so anyway :) Seems like these are some pretty glaring security holes; I'm surprised they weren't caught before. Maybe apt works so well that developers don't feel a need to look further into it. Given the number of asshat crackers out there looking for ways to break into VPS boxes and - do what? I don't even know - cracking apt would seem like a clever point of entry.

My VPS registers hundreds and hundreds of brute-force hits every day. Even sshguard fails to stop them as they now bounce your server from multiple IPs simultaneously. Let's say they finally get my server - what would they do with it? Pump out Chinese stock tips and erectile dysfunction spam? Compile themselves a new kernel? What?

Meanwhile, I'm glad people look into this code and fix vulnerabilities like this. Given the number of Ubuntu and Debian servers out there serving webpages, it would seem like a weakness with the potential to do some serious harm.