Debian Security Advisory - DSA-3025-1 apt - security update

by
Anonymous Coward
in linux on (#2SK4)
Debian has announced a security advisory about its apt-get software, and recommends that you upgrade your apt packages ... with apt, of course.
"It was discovered that APT, the high level package manager, does not properly invalidate unauthenticated data (CVE-2014-0488), performs incorrect verification of 304 replies (CVE-2014-0487), does not perform the checksum check when the Acquire::GzipIndexes option is used (CVE-2014-0489) and does not properly perform validation for binary packages downloaded by the apt-get download command (CVE-2014-0490)."
This update comes to you courtesy of the IOERROR Twitter account.

Some glaring security holes? (Score: 1)

by zafiro17@pipedot.org on 2014-09-19 14:01 (#2SKX)

I don't code, so am unqualified to comment. But I'll do so anyway :) Seems like these are some pretty glaring security holes; I'm surprised they weren't caught before. Maybe apt works so well that developers don't feel a need to look further into it. Given the number of asshat crackers out there looking for ways to break into VPS boxes and - do what? I don't even know - cracking apt would seem like a clever point of entry.

My VPS registers hundreds and hundreds of brute-force hits every day. Even sshguard fails to stop them as they now bounce your server from multiple IPs simultaneously. Let's say they finally get my server - what would they do with it? Pump out Chinese stock tips and erectile dysfunction spam? Compile themselves a new kernel? What?

Meanwhile, I'm glad people look into this code and fix vulnerabilities like this. Given the number of Ubuntu and Debian servers out there serving webpages, it would seem like a weakness with the potential to do some serious harm.
Post Comment
Subject
Comment
Captcha
What is the 2nd number in the list thirty four, 8 and 23?