Critical flaw in APT / APT-GET

A vulnerability was disclosed today that allows remote installation and control of packages. The flaw lies in package verification: it affects repositories that rely only on HTTPS for secure communication, without signature-based verification of the packages themselves.

This vulnerability, discovered by Max Justicz and tracked as CVE-2019-3462, resides in the widely used APT package manager, which handles installing, upgrading and removing software on Debian, Ubuntu and other Linux distributions, including our beloved Deepin.

According to Justicz, who described it on his blog, vulnerable versions of APT do not properly sanitize certain parameters when an HTTP redirect occurs, allowing a man-in-the-middle attacker to inject malicious content and get additional packages installed.

Although Justicz has not tested it, he believes the vulnerability affects all package downloads, whether you are installing a package for the first time or upgrading an existing one.

The recommendation for Linux repository administrators is that, to protect the integrity of packages, signature-based verification is essential, because developers have no control over the mirror servers; at the same time, deploying HTTPS could prevent active exploitation once vulnerabilities like this are disclosed.
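Both recommendations above (signature verification and HTTPS transport) can be checked against a host's configured APT sources. The following is an added example, not code from the original post: it parses one-line `sources.list` entries (a constructed sample is embedded) and flags entries that use plain `http://` or carry the `[trusted=yes]` option, which disables APT's signature checks for that source.

```python
import re

# Constructed sample sources.list content (not from the post): a plain-http mirror,
# an https mirror, a source with signature checking disabled, and a commented line.
SAMPLE_SOURCES = """\
deb http://deb.debian.org/debian stretch main
deb https://mirror.example.org/debian stretch-updates main
deb [trusted=yes] http://internal.example.org/debian local main
# deb-src http://deb.debian.org/debian stretch main
"""

# One-line format: "deb|deb-src [opt=val ...] URI SUITE [COMPONENTS...]"
LINE_RE = re.compile(
    r"^(?P<type>deb|deb-src)\s+(\[(?P<opts>[^\]]*)\]\s+)?(?P<uri>\S+)\s+(?P<suite>\S+)(?P<comps>.*)$"
)


def parse_sources(text):
    """Parse one-line-style sources.list entries into dicts; blank and comment lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line; APT itself would reject it
        opts = {}
        for opt in (m.group("opts") or "").split():
            key, _, value = opt.partition("=")
            opts[key] = value
        entries.append({"type": m.group("type"), "uri": m.group("uri"),
                        "suite": m.group("suite"), "options": opts})
    return entries


def audit_sources(text):
    """Return (uri, reason) findings for entries that weaken either recommendation."""
    findings = []
    for entry in parse_sources(text):
        scheme = entry["uri"].split("://", 1)[0].lower()
        if scheme == "http":
            findings.append((entry["uri"], "plain HTTP: redirects and content can be altered in transit"))
        if entry["options"].get("trusted", "").lower() == "yes":
            findings.append((entry["uri"], "[trusted=yes]: signature verification disabled for this source"))
    return findings


if __name__ == "__main__":
    for uri, reason in audit_sources(SAMPLE_SOURCES):
        print(f"{uri}: {reason}")
```

On a real host, feed it the concatenated contents of `/etc/apt/sources.list` and `/etc/apt/sources.list.d/*.list`; updating APT itself remains the actual fix.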

The recommendation for all users is to update their systems, as the Debian maintainers acted quickly to fix it.

What do you think about it?


G4SP3R: Good info, thanks