HTTP redirect vulnerability in apt package manager

lists.debian.org

10 points by dansimau 7 years ago · 5 comments

Reader

Ironic, given the previous discussion on why apt shouldn't use HTTPS connections. With full end-to-end SSL validation, this kind of vulnerability can't exist. Should be interesting to see how the community reacta to this.

est31 7 years ago

Weren't PGP signatures supposed to ensure integrity? How is this being bypassed?

detaro 7 years ago

The attack can inject fake hashes into the process, so it can pretend the file has the correct checksum: https://justi.cz/security/2019/01/22/apt-rce.html
- jwilk 7 years ago
  
  Discussed on HN:
  https://news.ycombinator.com/item?id=18968370

jwilk 7 years ago

Please use the original title.

Settings

HTTP redirect vulnerability in apt package manager

Keyboard Shortcuts