Hello Patrick! You may download the new package http://security.debian.org/debian-security/pool/updates/main/a/apt/apt_1.0.9.8.4_amd64.deb (for amd64) and check its checksum https://packages.debian.org/jessie/amd64/apt/download
$ sha256sum apt_1.0.9.8.4_amd64.deb f40e51afbbcf2b1e23442c4c3df064a02ddc27bdfbfb155839577dcb1dedb74a All the best to you! Idézem/Quoting Patrick Schleizer <adrela...@riseup.net>:
TLDR: Is it possible to disable InRelease processing by apt-get? Long: Very short summary of the bug: (my own words) During apt-get upgrading signature verification can be tricked resulting in arbitrary package installation, system compromise. sources: - https://security-tracker.debian.org/tracker/CVE-2016-1252 - https://www.debian.org/security/2016/dsa-3733 - https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1647467 How to upgrade from the insecure apt-get version 1.0.9.8.3 to the patched apt-get version 1.0.9.8.4 without being compromised during that upgrade? Is it possible to disable InRelease processing by apt-get [for that upgrade or generally]? And have it check Release.gpg (which is provided anyway) instead?
SZÉPE Viktor https://github.com/szepeviktor/debian-server-tools/blob/master/CV.md -- +36-20-4242498 s...@szepe.net skype: szepe.viktor Budapest, III. kerület
