Geert Stappers:
> On Thu, Dec 15, 2016 at 09:43:59PM +0100, SZÉPE Viktor wrote:
>> Quoting Patrick Schleizer <adrela...@riseup.net>:
>>
>>> Very short summary of the bug:
>>> (my own words) During apt-get upgrading signature verification can be
>>> tricked resulting in arbitrary package installation, system compromise.
>>>
>>> - https://security-tracker.debian.org/tracker/CVE-2016-1252
>>> - https://www.debian.org/security/2016/dsa-3733
>>> - https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1647467
>>>
>>> How to upgrade from the insecure apt-get version 1.0.9.8.3 to the
>>> patched apt-get version 1.0.9.8.4 without being compromised during that
>>> upgrade?
>>>
>>
>> You may download the new package
>> http://security.debian.org/debian-security/pool/updates/main/a/apt/apt_1.0.9.8.4_amd64.deb
>> (for amd64)
>
> By the command
>
>     wget http://security.debian.org/debian-security/pool/updates/main/a/apt/apt_1.0.9.8.4_amd64.deb
>
>
>> and check its checksum
>> https://packages.debian.org/jessie/amd64/apt/download
>>
>> $ sha256sum apt_1.0.9.8.4_amd64.deb
>>
>> f40e51afbbcf2b1e23442c4c3df064a02ddc27bdfbfb155839577dcb1dedb74a
>>
>
> Then the actual install
>
>     sudo dpkg --install apt_1.0.9.8.4_amd64.deb
>
> Which might yield (due to my test on a non-up-to-date system)
>
>     (Reading database ... 42686 files and directories currently installed.)
>     Preparing to replace apt 1.0.9.8.4 (using apt_1.0.9.8.4_amd64.deb) ...
>     Unpacking replacement apt ...
>     dpkg: dependency problems prevent configuration of apt:
>      apt depends on libapt-pkg4.12 (>= 1.0.9.8.4); however:
>       Version of libapt-pkg4.12:amd64 on system is 0.9.7.9+deb7u6.
>      apt depends on libc6 (>= 2.15); however:
>       Version of libc6:amd64 on system is 2.13-38+deb7u8.
>      apt depends on libstdc++6 (>= 4.9); however:
>       Version of libstdc++6:amd64 on system is 4.7.2-5.
>
>     dpkg: error processing apt (--install):
>      dependency problems - leaving unconfigured
>     Processing triggers for man-db ...
>     Errors were encountered while processing:
>      apt
>
>
>
> Greetings
> Geert Stappers
>
Need to do this for all 'apt'ish packages. https://www.whonix.org/wiki/CVE-2016-1252
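The manual steps quoted above (fetch the .deb out of band, compare its SHA-256 with the one published on packages.debian.org, then install with dpkg) as a small script. This is an added example, not code from the thread or from Debian; the manifest format (`file expected_sha256` per line), the file name `manifest.txt` and the environment variable `RUN_DEB_INSTALL` are my own conventions, and the libapt-pkg line is a placeholder the operator fills in from packages.debian.org. All verified files are passed to dpkg in one run so that apt and its matching libapt-pkg4.12 are unpacked together instead of leaving apt unconfigured as in the quoted transcript.

```shell
#!/bin/sh
# Added example (not from the thread): verify locally downloaded .deb files
# against SHA-256 sums taken from packages.debian.org, and only then hand
# all of them to dpkg in a single invocation.
set -u

# Print the SHA-256 hex digest of a file (empty string if unreadable).
sha256_of() {
    sha256sum "$1" 2>/dev/null | cut -d' ' -f1
}

# Return 0 when the file's digest equals the expected one, 1 otherwise.
# Case-insensitive, since some tools print uppercase hex.
verify_sha256() {
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(sha256_of "$1")
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Read "file expected_sha256" pairs from stdin; collect the files that
# pass into OK_FILES and return 1 if any pair fails or is missing.
verify_manifest() {
    OK_FILES=""
    status=0
    while read -r file expected; do
        [ -n "$file" ] || continue
        if verify_sha256 "$file" "$expected"; then
            OK_FILES="$OK_FILES $file"
        else
            echo "checksum mismatch or missing file: $file" >&2
            status=1
        fi
    done
    return $status
}

# Install only when every file verified; one dpkg run lets apt and
# libapt-pkg4.12 of the same version satisfy each other's dependency.
install_verified() {
    verify_manifest || { echo "refusing to install" >&2; return 1; }
    # shellcheck disable=SC2086  # word splitting of OK_FILES is intended
    sudo dpkg --install $OK_FILES
}

# Constructed manifest.txt (the apt hash is the one quoted in the thread):
#   apt_1.0.9.8.4_amd64.deb f40e51afbbcf2b1e23442c4c3df064a02ddc27bdfbfb155839577dcb1dedb74a
#   libapt-pkg4.12_1.0.9.8.4_amd64.deb <sha256 from packages.debian.org>
if [ "${RUN_DEB_INSTALL:-0}" = 1 ]; then
    install_verified < manifest.txt
fi
```

Run with `RUN_DEB_INSTALL=1 sh verify-and-install.sh` after writing `manifest.txt`; a single mismatch aborts before dpkg is invoked.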