Quoting Geert Stappers <stapp...@stappers.nl>:
On Thu, Dec 15, 2016 at 09:43:59PM +0100, SZÉPE Viktor wrote:
Quoting Patrick Schleizer <adrela...@riseup.net>:
>Very short summary of the bug:
>(my own words) During apt-get upgrading signature verification can be
>tricked resulting in arbitrary package installation, system compromise.
>
>- https://security-tracker.debian.org/tracker/CVE-2016-1252
>- https://www.debian.org/security/2016/dsa-3733
>- https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1647467
>
>How to upgrade from the insecure apt-get version 1.0.9.8.3 to the
>patched apt-get version 1.0.9.8.4 without being compromised during that
>upgrade?
>
You may download the new package
http://security.debian.org/debian-security/pool/updates/main/a/apt/apt_1.0.9.8.4_amd64.deb
(for amd64)
By the command
wget http://security.debian.org/debian-security/pool/updates/main/a/apt/apt_1.0.9.8.4_amd64.deb
and check its checksum
https://packages.debian.org/jessie/amd64/apt/download
$ sha256sum apt_1.0.9.8.4_amd64.deb
f40e51afbbcf2b1e23442c4c3df064a02ddc27bdfbfb155839577dcb1dedb74a
Then the actual install
sudo dpkg --install apt_1.0.9.8.4_amd64.deb
Which might yield (due to my test on a non-up-to-date system)
(Reading database ... 42686 files and directories currently installed.)
Preparing to replace apt 1.0.9.8.4 (using apt_1.0.9.8.4_amd64.deb) ...
Unpacking replacement apt ...
dpkg: dependency problems prevent configuration of apt:
apt depends on libapt-pkg4.12 (>= 1.0.9.8.4); however:
Version of libapt-pkg4.12:amd64 on system is 0.9.7.9+deb7u6.
apt depends on libc6 (>= 2.15); however:
Version of libc6:amd64 on system is 2.13-38+deb7u8.
apt depends on libstdc++6 (>= 4.9); however:
Version of libstdc++6:amd64 on system is 4.7.2-5.
dpkg: error processing apt (--install):
dependency problems - leaving unconfigured
Processing triggers for man-db ...
Errors were encountered while processing:
apt
Version of libc6:amd64 on system is 2.13-38+deb7u8.
Excuse me. I thought you were using jessie.
Please download the version for wheezy.
https://security-tracker.debian.org/tracker/CVE-2016-1252
All the best!
Viktor
SZÉPE Viktor
https://github.com/szepeviktor/debian-server-tools/blob/master/CV.md
--
+36-20-4242498 s...@szepe.net skype: szepe.viktor
Budapest, III. kerület
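
Added example, not part of the original messages: a shell gate for the download / checksum / dpkg steps discussed in the thread, so that dpkg only runs when the file's SHA-256 matches a reference hash obtained out of band. The function names verify_sha256 and install_verified_deb are hypothetical; the hash constant is the one quoted in the thread.

```shell
#!/bin/sh
# Added example: enforce the "check its checksum" step before dpkg ever
# opens the file. Function names are hypothetical.

# Hash quoted in the thread for apt_1.0.9.8.4_amd64.deb.
APT_DEB_SHA256="f40e51afbbcf2b1e23442c4c3df064a02ddc27bdfbfb155839577dcb1dedb74a"

# verify_sha256 FILE EXPECTED
# Returns 0 only when FILE exists and its SHA-256 equals EXPECTED.
# Returns 2 for unusable input (missing file, malformed hash), 1 on mismatch.
verify_sha256() {
    file=$1
    # Accept upper-case hex in the reference value.
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }
    # A truncated or mistyped reference hash must never be accepted.
    case $expected in
        *[!0-9a-f]*) echo "expected hash is not hex" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "expected hash is not 64 hex digits" >&2; return 2; }
    actual=$(sha256sum -- "$file" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        echo "SHA-256 mismatch for $file" >&2
        echo "  expected $expected" >&2
        echo "  actual   $actual" >&2
        return 1
    fi
}

# install_verified_deb FILE EXPECTED
# Runs dpkg only after the hash check passes; on any failure dpkg is not called.
install_verified_deb() {
    verify_sha256 "$1" "$2" || return $?
    sudo dpkg --install "$1"
}

# Usage (not run automatically):
#   install_verified_deb apt_1.0.9.8.4_amd64.deb "$APT_DEB_SHA256"
```

The reference hash has to come from a channel that does not depend on the apt being replaced, such as the HTTPS download page linked in the thread.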