HTTP redirect vulnerability in apt package manager (opens in new tab)

(lists.debian.org)

10 pointsdansimau7y ago5 comments

5 comments

5 comments · 3 top-level

est317y ago· 2 in thread

Weren't PGP signatures supposed to ensure integrity? How is this being bypassed?

detaro7y ago

The attack can inject fake hashes into the process, so it can pretend the file has the correct checksum: https://justi.cz/security/2019/01/22/apt-rce.html

jwilk7y ago

Discussed on HN:

https://news.ycombinator.com/item?id=18968370

mondoshawan7y ago

Ironic, given the previous discussion on why apt shouldn't use HTTPS connections. With full end-to-end SSL validation, this kind of vulnerability can't exist. Should be interesting to see how the community reacta to this.

jwilk7y ago

Please use the original title.

j / k navigate · click thread line to collapse

5 comments

5 comments · 3 top-level

est317y ago· 2 in thread

Weren't PGP signatures supposed to ensure integrity? How is this being bypassed?

detaro7y ago

The attack can inject fake hashes into the process, so it can pretend the file has the correct checksum: https://justi.cz/security/2019/01/22/apt-rce.html

jwilk7y ago

Discussed on HN:

https://news.ycombinator.com/item?id=18968370

mondoshawan7y ago

jwilk7y ago

Please use the original title.

j / k navigate · click thread line to collapse