APT HTTP Vulnerability


#1

A security researcher just found a security bug in APT (the package manager by default in PureOS) which can result in arbitrary remote code execution from either MitM or compromised repo. There’s also a good PoC video.

https://justi.cz/security/2019/01/22/apt-rce.html

One way to defend against this is by using HTTPS instead of HTTP for APT, via installing apt-transport-https. I also noticed this wasn’t installed by default on PureOS (then again, most distros don’t do this either).

Since these devices are affected, I thought I’d share for your security awareness.


#2

Thanks Jon! Debian has done an update as well: https://www.debian.org/News/2019/20190123
We plan to pull this into PureOS as soon as possible, if not sooner. :slight_smile: