Debian Bug Found in Python-Apt


    Debian Bug Found in Python-Apt

    https://www.linuxexperten.com/news/d...dsa-python-apt

    I've been wondering if *buntu users will be affected as well. I've only found apt on my Kubuntu Bionic desktop; it says apt version 1.6.12 is installed there, but I don't know if it matters or not...
    Multibooting: Kubuntu Noble 24.04
    Before: Jammy 22.04, Focal 20.04, Precise 12.04, Xenial 16.04 and Bionic 18.04
    Win XP, 7 & 10 sadly
    Using Linux since June, 2008

    #2
    The fix is given here:
    https://usn.ubuntu.com/4247-1/
    22 January 2020
    python-apt vulnerabilities

    A security issue affects these releases of Ubuntu and its derivatives:
    • Ubuntu 19.10
    • Ubuntu 19.04
    • Ubuntu 18.04 LTS
    • Ubuntu 16.04 LTS

    Summary

    Several security issues were fixed in python-apt.
    Software Description

    • python-apt - Python interface to libapt-pkg

    Details

    It was discovered that python-apt would still use MD5 hashes to validate certain downloaded packages. If a remote attacker were able to perform a man-in-the-middle attack, this flaw could potentially be used to install altered packages. (CVE-2019-15795)
    It was discovered that python-apt could install packages from untrusted repositories, contrary to expectations. (CVE-2019-15796)
    Update instructions

    The problem can be corrected by updating your system to the following package versions:
    Ubuntu 19.10
    python-apt - 1.9.0ubuntu1.2
    python3-apt - 1.9.0ubuntu1.2
    Ubuntu 19.04
    python-apt - 1.8.5~ubuntu0.2
    python3-apt - 1.8.5~ubuntu0.2
    Ubuntu 18.04 LTS
    python-apt - 1.6.5ubuntu0.1
    python3-apt - 1.6.5ubuntu0.1
    Ubuntu 16.04 LTS
    python-apt - 1.1.0~beta1ubuntu0.16.04.7
    python3-apt - 1.1.0~beta1ubuntu0.16.04.7
    The 20.04 patch for python 1.9.4 is pending:
    https://people.canonical.com/~ubuntu...019-15796.html
    Last edited by GreyGeek; Jan 24, 2020, 02:24 PM.
    "A nation that is afraid to let its people judge the truth and falsehood in an open market is a nation that is afraid of its people."
    – John F. Kennedy, February 26, 1962.



      #3
      python-apt is not likely installed on most systems, being a Python interface to libapt-pkg, and not part of the apt command itself.

      In 18.04 the version is newer than Debian stable already, but not Buster (Testing).
      Note it is not installed here on my pretty stock 18.04 Neon system:
      Code:
      claydoh@claydoh-Elite-8300:~ apt policy python-apt
      python-apt:
        Installed: (none)
        Candidate: 1.6.5ubuntu0.2
        Version table:
           1.6.5ubuntu0.2 500
              500 http://us.archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages
              500 http://security.ubuntu.com/ubuntu bionic-security/main amd64 Packages
           1.6.0 500
              500 http://us.archive.ubuntu.com/ubuntu bionic/main amd64 Packages
      However, a quick browse of Ubuntu's security tracker website https://usn.ubuntu.com/ shows it has been fixed already:

      https://usn.ubuntu.com/4247-2/

      Heck, I find that by the time many of these newsy websites even notice it, it has long since been updated.

      Ubuntu and Debian more or less cross-feed these things to each other.
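To turn the advisory's fixed-version table into an actual check, here is an added example (written for this thread, not code from the USN, from python-apt, or from anyone posting above): it implements dpkg's version ordering in plain Python, including the `~` rule that makes `1.8.5~ubuntu0.2` sort below `1.8.5`, so the `1.6.5ubuntu0.2` candidate in the apt policy output above compares correctly against the `1.6.5ubuntu0.1` fix for 18.04. The `FIXED` table is copied from USN-4247-1 as quoted in post #2; the function names are my own.

```python
import re

# Fixed python-apt versions per release, copied from USN-4247-1 as quoted in the thread
FIXED = {"19.10": "1.9.0ubuntu1.2", "19.04": "1.8.5~ubuntu0.2",
         "18.04": "1.6.5ubuntu0.1", "16.04": "1.1.0~beta1ubuntu0.16.04.7"}

def _order(c):
    # Debian ordering of non-digit chars: '~' < end of string < letters < anything else
    if c == "~":
        return -1
    if c == "":
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_nondigit(a, b):
    for i in range(max(len(a), len(b))):
        d = _order(a[i:i + 1]) - _order(b[i:i + 1])  # slicing yields "" past the end
        if d:
            return d
    return 0

def _cmp_fragment(a, b):
    # Alternate non-digit runs (custom ordering) and digit runs (numeric) until both are exhausted
    while a or b:
        na, nb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        if (d := _cmp_nondigit(na, nb)):
            return d
        a, b = a[len(na):], b[len(nb):]
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        if (d := int(da or 0) - int(db or 0)):
            return d
        a, b = a[len(da):], b[len(db):]
    return 0

def compare_versions(v1, v2):
    """Negative, zero or positive, like dpkg --compare-versions lt/eq/gt."""
    def split(v):  # [epoch:]upstream[-revision]; missing epoch is 0, missing revision acts as "0"
        epoch, _, rest = v.partition(":") if ":" in v else ("0", ":", v)
        upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
        return int(epoch), upstream, revision
    e1, u1, r1 = split(v1)
    e2, u2, r2 = split(v2)
    return (e1 - e2) or _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)

def is_fixed(release, installed):
    """True when python-apt is absent (nothing to patch) or already at/above the fixed version."""
    return installed is None or compare_versions(installed, FIXED[release]) >= 0
```

On a real box the installed string would come from `dpkg-query -W -f='${Version}' python3-apt` (no output meaning not installed), which is the same answer `apt policy` gave above.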



        #4
        Thank you for the information!
        I'm glad I hadn't installed python-apt then. After reading about an issue with Broadcom chips in modems, I just started fearing my box could become vulnerable at some point. It's comforting to know I've got nothing to worry about.