HTTP redirect vulnerability in apt package manager (lists.debian.org) 10 points by dansimau 7y ago ↗ HN
[–] est31 7y ago ↗ Weren't PGP signatures supposed to ensure integrity? How is this being bypassed? [–] detaro 7y ago ↗ The attack can inject fake hashes into the process, so it can pretend the file has the correct checksum: https://justi.cz/security/2019/01/22/apt-rce.html [–] jwilk 7y ago ↗ Discussed on HN:https://news.ycombinator.com/item?id=18968370
[–] detaro 7y ago ↗ The attack can inject fake hashes into the process, so it can pretend the file has the correct checksum: https://justi.cz/security/2019/01/22/apt-rce.html [–] jwilk 7y ago ↗ Discussed on HN:https://news.ycombinator.com/item?id=18968370
[–] mondoshawan 7y ago ↗ Ironic, given the previous discussion on why apt shouldn't use HTTPS connections. With full end-to-end SSL validation, this kind of vulnerability can't exist. Should be interesting to see how the community reacta to this.
5 comments
[ 2.6 ms ] story [ 27.3 ms ] threadhttps://news.ycombinator.com/item?id=18968370