
HTTP redirect vulnerability in apt package manager - dansimau
https://lists.debian.org/debian-security-announce/2019/msg00010.html
======
mondoshawan
Ironic, given the previous discussion on why apt shouldn't use HTTPS
connections. With full end-to-end SSL validation, this kind of vulnerability
can't exist. Should be interesting to see how the community reacts to this.

------
est31
Weren't PGP signatures supposed to ensure integrity? How is this being
bypassed?

~~~
detaro
The attack can inject fake hashes into the process, so it can pretend the file
has the correct checksum:
[https://justi.cz/security/2019/01/22/apt-rce.html](https://justi.cz/security/2019/01/22/apt-rce.html)

~~~
jwilk
Discussed on HN:

[https://news.ycombinator.com/item?id=18968370](https://news.ycombinator.com/item?id=18968370)

------
jwilk
Please use the original title.

