On 1/14/24, Max Nikulin <maniku...@gmail.com> wrote:
> On 14/01/2024 04:43, Jeffrey Walton wrote:
>>
>> And use of HTTP in other fetches is dangerous, and HTTPS should be
>> used. See
>> <https://www.akamai.com/blog/security/vulnerability-in-debians-advanced-package-tool>.
>
> https://security-tracker.debian.org/tracker/CVE-2019-3462
> states that this particular vulnerability has been fixed. Do you have
> any evidence that APT is still affected by another one related namely to
> HTTP?
>
> Serious vulnerabilities have been found in OpenSSL and other libraries.
> Do you think it is a reason to stop using TLS?
>
> In the case of APT, unless you disabled it, content is verified using
> GPG keys and signatures, see apt-secure(8) and
> https://wiki.debian.org/SecureApt
>
> HTTP clear text communication allows the use of caching proxies, so it
> decreases the load on repository servers and communication channels.
>
> HTTPS may be a mitigation till a specific fix is installed.
$ date; sudo apt -o Acquire::http::AllowRedirect=false update
Thu Jan 18 12:38:19 AM UTC 2024
Get:1 file:/run/live/medium bookworm InRelease
Ign:1 file:/run/live/medium bookworm InRelease
Get:2 file:/run/live/medium bookworm Release [4,535 B]
Get:2 file:/run/live/medium bookworm Release [4,535 B]
Get:3 file:/run/live/medium bookworm Release.gpg
Ign:3 file:/run/live/medium bookworm Release.gpg
Get:4 file:/run/live/medium bookworm/main amd64 Packages [48.2 kB]
Get:5 file:/run/live/medium bookworm/non-free-firmware amd64 Packages [30.4 kB]
Err:6 http://deb.debian.org/debian bookworm InRelease
  302 Found [IP: 151.101.162.132 80]
Reading package lists... Done
E: Failed to fetch http://deb.debian.org/debian/dists/bookworm/InRelease  302 Found [IP: 151.101.162.132 80]
E: The repository 'http://deb.debian.org/debian bookworm InRelease' is no longer signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
$

> Generally just pay attention that GPG keys for repositories are obtained
> through trusted channels.

How do you functionally (that is, give me the step-by-step command line
statements, ... in order to) do that?

lbrtchx
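A first step towards that check, as an added example that is not from this thread or from apt's own tooling: the script below audits a one-line sources.list (constructed sample embedded inline; hosts other than deb.debian.org are made up) and reports entries with trusted=yes, entries with no pinned signed-by keyring, and plain-http entries. The keyring each entry pins is the file whose fingerprints you then compare against what the vendor publishes out of band.

```python
"""Audit apt one-line sources (sources.list format) for settings that weaken
apt-secure. Added example for this thread, not code from the list or from apt."""
import re
from typing import Dict, List

# Constructed sample: deb.debian.org is from the thread; the other hosts are made up.
SAMPLE_SOURCES = """
deb http://deb.debian.org/debian bookworm main non-free-firmware
deb [signed-by=/usr/share/keyrings/debian-archive-keyring.gpg] https://deb.debian.org/debian-security bookworm-security main
deb [trusted=yes] http://mirror.example.internal/debian bookworm main
deb [arch=amd64 signed-by=/etc/apt/keyrings/example-vendor.gpg] https://apt.example.com/debian stable main
# deb-src https://deb.debian.org/debian bookworm main
"""

# 'deb [opt=val ...] URI SUITE [COMPONENTS...]'; the [options] part is optional.
LINE_RE = re.compile(r"^(?P<type>deb|deb-src)\s+(?:\[(?P<opts>[^\]]*)\]\s+)?(?P<uri>\S+)\s+(?P<suite>\S+)")


def parse_sources(text: str) -> List[Dict[str, str]]:
    """One dict per active deb/deb-src line: uri, suite and each [option] key."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line; apt would reject it as well
        opts = dict(tok.partition("=")[::2] for tok in (m.group("opts") or "").split())
        entries.append({"uri": m.group("uri"), "suite": m.group("suite"), **opts})
    return entries


def audit_sources(text: str) -> List[Dict[str, str]]:
    """Return findings; 'high' means signature verification is off for that source."""
    findings = []
    for e in parse_sources(text):
        uri = e["uri"]
        if e.get("trusted") == "yes":
            findings.append({"level": "high", "uri": uri,
                             "issue": "trusted=yes: Release signatures are not checked"})
        if "signed-by" not in e:
            findings.append({"level": "medium", "uri": uri,
                             "issue": "no signed-by: any key in /etc/apt/trusted.gpg.d can sign it"})
        if uri.startswith("http://"):
            findings.append({"level": "info", "uri": uri,
                             "issue": "plain http: integrity rests on the Release signature alone"})
    return findings


if __name__ == "__main__":
    for f in audit_sources(SAMPLE_SOURCES):
        print(f"[{f['level']:6}] {f['uri']}: {f['issue']}")
    # Manual step per pinned keyring: gpg --show-keys --with-fingerprint <keyring>
    # and compare each fingerprint with the one the vendor publishes out of band.
```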