Safely updating apt in Kali

Since Kali appears to also be vulnerable (correct me if I’m wrong) for CVE-2019-3462, what is a safe way to upgrade apt in Kali?

https://security-tracker.debian.org/tracker/CVE-2019-3462

Although there are instructions to do it here for Debian (Debian -- Security Information -- DSA-4371-1 apt), the mirror can’t be used in Kali (at least on my system) and installing the Debian packages with dpkg -i breaks the system.

Is there any easy and secure way to do this?

Hello there,

Try:

$ apt -v
apt 1.8.0~alpha3.1 
$ apt update && apt upgrade
$ apt -v 
apt 1.8.0~beta1 (amd64)
$ apt changelog apt
[...]
* SECURITY UPDATE: content injection in http method (CVE-2019-3462)
[...]

@d4rk3r said:
Hello there,

Try:

$ apt -v
apt 1.8.0~alpha3.1 
$ apt update && apt upgrade
$ apt -v 
apt 1.8.0~beta1 (amd64)
$ apt changelog apt
[...]
* SECURITY UPDATE: content injection in http method (CVE-2019-3462)
[...]

But the problem here is that with apt update && apt upgrade using the vulnerable version, it is susceptible to an injection attack. That was what I’m asking: how to avoid that injection attack.

@raiden99
Sorry about that, changing http to https in source.list should solve your issue. Otherwise download the package and install it manually.

Changing http to https makes the update simply fail on my system.

I’m not an expert in the dependencies and workings of apt, especially in the context of the exploit (what exactly is required to exploit it?). I’m sure others that didn’t study this exploit in detail would be wondering the same thing: is it sufficient to download and manually install Debian -- Package Download Selection -- apt_1.8.2.3_amd64.deb?

It seems that these packages are to be upgraded if I had let it just go about its business insecurely:

libapt-inst2.0:amd64 (1.4.9, 1.8.0~beta1), apt:amd64 (1.4.9, 1.8.0~beta1), libapt-pkg-dev:amd64 (1.4.9, 1.8.0~beta1), libapt-pkg5.0:amd64 (1.4.9, 1.8.0~beta1), apt-utils:amd64 (1.4.9, 1.8.0~beta1), apt-transport-https:amd64 (1.4.9, 1.8.0~beta1)

Do I need to download each of these, manually, and install? Or is just apt by itself enough to allow safely returning to regular apt update && apt upgrade?

I guess most people that encounter this, including myself, will simply end up getting frustrated and not caring.

Anyone that knows this, feel free to chime in.

According to this article (Remote Code Execution in apt/apt-get) you could run:

sudo apt update -o Acquire::http::AllowRedirect=false
sudo apt upgrade -o Acquire::http::AllowRedirect=false

to avoid redirects and then upgrade your apt package. HTTPS only works when apt-transport-https is installed, which it is not by default.
After the apt upgrade you could install it and enable/add https repositories.
But it depends on whether your mirrors redirect by default or not, so this workaround might be pointless.

For upgrading apt by hand, you need the following packages according to your platform:
https://lists.debian.org/debian-security-announce/2019/msg00010.html

Hope I could help a bit.

Yeah that doesn’t work for me, I’ve tried it. Also, the apt packages in that link are for stretch (correct me if I’m wrong), which Kali doesn’t use.

Sorry for not including the errors I got (pasted on Pastebin.com):

Reading package lists... Done
E: Failed to fetch http://http.kali.org/kali/dist

You’re saying that we could redirect mirrors?

@peek said:

You’re saying that we could redirect mirrors?

I believe he’s quoting the article which is saying we should avoid redirecting.