Debian DSA-4371-1 : apt - security update

high Nessus Plugin ID 121317

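Synopsis

The remote Debian host is missing a security update.

Description

Max Justicz discovered a vulnerability in APT, the high-level package manager. The code that handles HTTP redirects in the HTTP transport method does not properly sanitize fields transmitted over the wire. An attacker positioned as a man-in-the-middle between APT and a mirror could use this vulnerability to inject malicious content into the HTTP connection. APT could then recognize that content as a valid package and later use it for code execution with root privileges on the target machine.

Because the vulnerability is in the package manager itself, it is recommended to disable redirects, to prevent exploitation during this upgrade only, using the following commands:

    apt -o Acquire::http::AllowRedirect=false update
    apt -o Acquire::http::AllowRedirect=false upgrade

This is known to break some proxies when used against security.debian.org. If that happens, users can switch their security APT source to use:

    deb http://cdn-fastly.deb.debian.org/debian-security stable/updates main

Solution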

Upgrade the apt packages. For the stable distribution (stretch), this problem has been fixed in version 1.4.9.

Specific upgrade instructions: if upgrading with APT without redirects is not possible in your situation, you can manually download the files for your architecture (using wget/curl) from the URLs provided in the Debian advisory (DSA-4371) and verify that the hashes match. Then install them using dpkg -i.

For each file, the advisory gives its URL followed by a Size/SHA256 checksum pair. It covers the source archives, the architecture-independent files, and the amd64, arm64, armel, armhf, i386, mips64el, mips, mipsel and ppc64el architectures.
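
The manual upgrade path described above, as an added example that is not part of the Debian advisory or the Nessus plugin: it refuses to call dpkg -i unless a downloaded file matches both the size and the SHA256 value published for it. The function names verify_deb and install_verified and the DPKG override variable are hypothetical; the size and digest arguments are meant to be copied from the advisory.

```shell
#!/bin/sh
# Added example: gate "dpkg -i" on the Size/SHA256 pair published for a file.

# verify_deb FILE EXPECTED_SIZE EXPECTED_SHA256
# Returns 0 only when both the byte count and the SHA-256 digest match,
# 1 on a mismatch, 2 when the inputs themselves are unusable.
verify_deb() {
    vd_file=$1
    vd_size=$2
    vd_sha=$(printf '%s' "$3" | tr 'A-F' 'a-f')   # accept upper-case hex

    [ -f "$vd_file" ] || { echo "no such file: $vd_file" >&2; return 2; }
    case $vd_size in
        ''|*[!0-9]*) echo "size must be a decimal byte count" >&2; return 2 ;;
    esac
    case $vd_sha in
        *[!0-9a-f]*) echo "digest must be hexadecimal" >&2; return 2 ;;
    esac
    [ "${#vd_sha}" -eq 64 ] || { echo "digest must be 64 hex digits" >&2; return 2; }

    # Cheap check first: a wrong size means a truncated or substituted file.
    vd_got_size=$(wc -c < "$vd_file" | tr -d ' ')
    if [ "$vd_got_size" != "$vd_size" ]; then
        echo "size mismatch for $vd_file: got $vd_got_size, want $vd_size" >&2
        return 1
    fi
    vd_got_sha=$(sha256sum "$vd_file" | cut -d' ' -f1)
    if [ "$vd_got_sha" != "$vd_sha" ]; then
        echo "SHA256 mismatch for $vd_file" >&2
        return 1
    fi
    return 0
}

# install_verified FILE EXPECTED_SIZE EXPECTED_SHA256
# Runs dpkg -i only after verify_deb succeeds. DPKG is an assumed override
# hook so the function can be exercised without root.
install_verified() {
    verify_deb "$1" "$2" "$3" || return $?
    ${DPKG:-dpkg} -i "$1"
}

# Usage (placeholders stand for the values listed in the advisory):
#   install_verified apt_1.4.9_amd64.deb <SIZE> <SHA256>
```

Because the download itself may travel over the same untrusted HTTP path, the expected values should be taken from a copy of the advisory obtained over an authenticated channel.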

See Also

https://security-tracker.debian.org/tracker/source-package/apt

https://packages.debian.org/source/stretch/apt

https://www.debian.org/security/2019/dsa-4371

Plugin Details

Severity: High

ID: 121317

File Name: debian_DSA-4371.nasl

Version: 1.5

Type: local

Agent: unix

Published: 2019/1/23

Updated: 2020/2/25

Supported Sensors: Agentless Assessment, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: High

Score: 7.4

CVSS v2

Risk Factor: High

Base Score: 9.3

Temporal Score: 6.9

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

CVSS v3

Risk Factor: High

Base Score: 8.1

Temporal Score: 7.1

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:apt, cpe:/o:debian:debian_linux:9.0

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Ease: No known exploits are available

Patch Publication Date: 2019/1/22

Vulnerability Publication Date: 2019/1/28

Reference Information

CVE: CVE-2019-3462

DSA: 4371