CVE-2019-3462

Name: CVE-2019-3462
Description: Incorrect sanitization of the 302 redirect field in the HTTP transport method of apt versions 1.4.8 and earlier can lead to content injection by a MITM attacker, potentially leading to remote code execution on the target machine.
Source: CVE (at NVD)
References: DLA-1637-1, DSA-4371-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   Release                        Version       Status
apt (PTS)        jessie                         1.0.9.8.4     vulnerable
                 jessie (security)              1.0.9.8.5     fixed
                 stretch (security), stretch    1.4.9         fixed
                 buster                         1.8.0~rc2     fixed
                 sid                            1.8.0~rc3     fixed

The information below is based on the following data on fixed versions.

Package   Type     Release       Fixed Version     Urgency   Origin       Debian Bugs
apt       source   (unstable)    1.8.0~alpha3.1
apt       source   jessie        1.0.9.8.5                   DLA-1637-1
apt       source   stretch       1.4.9                       DSA-4371-1

Notes

https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1812353
https://justi.cz/security/2019/01/22/apt-rce.html
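Added illustration (not code from apt, Debian, or the linked write-up) of the injection the description above refers to. apt talks to its http acquire method over a line-oriented protocol of RFC 822-style header blocks terminated by a blank line; before the fix the method copied the value of a 302 Location header verbatim into the New-URI field of a 103 Redirect message, so a Location containing newlines could terminate that message and append a further one, such as a 201 URI Done whose Filename and hash fields the attacker chooses. The request URI, mirror host, payload bytes and filename below are constructed for the example, and the whitelist in redirect_target_is_safe is this example's own check, not a claim about the exact upstream patch.

```python
import hashlib
import re

# Constructed sample values; none of these come from the advisory.
REQUEST_URI = "http://deb.example/pool/main/a/apt/apt_1.4.8_amd64.deb"
BENIGN_LOCATION = "http://mirror.example/pool/main/a/apt/apt_1.4.8_amd64.deb"

# Attacker-controlled payload; the hash it reports is whatever it wants to report.
PAYLOAD = b"malicious package bytes"
PAYLOAD_SHA256 = hashlib.sha256(PAYLOAD).hexdigest()

# A Location value with embedded newlines: after the real target it smuggles a
# blank line (ending the 103 message) and a complete 201 URI Done message with
# attacker-chosen Filename, Size and SHA256-Hash fields.
MALICIOUS_LOCATION = (
    BENIGN_LOCATION
    + "\n\n"
    + "201 URI Done\n"
    + f"URI: {REQUEST_URI}\n"
    + "Filename: /var/lib/apt/lists/attacker-controlled.deb\n"
    + f"Size: {len(PAYLOAD)}\n"
    + f"SHA256-Hash: {PAYLOAD_SHA256}"
)


def vulnerable_redirect_message(uri, location):
    """Emit a 103 Redirect the way an unsanitised method would: the Location
    value lands in New-URI verbatim, so a newline in it ends the message and
    whatever follows is parsed as the next message."""
    return f"103 Redirect\nURI: {uri}\nNew-URI: {location}\n\n"


# Characters permitted in a URI (RFC 3986 unreserved, reserved, and '%').
# CR, LF and whitespace are absent, so a value containing them is rejected
# before it can be written into the protocol stream.
_URI_CHARS = re.compile(r"[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]+")


def redirect_target_is_safe(location):
    """Whitelist check used by the hardened emitter (this example's own check)."""
    return _URI_CHARS.fullmatch(location) is not None


def hardened_redirect_message(uri, location):
    """Same message as above, but refuses a Location that is not a bare URI."""
    if not redirect_target_is_safe(location):
        raise ValueError("redirect target contains characters not valid in a URI")
    return f"103 Redirect\nURI: {uri}\nNew-URI: {location}\n\n"


def parse_messages(stream):
    """Split a method's output into (status line, headers) blocks the way the
    apt main process frames them: header lines terminated by a blank line."""
    messages = []
    for block in stream.split("\n\n"):
        if not block.strip():
            continue
        status, *header_lines = block.split("\n")
        headers = {}
        for line in header_lines:
            name, _, value = line.partition(":")
            headers[name.strip()] = value.strip()
        messages.append((status, headers))
    return messages


def attacker_controls_done_message(location):
    """True when the unsanitised emitter lets the Location value produce a
    second message carrying a hash field that the main process would compare
    against the expected package hash."""
    messages = parse_messages(vulnerable_redirect_message(REQUEST_URI, location))
    return any(status == "201 URI Done" and "SHA256-Hash" in headers
               for status, headers in messages)


if __name__ == "__main__":
    for status, headers in parse_messages(
            vulnerable_redirect_message(REQUEST_URI, MALICIOUS_LOCATION)):
        print(status, headers)
    print("benign accepted:", redirect_target_is_safe(BENIGN_LOCATION))
    print("malicious accepted:", redirect_target_is_safe(MALICIOUS_LOCATION))
```

With the vulnerable emitter the malicious Location parses as two messages, the second a 201 URI Done whose hash is the attacker's; the hardened emitter raises before anything reaches the stream. Because apt itself is the vulnerable component, DSA-4371-1 recommends fetching the fix with redirects disabled (`apt -o Acquire::http::AllowRedirect=false update` and `upgrade`), and `apt-cache policy apt` afterwards should show a version at or above the fixed ones listed above.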
