CVE-2019-3462

@charcol0x89

[Slide diagram labels: malicious person; false hash; you; legit repo; "= arbitrary code execution &"]

apt -o Acquire::http::AllowRedirect=false update

apt -o Acquire::http::AllowRedirect=false upgrade

https://www.debian.org/security/2019/dsa-4371

https://usn.ubuntu.com/3863-2/

https://justi.cz/security/2019/01/22/apt-rce.html

1. Encryption

Prevent unauthorised reading of your data

2. Attestation

Confirmation from the sender the content is genuine

install apt-transport-https
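
An added example (not from the talk) to go with the apt-transport-https slide: a shell function that lists active one-line sources.list entries still fetched over plain http://, the transport the `Acquire::http::AllowRedirect` workaround applies to. The sample entries and hostnames are constructed, and deb822 `.sources` files are not handled.

```shell
#!/bin/sh
# Added example: report APT sources that still use plain HTTP.
# Assumption: one-line sources.list format only (deb822 .sources files are skipped).

# list_http_sources FILE...
# Prints "file:line: uri" for each active deb/deb-src entry whose URI is http://
list_http_sources() {
    for f in "$@"; do
        [ -r "$f" ] || continue          # ignore missing files and unexpanded globs
        awk -v file="$f" '
            /^[ \t]*#/ { next }          # commented-out entries are inactive
            $1 == "deb" || $1 == "deb-src" {
                i = 2
                # Skip an optional [ option=value ... ] block; it may span fields.
                if ($i ~ /^\[/) {
                    while (i <= NF && $i !~ /\]$/) i++
                    i++
                }
                if (i <= NF && $i ~ /^http:\/\//)
                    printf "%s:%d: %s\n", file, NR, $i
            }
        ' "$f"
    done
}

# Constructed sample input (hostnames are placeholders), written to a temp file.
make_sample() {
    sample=$(mktemp)
    cat > "$sample" <<'EOF'
# deb http://commented.example/debian stable main
deb http://deb.example.org/debian stable main
deb [arch=amd64 signed-by=/usr/share/keyrings/x.gpg] http://mirror.example.net/ubuntu bionic main
deb https://secure.example.org/debian stable main
deb-src [ arch=amd64 ] https://secure.example.org/debian stable main
EOF
    echo "$sample"
}

# Audit the local configuration when run directly.
list_http_sources /etc/apt/sources.list /etc/apt/sources.list.d/*.list
```
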

CVE-2019-3462

By Charelle Collett

Lightning talk for LCA2019
