Debian DLA-1637-1 : apt security update (revised)

high Nessus Plugin ID 121314

Synopsis

The remote Debian host is missing a security update.

Description

(Revised to refer to jessie rather than stable in the sources.list entry below.)

Max Justicz discovered a vulnerability in APT, the high-level package manager. The code handling HTTP redirects in the HTTP transport method does not properly sanitize fields transmitted over the wire. An attacker positioned as a man-in-the-middle between APT and a mirror could use this to inject malicious content into the HTTP connection. APT could then recognize that content as a valid package and later use it to execute code with root privileges on the target machine.

Since the vulnerability is in the package manager itself, it is recommended to disable redirects for this upgrade only, so that the flaw cannot be exploited while the fix is being installed:

apt -o Acquire::http::AllowRedirect=false update
apt -o Acquire::http::AllowRedirect=false upgrade

This is known to break some proxies when used against security.debian.org. If that happens, the security APT source can be switched to:

deb http://cdn-fastly.deb.debian.org/debian-security jessie/updates main

For Debian 8 "Jessie", this problem has been fixed in version 1.0.9.8.5. We recommend that you upgrade your apt packages.

Specific upgrade instructions: if upgrading with APT without redirects is not possible in your situation, you can manually download the files for your architecture (using wget/curl) from the per-file URLs given in the advisory (https://lists.debian.org/debian-lts-announce/2019/01/msg00014.html), verifying that the size and SHA256 checksum of each file match the values published there. You can then install them with dpkg -i. The advisory lists architecture-independent files (apt-doc, libapt-pkg-doc) and, for each of amd64, armel, armhf and i386, the libapt-pkg4.12, libapt-inst1.5, apt, libapt-pkg-dev, apt-utils and apt-transport-https packages, each with its size and SHA256 checksum.

Note that Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
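An added example, not part of the Nessus plugin or the Debian advisory: a POSIX shell helper for the manual upgrade path described above. It checks a downloaded .deb against the size and SHA256 published in the advisory before handing it to dpkg -i, and wraps the redirect-free apt invocation. The function names verify_deb, fetch_and_install and apt_no_redirect are chosen here; it assumes GNU coreutils sha256sum and curl are installed, and the values in the usage comment are the advisory's figures for the amd64 apt package.

```shell
#!/bin/sh
# Added example (not from the advisory or the Nessus plugin). Verifies a
# downloaded package against the size and SHA256 the advisory publishes,
# so a file tampered with in transit is never passed to dpkg -i.

# verify_deb FILE EXPECTED_SIZE EXPECTED_SHA256
# Returns 0 only when both the byte count and the SHA256 digest match.
verify_deb() {
    file=$1; want_size=$2; want_sha=$3
    [ -f "$file" ] || { echo "missing file: $file" >&2; return 1; }
    got_size=$(wc -c < "$file" | tr -d ' ')
    got_sha=$(sha256sum "$file" | cut -d' ' -f1)
    if [ "$got_size" != "$want_size" ]; then
        echo "size mismatch for $file: got $got_size, want $want_size" >&2
        return 1
    fi
    if [ "$got_sha" != "$want_sha" ]; then
        echo "SHA256 mismatch for $file: got $got_sha" >&2
        return 1
    fi
    return 0
}

# fetch_and_install URL EXPECTED_SIZE EXPECTED_SHA256
# Downloads the package, deletes it if verification fails, installs it otherwise.
fetch_and_install() {
    url=$1; size=$2; sha=$3
    deb=$(basename "$url")
    curl -fsSL -o "$deb" "$url" || return 1
    verify_deb "$deb" "$size" "$sha" || { rm -f "$deb"; return 1; }
    dpkg -i "$deb"
}

# The advisory's redirect-free update path, for hosts that can still use APT.
apt_no_redirect() {
    apt -o Acquire::http::AllowRedirect=false update &&
    apt -o Acquire::http::AllowRedirect=false upgrade
}

# Usage (size and checksum are the advisory's values for the amd64 apt package):
#   fetch_and_install \
#     http://security.debian.org/debian-security/pool/updates/main/a/apt/apt_1.0.9.8.5_amd64.deb \
#     1109308 4078748632abc19836d045f80f9d6933326065ca1d47367909a0cf7f29e7dfe8
```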

Solution

Upgrade the affected packages.

See Also

http://cdn-fastly.deb.debian.org/debian-security

http://www.nessus.org/u?868b0759

http://www.nessus.org/u?d4ec6efb

http://www.nessus.org/u?985bde3e

http://www.nessus.org/u?10108a63

http://www.nessus.org/u?353fda54

http://www.nessus.org/u?d5383837

http://www.nessus.org/u?f7b7a168

http://www.nessus.org/u?a7d39274

http://www.nessus.org/u?73187c9f

http://www.nessus.org/u?c9f313ea

http://www.nessus.org/u?ce74b7bd

http://www.nessus.org/u?f96c8811

http://www.nessus.org/u?7ccdd0a1

http://www.nessus.org/u?3e388cff

http://www.nessus.org/u?07af7490

http://www.nessus.org/u?aa3c5561

http://www.nessus.org/u?59f97850

http://www.nessus.org/u?aca38205

http://www.nessus.org/u?d45da10d

http://www.nessus.org/u?0f076bbb

http://www.nessus.org/u?9f26eed9

http://www.nessus.org/u?21aa89cb

http://www.nessus.org/u?f455a86b

http://www.nessus.org/u?17636c22

http://www.nessus.org/u?0e4b3dfb

http://www.nessus.org/u?7c4de272

https://lists.debian.org/debian-lts-announce/2019/01/msg00014.html

https://packages.debian.org/source/jessie/apt

Plugin Details

Severity: High

ID: 121314

Filename: debian_DLA-1637.nasl

Version: 1.6

Type: local

Agent: unix

Published: 2019/1/23

Updated: 2021/1/11

Supported Sensors: Agentless Assessment, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: High

Score: 7.4

CVSS v2

Risk Factor: High

Base Score: 9.3

Temporal Score: 6.9

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

CVSS v3

Risk Factor: High

Base Score: 8.1

Temporal Score: 7.1

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:apt, p-cpe:/a:debian:debian_linux:apt-doc, p-cpe:/a:debian:debian_linux:apt-transport-https, p-cpe:/a:debian:debian_linux:apt-utils, p-cpe:/a:debian:debian_linux:libapt-inst1.5, p-cpe:/a:debian:debian_linux:libapt-pkg-dev, p-cpe:/a:debian:debian_linux:libapt-pkg-doc, p-cpe:/a:debian:debian_linux:libapt-pkg4.12, cpe:/o:debian:debian_linux:8.0

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Ease: No known exploits are available

Patch Publication Date: 2019/1/22

Vulnerability Publication Date: 2019/1/28

Reference Information

CVE: CVE-2019-3462