ELA-76-1 apt security update

Redirect header injection vulnerability

2019-01-22
Package: apt
Version: 0.9.7.9+deb7u8
Related CVEs: CVE-2019-3462


The HTTP redirect handling code did not properly sanitise fields transmitted over the wire. A man-in-the-middle attacker positioned between APT and a mirror could use this to inject malicious content into the HTTP connection. APT would then recognise that content as a valid package and install it, leading to potential code execution with root privileges on the target machine.
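To make the class of bug concrete, the following is an added illustration, not code from apt or from the advisory. It models a line-oriented "Key: value" control message of the kind a transport method hands back to the main process, and shows how a redirect target copied into such a message unchecked lets an attacker-supplied newline smuggle in extra fields, alongside the check that rejects it. The message layout, the field names (Location, Size, Checksum) and the sample redirect target are constructed for the example and are not a claim about the exact fields apt exchanges.

```python
"""Added illustration (not apt's code): an unsanitised redirect target
smuggling extra fields into a line-oriented 'Key: value' control message.

The message format, field names and sample values below are constructed
approximations for the demonstration, not apt's actual wire protocol.
"""


def parse_message(raw: bytes) -> dict:
    """Parse one 'Key: value' message; fields end at the first blank line."""
    fields = {}
    for line in raw.split(b"\n"):
        if line == b"":
            break
        key, _, value = line.partition(b":")  # split on the first colon only
        fields[key.strip().decode()] = value.strip().decode()
    return fields


def build_redirect_vulnerable(location: bytes) -> bytes:
    """'Before' behaviour: the wire value is copied into the message as-is."""
    return b"Location: " + location + b"\n\n"


class HeaderInjection(ValueError):
    """Raised when a wire value could terminate the line it is placed on."""


def build_redirect_hardened(location: bytes) -> bytes:
    """'After' behaviour: refuse any value containing CR or LF, since either
    would end the Location line and let the sender start new fields."""
    if b"\r" in location or b"\n" in location:
        raise HeaderInjection("control characters in redirect target")
    return b"Location: " + location + b"\n\n"


# Constructed attacker-controlled redirect target (hypothetical mirror URL):
# a MITM answers the client with a Location whose value embeds a newline
# followed by fields it wants the client to trust.
EVIL_LOCATION = (
    b"http://mirror.example/pool/main/x/x_1.0_amd64.deb"
    b"\nSize: 1234"
    b"\nChecksum: deadbeef"
)

BENIGN_LOCATION = b"http://mirror.example/pool/main/x/x_1.0_amd64.deb"


def demo_vulnerable() -> dict:
    """Unchecked path: the injected Size/Checksum fields appear as real fields."""
    return parse_message(build_redirect_vulnerable(EVIL_LOCATION))


def demo_hardened() -> str:
    """Checked path: the same redirect target is rejected before serialisation."""
    try:
        build_redirect_hardened(EVIL_LOCATION)
    except HeaderInjection as exc:
        return str(exc)
    return "accepted"


def demo_benign() -> dict:
    """A normal redirect target passes the hardened check unchanged."""
    return parse_message(build_redirect_hardened(BENIGN_LOCATION))


if __name__ == "__main__":
    print("vulnerable:", demo_vulnerable())
    print("hardened:  ", demo_hardened())
    print("benign:    ", demo_benign())
```

The point of the hardened variant is that the check sits at the trust boundary: the value came from the network, so it is validated before it is placed on a line whose other fields the receiver trusts. Rejecting CR and LF (rather than, say, only stripping a trailing newline) closes the whole class of line-terminator injection for this message format.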

Since the vulnerability is present in the package manager itself, the upgrade that fixes it is fetched by the vulnerable code. It is therefore recommended to disable redirects for the duration of this upgrade only, so that a man-in-the-middle cannot exploit the flaw while the fix is being downloaded:

apt -o Acquire::http::AllowRedirect=false update
apt -o Acquire::http::AllowRedirect=false upgrade


For Debian 7 Wheezy, these problems have been fixed in version 0.9.7.9+deb7u8.

We recommend that you upgrade your apt packages.

Further information about Extended LTS security advisories can be found in the dedicated section of our website.