ELA-76-1 apt security update

Redirect header injection vulnerability

Packageapt
Version0.9.7.9+deb7u8
Related CVE CVE-2019-3462

The HTTP redirects handling code did not properly sanitise fields transmitted over the wire. This vulnerability could be used by an man-in-the-middle attacker between APT and a mirror to inject malicious content in the HTTP connection. This content would then be recognised as a valid package by APT and used later for potential code execution with root privileges on the target machine.

Since the vulnerability is present in the package manager itself it is recommended to disable redirects in order to prevent exploitation (during this upgrade only):

apt -o Acquire::http::AllowRedirect=false update
apt -o Acquire::http::AllowRedirect=false upgrade

For Debian 7 Wheezy, these problems have been fixed in version 0.9.7.9+deb7u8.

We recommend that you upgrade your apt packages.

Further information about Extended LTS security advisories can be found at: https://deb.freexian.com/extended-lts/