ID OPENVAS:1361412562310843878 Type openvas Reporter Copyright (C) 2019 Greenbone Networks GmbH Modified 2019-03-18T00:00:00
Description
The remote host is missing an update for the 'apt' package(s) announced via the USN-3863-1 advisory.
###############################################################################
# OpenVAS Vulnerability Test
# $Id: gb_ubuntu_USN_3863_1.nasl 14288 2019-03-18 16:34:17Z cfischer $
#
# Ubuntu Update for apt USN-3863-1
#
# Authors:
# System Generated Check
#
# Copyright:
# Copyright (C) 2019 Greenbone Networks GmbH, http://www.greenbone.net
# Text descriptions are largely excerpted from the referenced
# advisory, and are Copyright (c) the respective author(s)
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2
# (or any later version), as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
###############################################################################
if(description)
{
  # Plugin identity: OID in the Greenbone/OpenVAS namespace, feed revision,
  # display name, owner and the family the scanner files it under.
  script_oid("1.3.6.1.4.1.25623.1.0.843878");
  script_version("$Revision: 14288 $");
  script_name("Ubuntu Update for apt USN-3863-1");
  script_copyright("Copyright (C) 2019 Greenbone Networks GmbH");
  script_family("Ubuntu Local Security Checks");
  script_category(ACT_GATHER_INFO);

  # Bookkeeping dates and the advisory / CVE this check is derived from.
  script_tag(name:"creation_date", value:"2019-01-23 04:02:04 +0100 (Wed, 23 Jan 2019)");
  script_tag(name:"last_modification", value:"$Date: 2019-03-18 17:34:17 +0100 (Mon, 18 Mar 2019) $");
  script_cve_id("CVE-2019-3462");
  script_xref(name:"USN", value:"3863-1");
  script_xref(name:"URL", value:"http://www.ubuntu.com/usn/usn-3863-1/");

  # Severity as published with the advisory (CVSSv2 base score and vector).
  script_tag(name:"cvss_base", value:"9.3");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:M/Au:N/C:C/I:C/A:C");

  # Prerequisites: the package list must already have been collected over SSH,
  # and the reported release must be one of the four Ubuntu versions the
  # advisory covers. The release strings here must agree with the ones the
  # detection code below compares against.
  script_dependencies("gather-package-list.nasl");
  script_mandatory_keys("ssh/login/ubuntu_linux", "ssh/login/packages", re:"ssh/login/release=UBUNTU(14\.04 LTS|18\.04 LTS|18\.10|16\.04 LTS)");

  # Report text, largely excerpted from USN-3863-1.
  script_tag(name:"summary", value:"The remote host is missing an update for the 'apt'
package(s) announced via the USN-3863-1 advisory.");
  script_tag(name:"insight", value:"Max Justicz discovered that APT incorrectly handled certain parameters
during redirects. If a remote attacker were able to perform a
man-in-the-middle attack, this flaw could potentially be used to install
altered packages.");
  script_tag(name:"affected", value:"apt on Ubuntu 18.10,
Ubuntu 18.04 LTS,
Ubuntu 16.04 LTS,
Ubuntu 14.04 LTS.");
  script_tag(name:"solution", value:"Please install the updated package(s).");
  script_tag(name:"solution_type", value:"VendorFix");

  # How the verdict is reached: a package-version comparison, not a probe of
  # the vulnerable behaviour itself.
  script_tag(name:"vuldetect", value:"Checks if a vulnerable package version is present on the target host.");
  script_tag(name:"qod_type", value:"package");

  exit(0);
}
include("revisions-lib.inc");
include("pkg-lib-deb.inc");
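# Release string as reported over SSH (e.g. "UBUNTU18.04 LTS"). Without it the
# package list was not collected and there is nothing to compare against.
release = dpkg_get_ssh_release();
if(!release) exit(0);

# First fixed apt version per supported release, as listed in USN-3863-1.
# One table instead of four copies of the same check; the keys must match the
# release strings accepted by script_mandatory_keys() in the description block.
fixed_versions = make_array(
  "UBUNTU14.04 LTS", "1.0.1ubuntu2.19",
  "UBUNTU16.04 LTS", "1.2.29ubuntu0.1",
  "UBUNTU18.04 LTS", "1.6.6ubuntu0.1",
  "UBUNTU18.10",     "1.7.0ubuntu0.1");

# A release not covered by the advisory ends the script without a verdict,
# exactly as the former fall-through past the last if-block did.
fixed = fixed_versions[release];
if(isnull(fixed)) exit(0);

res = "";

# isdpkgvuln() returns report text when the installed apt is older than the
# fixed version. This is purely a version comparison (qod_type "package"):
# it cannot see whether a locally rebuilt or backported package already
# carries the fix, so such hosts will still be reported.
if((res = isdpkgvuln(pkg:"apt", ver:fixed, rls:release)) != NULL)
{
  security_message(data:res);
  exit(0);
}

# __pkg_match is presumably set by the dpkg helper library when apt was found
# installed but not at a vulnerable version; exit(99) is the Greenbone feed's
# "tested, not affected" result, as opposed to exit(0) for "not tested".
if(__pkg_match) exit(99);
exit(0);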
{"id": "OPENVAS:1361412562310843878", "type": "openvas", "bulletinFamily": "scanner", "title": "Ubuntu Update for apt USN-3863-1", "description": "The remote host is missing an update for the ", "published": "2019-01-23T00:00:00", "modified": "2019-03-18T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310843878", "reporter": "Copyright (C) 2019 Greenbone Networks GmbH", "references": ["3863-1", "http://www.ubuntu.com/usn/usn-3863-1/"], "cvelist": ["CVE-2019-3462"], "lastseen": "2019-05-29T18:32:23", "viewCount": 6, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2019-3462"]}, {"type": "f5", "idList": ["F5:K22356857"]}, {"type": "debian", "idList": ["DEBIAN:DLA-1637-1:9E21E", "DEBIAN:DLA-1637-1:575F5", "DEBIAN:DSA-4371-1:FF7D6"]}, {"type": "nessus", "idList": ["UBUNTU_USN-3863-1.NASL", "DEBIAN_DSA-4371.NASL", "DEBIAN_DLA-1637.NASL"]}, {"type": "ubuntu", "idList": ["USN-3863-2", "USN-3863-1"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310704371", "OPENVAS:1361412562310891637"]}, {"type": "cloudfoundry", "idList": ["CFOUNDRY:C768FE56A2CAF17D23742FB506948084"]}, {"type": "thn", "idList": ["THN:F6853E831C781800D5D2BCC757A674A8"]}, {"type": "myhack58", "idList": ["MYHACK58:62201992718"]}, {"type": "kitploit", "idList": ["KITPLOIT:7323577050718865961"]}], "modified": "2019-05-29T18:32:23", "rev": 2}, "score": {"value": 5.0, "vector": "NONE", "modified": "2019-05-29T18:32:23", "rev": 2}, "vulnersScore": 5.0}, "pluginID": "1361412562310843878", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_3863_1.nasl 14288 2019-03-18 16:34:17Z cfischer $\n#\n# Ubuntu Update for apt USN-3863-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2019 Greenbone Networks GmbH, http://www.greenbone.net\n# Text descriptions are largely excerpted 
from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.843878\");\n script_version(\"$Revision: 14288 $\");\n script_cve_id(\"CVE-2019-3462\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-18 17:34:17 +0100 (Mon, 18 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2019-01-23 04:02:04 +0100 (Wed, 23 Jan 2019)\");\n script_name(\"Ubuntu Update for apt USN-3863-1\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU(14\\.04 LTS|18\\.04 LTS|18\\.10|16\\.04 LTS)\");\n\n script_xref(name:\"USN\", value:\"3863-1\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-3863-1/\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'apt'\n package(s) announced via the USN-3863-1 
advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Max Justicz discovered that APT incorrectly handled certain parameters\nduring redirects. If a remote attacker were able to perform a\nman-in-the-middle attack, this flaw could potentially be used to install\naltered packages.\");\n\n script_tag(name:\"affected\", value:\"apt on Ubuntu 18.10,\n Ubuntu 18.04 LTS,\n Ubuntu 16.04 LTS,\n Ubuntu 14.04 LTS.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU14.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"apt\", ver:\"1.0.1ubuntu2.19\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU18.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"apt\", ver:\"1.6.6ubuntu0.1\", rls:\"UBUNTU18.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU18.10\")\n{\n\n if ((res = isdpkgvuln(pkg:\"apt\", ver:\"1.7.0ubuntu0.1\", rls:\"UBUNTU18.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU16.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"apt\", ver:\"1.2.29ubuntu0.1\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "naslFamily": "Ubuntu Local Security Checks"}
{"cve": [{"lastseen": "2020-12-09T21:41:52", "description": "Incorrect sanitation of the 302 redirect field in HTTP transport method of apt versions 1.4.8 and earlier can lead to content injection by a MITM attacker, potentially leading to remote code execution on the target machine.", "edition": 8, "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2019-01-28T21:29:00", "title": "CVE-2019-3462", "type": "cve", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-3462"], "modified": "2020-08-24T17:37:00", "cpe": ["cpe:/o:canonical:ubuntu_linux:18.04", "cpe:/o:debian:debian_linux:8.0", "cpe:/a:netapp:active_iq:-", "cpe:/o:canonical:ubuntu_linux:12.04", "cpe:/o:canonical:ubuntu_linux:18.10", "cpe:/o:canonical:ubuntu_linux:16.04", "cpe:/a:debian:advanced_package_tool:1.4.8", "cpe:/a:netapp:element_software:-", "cpe:/o:canonical:ubuntu_linux:14.04", "cpe:/o:debian:debian_linux:9.0"], "id": "CVE-2019-3462", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-3462", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": 
["cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "cpe:2.3:a:netapp:element_software:-:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:esm:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*", "cpe:2.3:a:debian:advanced_package_tool:1.4.8:*:*:*:*:*:*:*", "cpe:2.3:a:netapp:active_iq:-:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:18.10:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*"]}], "f5": [{"lastseen": "2020-04-06T22:39:32", "bulletinFamily": "software", "cvelist": ["CVE-2019-3462"], "description": "\nF5 Product Development has evaluated the currently supported releases for potential vulnerability, and no F5 products were found to be vulnerable.\n\nNone\n\n * [K51812227: Understanding Security Advisory versioning](<https://support.f5.com/csp/article/K51812227>)\n * [K41942608: Overview of AskF5 Security Advisory articles](<https://support.f5.com/csp/article/K41942608>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n", "edition": 1, "modified": "2019-03-06T18:21:00", "published": "2019-03-06T18:21:00", "id": "F5:K22356857", "href": "https://support.f5.com/csp/article/K22356857", "title": "APT remote code injection vulnerability CVE-2019-3462", "type": "f5", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "thn": [{"lastseen": "2019-01-23T08:54:08", "bulletinFamily": "info", "cvelist": ["CVE-2019-3462"], "description": "[](<https://1.bp.blogspot.com/-Xr_uh8OpzQw/XEdACUTBDCI/AAAAAAAAzGg/v9nHhEalLNQNwqytRWeiYju9PeZtRbMbgCLcBGAs/s728-e100/linux-apt-https-hacking.png>)\n\nJust in time\u2026 \n 
\nSome cybersecurity experts this week arguing over Twitter [in favor of not using HTTPS](<https://twitter.com/TheHackersNews/status/1086659984958652416>) and suggesting software developers to only rely on signature-based package verification, just because APT on Linux also does the same. \n \nIronically, a security researcher just today revealed details of a new critical remote code execution flaw in the **apt-get utility** that can be exploited by a remote, man-in-the middle attacker to compromise Linux machines. \n \nThe flaw, apparently, once again demonstrates that if the software download ecosystem uses HTTPS to communicate safely, such attacks can easily be mitigated at the first place. \n \nDiscovered by Max Justicz, the vulnerability (CVE-2019-3462) resides in the APT package manager, a widely used utility that handles installation, update and removal of software on Debian, Ubuntu, and other Linux distributions. \n\n\n \nAccording to a [blog post](<https://justi.cz/security/2019/01/22/apt-rce.html>) published by Justicz and details shared with The Hacker News, the APT utility doesn't properly sanitize certain parameters during HTTP redirects, allowing man-in-the-middle attackers to inject malicious content and trick the system into installing altered packages. \n \nAPT HTTP redirects help Linux machines to automatically find suitable mirror server to download software packages when others are unavailable. If the first server somehow fails, it returns a response with the location of next server from where the client should request the package. 
\n\n\n> \"Unfortunately, the HTTP fetcher process URL-decodes the HTTP Location header and blindly appends it to the 103 Redirect response,\" Justicz explains.\n\nAs shown by the researcher in a video demonstration shared with The Hacker News, an attacker\u2014intercepting HTTP traffic between APT utility and a mirror server, or just a malicious mirror\u2014can inject malicious packages in the network traffic and execute arbitrary code on the targeted system with the highest level of privileges, i.e. root. \n\n\n> \"You can completely replace the requested package, as in my proof of concept. You could substitute a modified package as well, if you wanted to,\" Justicz told THN.\n\nThough Justicz has not tested, he believes the vulnerability affects all type of package downloads, even if you are installing a package for the very first time or updating an old one. \n\n\nNo doubt, to protect the integrity of the software packages, it's important to use signature-based verification, as software developers do not have control over mirror servers, but that doesn't mean one should ignore benefits of using HTTPS protocol over the complexity of infrastructural upgrades in some particular cases. \n\n\n \nNo software, platform or server can claim to be 100% secure, so adopting the idea of defense-in-depth is never a bad idea to consider. \n \nIt should also be noted that cybersecurity experts do not expect organizations or open-source developers to implement HTTPS overnight, but they should also not even reject the defensive measures completely. \n\n\n> \"By default, Debian and Ubuntu both use plain http repositories out of the box (Debian lets you pick what mirror you want during installation, but doesn't actually ship with support for https repositories \u2013 you have to install apt-transport-https first),\" the researcher explains. \n \n\"Supporting http is fine. 
I just think it's worth making https repositories the default \u2013 the safer default \u2013 and allowing users to downgrade their security at a later time if they choose to do so.\"\n\nThe developers of APT software have released updated version 1.4.9 to fix the reported remote code execution vulnerability. \n \nSince apt-get is part of many major Linux distributions including [Debian](<https://lists.debian.org/debian-security-announce/2019/msg00010.html>) and [Ubuntu](<https://usn.ubuntu.com/3863-1/>), who have also acknowledged the flaw and released security updates, it is highly recommended for Linux users to update their systems as soon as possible.\n", "modified": "2019-01-23T08:19:45", "published": "2019-01-22T16:20:00", "id": "THN:F6853E831C781800D5D2BCC757A674A8", "href": "https://thehackernews.com/2019/01/linux-apt-http-hacking.html", "type": "thn", "title": "Critical RCE Flaw in Linux APT Allows Remote Attackers to Hack Systems", "cvss": {"score": 0.0, "vector": "NONE"}}], "debian": [{"lastseen": "2020-08-12T01:02:29", "bulletinFamily": "unix", "cvelist": ["CVE-2019-3462"], "description": "Package : apt\nVersion : 1.0.9.8.5\nCVE ID : CVE-2019-3462\nDebian Bug :\n\n(amended to refer to jessie in the sources.list entry below, instead of\n stable)\n\nMax Justicz discovered a vulnerability in APT, the high level package manager.\nThe code handling HTTP redirects in the HTTP transport method doesn't properly\nsanitize fields transmitted over the wire. This vulnerability could be used by\nan attacker located as a man-in-the-middle between APT and a mirror to inject\nmalicous content in the HTTP connection. 
This content could then be recognized\nas a valid package by APT and used later for code execution with root\nprivileges on the target machine.\n\nSince the vulnerability is present in the package manager itself, it is\nrecommended to disable redirects in order to prevent exploitation during this\nupgrade only, using:\n\n apt -o Acquire::http::AllowRedirect=false update\n apt -o Acquire::http::AllowRedirect=false upgrade\n\nThis is known to break some proxies when used against security.debian.org. If\nthat happens, people can switch their security APT source to use:\n\n deb http://cdn-fastly.deb.debian.org/debian-security jessie/updates main\n\nFor Debian 8 "Jessie", this problem has been fixed in version\n1.0.9.8.5.\n\nWe recommend that you upgrade your apt packages.\n\nSpecific upgrade instructions:\n\nIf upgrading using APT without redirect is not possible in your situation, you\ncan manually download the files (using wget/curl) for your architecture using\nthe URL provided below, verifying that the hashes match. 
Then you can install\nthem using dpkg -i.\n\nArchitecture independent files:\n\nhttp://security.debian.org/debian-security/pool/updates/main/a/apt/apt-doc_1.0.9.8.5_all.deb\n Size/SHA256 checksum: 301106 47df9567e45fadcd2a56c0fd3d514d8136f2f206aa7baa47405c6fcb94824ab6\nhttp://security.debian.org/debian-security/pool/updates/main/a/apt/libapt-pkg-doc_1.0.9.8.5_all.deb\n Size/SHA256 checksum: 750506 ce79b2ef272716b8da11f3fd0497ce0b7ee69c9c66d01669e8abbbfdde5e6256\n\namd64 architecture:\n\nhttp://security.debian.org/debian-security/pool/updates/main/a/apt/libapt-pkg4.12_1.0.9.8.5_amd64.deb\n Size/SHA256 checksum: 792126 295d9c69854a4cfbcb46001b09b853f5a098a04c986fc5ae01a0124c1c27e6bd\nhttp://security.debian.org/debian-security/pool/updates/main/a/apt/libapt-inst1.5_1.0.9.8.5_amd64.deb\n Size/SHA256 checksum: 168896 f9615532b1577b3d1455fa51839ce91765f2860eb3a6810fb5e0de0c87253030\nhttp://security.debian.org/debian-security/pool/updates/main/a/apt/apt_1.0.9.8.5_amd64.deb\n Size/SHA256 checksum: 1109308 4078748632abc19836d045f80f9d6933326065ca1d47367909a0cf7f29e7dfe8\nhttp://security.debian.org/debian-security/pool/updates/main/a/apt/libapt-pkg-dev_1.0.9.8.5_amd64.deb\n Size/SHA256 checksum: 192950 09ef86d178977163b8cf0081d638d74e0a90c805dd77750c1d91354b6840b032\nhttp://security.debian.org/debian-security/pool/updates/main/a/apt/apt-utils_1.0.9.8.5_amd64.deb\n Size/SHA256 checksum: 368396 87c55d9ccadcabd59674873c221357c774020c116afd978fb9df6d2d0303abf2\nhttp://security.debian.org/debian-security/pool/updates/main/a/apt/apt-transport-https_1.0.9.8.5_amd64.deb\n Size/SHA256 checksum: 137230 f5a17422fd319ff5f6e3ea9a9e87d2508861830120125484130da8c1fd479df2\n\narmel architecture:\n\nhttp://security.debian.org/debian-security/pool/updates/main/a/apt/libapt-pkg4.12_1.0.9.8.5_armel.deb\n Size/SHA256 checksum: 717002 
80fe021d87f2444abdd7c5491e7a4bf9ab9cb2b8e6fa72d308905f4e0aad60d4\nhttp://security.debian.org/debian-security/pool/updates/main/a/apt/libapt-inst1.5_1.0.9.8.5_armel.deb\n Size/SHA256 checksum: 166784 046fb962fa214c5d6acfb7344e7719f8c4898d87bf29ed3cd2115e3f6cdd14e9\nhttp://security.debian.org/debian-security/pool/updates/main/a/apt/apt_1.0.9.8.5_armel.deb\n Size/SHA256 checksum: 1067404 f9a257d6aace1f222633e0432abf1d6946bad9dbd0ca18dccb288d50f17b895f\nhttp://security.debian.org/debian-security/pool/updates/main/a/apt/libapt-pkg-dev_1.0.9.8.5_armel.deb\n Size/SHA256 checksum: 193768 4cb226f55132a68a2f5db925ada6147aaf052adb02301fb45fb0c2d1cfce36f0\nhttp://security.debian.org/debian-security/pool/updates/main/a/apt/apt-utils_1.0.9.8.5_armel.deb\n Size/SHA256 checksum: 353178 38042838d8bc79642e5389be7d2d2d967cbf316805d4c8c2d6afbe1bc164aacc\nhttp://security.debian.org/debian-security/pool/updates/main/a/apt/apt-transport-https_1.0.9.8.5_armel.deb\n Size/SHA256 checksum: 134932 755b6d22f5914f3153a1c15427e5221507b174c0a4c6b860ebd16234c9e9a146\n\narmhf architecture:\n\nhttp://security.debian.org/debian-security/pool/updates/main/a/apt/libapt-pkg4.12_1.0.9.8.5_armhf.deb\n Size/SHA256 checksum: 734302 0f48f6d0406afdf0bd4d39e90e56460fab3d9b5fa4c91e2dca78ec22caf2fe2a\nhttp://security.debian.org/debian-security/pool/updates/main/a/apt/libapt-inst1.5_1.0.9.8.5_armhf.deb\n Size/SHA256 checksum: 166556 284a1ffd529e1daab3c300be17a20f11450555be9c0af166d9796c18147a03ba\nhttp://security.debian.org/debian-security/pool/updates/main/a/apt/apt_1.0.9.8.5_armhf.deb\n Size/SHA256 checksum: 1078212 08d85c30c8e4a6df0dced8e232a6c7639caa231acef4af8fdee2c1e07f0178ba\nhttp://security.debian.org/debian-security/pool/updates/main/a/apt/libapt-pkg-dev_1.0.9.8.5_armhf.deb\n Size/SHA256 checksum: 193796 3a26bd79677b46ce0a992e2ac808c4bbd2d5b3fc37b57fc93c8efa114de1adaa\nhttp://security.debian.org/debian-security/pool/updates/main/a/apt/apt-utils_1.0.9.8.5_armhf.deb\n Size/SHA256 checksum: 357074 
19dec9ffc0fe4a86d6e61b5213e75c55ae6aaade6f3804f90e2e4034bbdc44d8\nhttp://security.debian.org/debian-security/pool/updates/main/a/apt/apt-transport-https_1.0.9.8.5_armhf.deb\n Size/SHA256 checksum: 135072 06ba556c5218e58fd14119e3b08a08f685209a0cbe09f2328bd572cabc580bca\n\ni386 architecture:\n\nhttp://security.debian.org/debian-security/pool/updates/main/a/apt/libapt-pkg4.12_1.0.9.8.5_i386.deb\n Size/SHA256 checksum: 800840 201b6cf4625ed175e6a024ac1f7ca6c526ca79d859753c125b02cd69e26c349d\nhttp://security.debian.org/debian-security/pool/updates/main/a/apt/libapt-inst1.5_1.0.9.8.5_i386.deb\n Size/SHA256 checksum: 170484 5791661dd4ade72b61086fefdc209bd1f76ac7b7c812d6d4ba951b1a6232f0b9\nhttp://security.debian.org/debian-security/pool/updates/main/a/apt/apt_1.0.9.8.5_i386.deb\n Size/SHA256 checksum: 1110418 13c230e9c544b1e67a8da413046bf1728526372170533b1a23e70cc99c40a228\nhttp://security.debian.org/debian-security/pool/updates/main/a/apt/libapt-pkg-dev_1.0.9.8.5_i386.deb\n Size/SHA256 checksum: 193780 c5b1bfa913ea2e2e332c228f5c5fe4dbc11ab334d0551a68ba6e87e94a51ffee\nhttp://security.debian.org/debian-security/pool/updates/main/a/apt/apt-utils_1.0.9.8.5_i386.deb\n Size/SHA256 checksum: 371218 1a74b12c8bb6b3968a721f3aa96739073e4fe2ced9302792c533e21535bc9cf4\nhttp://security.debian.org/debian-security/pool/updates/main/a/apt/apt-transport-https_1.0.9.8.5_i386.deb\n Size/SHA256 checksum: 139036 32148d92914a97df8bbb9f223e788dcbc7c39e570cf48e6759cb483a65b68666\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS\n\n--\ndebian developer - deb.li/jak | jak-linux.org - free software dev\nubuntu core developer i speak de, en\n", "edition": 11, "modified": "2019-01-22T14:55:53", "published": "2019-01-22T14:55:53", "id": "DEBIAN:DLA-1637-1:575F5", "href": "https://lists.debian.org/debian-lts-announce/2019/debian-lts-announce-201901/msg00014.html", "title": 
"[SECURITY] [DLA 1637-1] apt security update (amended)", "type": "debian", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-08-12T00:56:00", "bulletinFamily": "unix", "cvelist": ["CVE-2019-3462"], "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-4371-1 security@debian.org\nhttps://www.debian.org/security/ Yves-Alexis Perez\nJanuary 22, 2019 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : apt\nCVE ID : CVE-2019-3462\n\nMax Justicz discovered a vulnerability in APT, the high level package manager.\nThe code handling HTTP redirects in the HTTP transport method doesn't properly\nsanitize fields transmitted over the wire. This vulnerability could be used by\nan attacker located as a man-in-the-middle between APT and a mirror to inject\nmalicous content in the HTTP connection. This content could then be recognized\nas a valid package by APT and used later for code execution with root\nprivileges on the target machine.\n\nSince the vulnerability is present in the package manager itself, it is\nrecommended to disable redirects in order to prevent exploitation during this\nupgrade only, using:\n\n apt -o Acquire::http::AllowRedirect=false update\n apt -o Acquire::http::AllowRedirect=false upgrade\n\nThis is known to break some proxies when used against security.debian.org. 
If\nthat happens, people can switch their security APT source to use:\n\n deb http://cdn-fastly.deb.debian.org/debian-security stable/updates main\n\nFor the stable distribution (stretch), this problem has been fixed in\nversion 1.4.9.\n\nWe recommend that you upgrade your apt packages.\n\nSpecific upgrade instructions:\n\nIf upgrading using APT without redirect is not possible in your situation, you\ncan manually download the files (using wget/curl) for your architecture using\nthe URL provided below, verifying that the hashes match. Then you can install\nthem using dpkg -i.\n\nSource archives:\n\nhttp://security.debian.org/pool/updates/main/a/apt/apt_1.4.9.dsc\n\tSize/SHA256 checksum:\t2549\t986d98b00caac809341f65acb3d14321d645ce8e87e411c26c66bf149a10dfea\nhttp://security.debian.org/pool/updates/main/a/apt/apt_1.4.9.tar.xz\n\tSize/SHA256 checksum:\t2079572\td4d65e7c84da86f3e6dcc933bba46a08db429c9d933b667c864f5c0e880bac0d\n\nArchitecture independent files:\n\nhttp://security.debian.org/pool/updates/main/a/apt/apt-doc_1.4.9_all.deb\n\tSize/SHA256 checksum:\t365094\t8880640591f64ab7b798f0421d18cba618512ca61ed7c44fbbbb6140423551d5\nhttp://security.debian.org/pool/updates/main/a/apt/libapt-pkg-doc_1.4.9_all.deb\n\tSize/SHA256 checksum:\t1004234\t42f4c5945c4c471c3985db1cec7adcac516cc21a497a438f3ea0a2bfa7ffe036\n\namd64 architecture:\n\nhttp://security.debian.org/pool/updates/main/a/apt/apt-dbgsym_1.4.9_amd64.deb\n\tSize/SHA256 checksum:\t4450936\t1da507155c7b1ad140739c62fdacceaf5b5ee3765b1a00c3a3527d9d82a8d533\nhttp://security.debian.org/pool/updates/main/a/apt/apt-transport-https-dbgsym_1.4.9_amd64.deb\n\tSize/SHA256 checksum:\t292612\t59f3e1c91664fe3b47048794560ebe9c41f1eeccbdd95f7715282f8cbe449060\nhttp://security.debian.org/pool/updates/main/a/apt/apt-transport-https_1.4.9_amd64.deb\n\tSize/SHA256 
checksum:\t170820\tc8c4366d1912ff8223615891397a78b44f313b0a2f15a970a82abe48460490cb\nhttp://security.debian.org/pool/updates/main/a/apt/apt-utils-dbgsym_1.4.9_amd64.deb\n\tSize/SHA256 checksum:\t1289344\te3e157c291b05b2899a545331c7597ab36ca04e02cd9010562b9985b76af60db\nhttp://security.debian.org/pool/updates/main/a/apt/apt-utils_1.4.9_amd64.deb\n\tSize/SHA256 checksum:\t409958\tfb227d1c4615197a6263e7312851ac3601d946221cfd85f20427a15ab9658d15\nhttp://security.debian.org/pool/updates/main/a/apt/apt_1.4.9_amd64.deb\n\tSize/SHA256 checksum:\t1231594\tdddf4ff686845b82c6c778a70f1f607d0bb9f8aa43f2fb7983db4ff1a55f5fae\nhttp://security.debian.org/pool/updates/main/a/apt/libapt-inst2.0-dbgsym_1.4.9_amd64.deb\n\tSize/SHA256 checksum:\t221646\t0e66db1f74827f06c55ac36cc961e932cd0a9a6efab91b7d1159658bab5f533e\nhttp://security.debian.org/pool/updates/main/a/apt/libapt-inst2.0_1.4.9_amd64.deb\n\tSize/SHA256 checksum:\t192382\ta099c57d20b3e55d224433b7a1ee972f6fdb79911322882d6e6f6a383862a57d\nhttp://security.debian.org/pool/updates/main/a/apt/libapt-pkg-dev_1.4.9_amd64.deb\n\tSize/SHA256 checksum:\t235220\tcfb0a03ecd22aba066d97e75d4d00d791c7a3aceb2e5ec4fbee7176389717404\nhttp://security.debian.org/pool/updates/main/a/apt/libapt-pkg5.0-dbgsym_1.4.9_amd64.deb\n\tSize/SHA256 checksum:\t6076102\tcdb03ddd57934e773a579a89f32f11567710a39d6ac289e73efb20e8825874d1\nhttp://security.debian.org/pool/updates/main/a/apt/libapt-pkg5.0_1.4.9_amd64.deb\n\tSize/SHA256 checksum:\t916448\t03281e3d1382826d5989c12c77a9b27f5f752b0f6aa28b524a2df193f7296e0b\n\narm64 architecture:\n\nhttp://security.debian.org/pool/updates/main/a/apt/apt-dbgsym_1.4.9_arm64.deb\n\tSize/SHA256 checksum:\t4420208\tc20e28d760cf99005ef16851f3f0c25b576ceaf6e6658a233066800a98c00025\nhttp://security.debian.org/pool/updates/main/a/apt/apt-transport-https-dbgsym_1.4.9_arm64.deb\n\tSize/SHA256 
checksum:\t288966\t6e72a2123194ac5bb678305a67ac9cd4e5ca1df3771f753e4e29bed5e64f82f6\nhttp://security.debian.org/pool/updates/main/a/apt/apt-transport-https_1.4.9_arm64.deb\n\tSize/SHA256 checksum:\t167674\t6635e174290f89555a2eb9cbc083b1fa566b2cd65318212c8c760b87bfb2c544\nhttp://security.debian.org/pool/updates/main/a/apt/apt-utils-dbgsym_1.4.9_arm64.deb\n\tSize/SHA256 checksum:\t1269592\t8c1970c394c6606f867ef97dd252fdb0aad0c3d2836905d7fcf9c099c55daaaf\nhttp://security.debian.org/pool/updates/main/a/apt/apt-utils_1.4.9_arm64.deb\n\tSize/SHA256 checksum:\t401136\tf7e95f4fbc94409ff4dceb16626beb6cd0eecff5e6982e1bf808af014ea7331f\nhttp://security.debian.org/pool/updates/main/a/apt/apt_1.4.9_arm64.deb\n\tSize/SHA256 checksum:\t1202864\t54abf458ed6b78f56638771fa30cdc9e482469cc0e2dfc2146b3606ea22a3449\nhttp://security.debian.org/pool/updates/main/a/apt/libapt-inst2.0-dbgsym_1.4.9_arm64.deb\n\tSize/SHA256 checksum:\t220694\t8ca1d140c34e5c3b9155cd5e3d7946338c7f5e34794f54cfeae1fd12c213a5e7\nhttp://security.debian.org/pool/updates/main/a/apt/libapt-inst2.0_1.4.9_arm64.deb\n\tSize/SHA256 checksum:\t191188\t27d1254e03a80f77458e2c2aceb097c9a85e9cefb4623643a1e25b45e0b889ae\nhttp://security.debian.org/pool/updates/main/a/apt/libapt-pkg-dev_1.4.9_arm64.deb\n\tSize/SHA256 checksum:\t235220\t3f046e34009db988edd4e0474b13100ba92adf3beac16456785ee16940b51f2d\nhttp://security.debian.org/pool/updates/main/a/apt/libapt-pkg5.0-dbgsym_1.4.9_arm64.deb\n\tSize/SHA256 checksum:\t5994222\t0dac2646923b74f9b73b239abee516cc312aabce30fe3fa8d59d1686ba6bae35\nhttp://security.debian.org/pool/updates/main/a/apt/libapt-pkg5.0_1.4.9_arm64.deb\n\tSize/SHA256 checksum:\t855612\tc3b333927f340bb044ec44f2bfe2abced35ebb3e91457ae91249d26058e7b796\n\narmel architecture:\n\nhttp://security.debian.org/pool/updates/main/a/apt/apt-dbgsym_1.4.9_armel.deb\n\tSize/SHA256 
checksum:\t4350626\t75be53df402a454a4f46c524097addcb7257d3c4505c013af91bd691c656ceb6\nhttp://security.debian.org/pool/updates/main/a/apt/apt-transport-https-dbgsym_1.4.9_armel.deb\n\tSize/SHA256 checksum:\t281070\t99485a41192493e3ec8e77e02a31169551e61b26e11af3379de28629a5d38942\nhttp://security.debian.org/pool/updates/main/a/apt/apt-transport-https_1.4.9_armel.deb\n\tSize/SHA256 checksum:\t165820\t179bcd2457beb0c8449101684c40dc94c9882166b17d584162109928d124cffc\nhttp://security.debian.org/pool/updates/main/a/apt/apt-utils-dbgsym_1.4.9_armel.deb\n\tSize/SHA256 checksum:\t1251850\t52a396be4fb97bc8b3ee2b9b1e1e8ce22bf7572a78e21925034151593d661744\nhttp://security.debian.org/pool/updates/main/a/apt/apt-utils_1.4.9_armel.deb\n\tSize/SHA256 checksum:\t394280\t90f760e7480582bcabc2a2f50a44a2d1f5ce4070370295832bc82424887e5289\nhttp://security.debian.org/pool/updates/main/a/apt/apt_1.4.9_armel.deb\n\tSize/SHA256 checksum:\t1190316\t862ba546c54b66732d2a2d17b44aa4d20109f2bd4ba158d62d158ba190eed649\nhttp://security.debian.org/pool/updates/main/a/apt/libapt-inst2.0-dbgsym_1.4.9_armel.deb\n\tSize/SHA256 checksum:\t219874\t52e2e61fa55dfaf76cc93ebde71a4c3cebfa322088f4815ac5b5ddce272c1f06\nhttp://security.debian.org/pool/updates/main/a/apt/libapt-inst2.0_1.4.9_armel.deb\n\tSize/SHA256 checksum:\t189878\t531e3a673d24b3ae79babc5110d3b27cdbd7a274c0839ff650d691d88d28d8d7\nhttp://security.debian.org/pool/updates/main/a/apt/libapt-pkg-dev_1.4.9_armel.deb\n\tSize/SHA256 checksum:\t235218\t46ecb77704fb8957505d96bdfa7c1f190559914ad96297a6b15609ed1a1a24d9\nhttp://security.debian.org/pool/updates/main/a/apt/libapt-pkg5.0-dbgsym_1.4.9_armel.deb\n\tSize/SHA256 checksum:\t5907742\t17584936819ecd802f395648da292e3bc8053bffeab1c2d23347b960114282dd\nhttp://security.debian.org/pool/updates/main/a/apt/libapt-pkg5.0_1.4.9_armel.deb\n\tSize/SHA256 checksum:\t829040\t6d2ca52d1823ca3100a2bc3d98ed15aca5af1b59203006794b8e8cb4575433b0\n\narmhf 
architecture:\n\nhttp://security.debian.org/pool/updates/main/a/apt/apt-dbgsym_1.4.9_armhf.deb\n\tSize/SHA256 checksum:\t4350882\t79df1b6169ff455737b48f3d2d9cab7c8b0894fe403aa0a3505affb964d02dca\nhttp://security.debian.org/pool/updates/main/a/apt/apt-transport-https-dbgsym_1.4.9_armhf.deb\n\tSize/SHA256 checksum:\t281494\tcd9a5535e94d692a654730da247be59b711cab8dddeee6fea3ded9de1bf50370\nhttp://security.debian.org/pool/updates/main/a/apt/apt-transport-https_1.4.9_armhf.deb\n\tSize/SHA256 checksum:\t166962\t523bf76fd9ee262b08fb04ce2afcd5c0d4e81087c111f31179f5ec2882bbbe93\nhttp://security.debian.org/pool/updates/main/a/apt/apt-utils-dbgsym_1.4.9_armhf.deb\n\tSize/SHA256 checksum:\t1250920\tc0ff4f85f854b3abcc93396bfa724e5866ab4f39a758f5667f93e037b162d34e\nhttp://security.debian.org/pool/updates/main/a/apt/apt-utils_1.4.9_armhf.deb\n\tSize/SHA256 checksum:\t397912\t4d4699621974098a2d7d1d76c4ee5995e0a56c40a336bbc008308f799cc6bc77\nhttp://security.debian.org/pool/updates/main/a/apt/apt_1.4.9_armhf.deb\n\tSize/SHA256 checksum:\t1198550\t0d2b46b839041ac660a33bb17477e66a5317690135346a9a616dfb2efc07906d\nhttp://security.debian.org/pool/updates/main/a/apt/libapt-inst2.0-dbgsym_1.4.9_armhf.deb\n\tSize/SHA256 checksum:\t219930\t9cc01feb0ce145252762cb37a850e6ee47fd3808928c83e4505743b5b17206b4\nhttp://security.debian.org/pool/updates/main/a/apt/libapt-inst2.0_1.4.9_armhf.deb\n\tSize/SHA256 checksum:\t189906\t37acb514874d95cd39991ff0c759bf17ba2d7f1af746b5e0767b1ee2da52f892\nhttp://security.debian.org/pool/updates/main/a/apt/libapt-pkg-dev_1.4.9_armhf.deb\n\tSize/SHA256 checksum:\t235220\t2596fbe7bbad28d57374a2ab6278e9be7cb01e0eee4733f66b76a62492db46e8\nhttp://security.debian.org/pool/updates/main/a/apt/libapt-pkg5.0-dbgsym_1.4.9_armhf.deb\n\tSize/SHA256 checksum:\t5898652\t0d47eba6a4969882773f0fe40bc90bd6893cac9268fcbfcc4041ac92b81fbc8f\nhttp://security.debian.org/pool/updates/main/a/apt/libapt-pkg5.0_1.4.9_armhf.deb\n\tSize/SHA256 
checksum:\t851386\ta7619b4cf5b6205bae21cd25fcc8a856dc108e9f1be6c48e246379f157dc8703\n\ni386 architecture:\n\nhttp://security.debian.org/pool/updates/main/a/apt/apt-dbgsym_1.4.9_i386.deb\n\tSize/SHA256 checksum:\t4311264\t8c5fb2a184aaf8b6953fcee262b130ab83ef90f5a5732b44102e7afc089f7163\nhttp://security.debian.org/pool/updates/main/a/apt/apt-transport-https-dbgsym_1.4.9_i386.deb\n\tSize/SHA256 checksum:\t281510\t0a8f4895ceac461862c09b74a8b441e9ab41fcd06d00998ed6301f6ab7f7eb51\nhttp://security.debian.org/pool/updates/main/a/apt/apt-transport-https_1.4.9_i386.deb\n\tSize/SHA256 checksum:\t174508\t1e7a22d8f976f56ace375e7e02e19b2629a68e6e28c71d9b9126aa0ac3d3175c\nhttp://security.debian.org/pool/updates/main/a/apt/apt-utils-dbgsym_1.4.9_i386.deb\n\tSize/SHA256 checksum:\t1238936\tc97d47e8b0e6edab7c3a77b1bd8381b92e926fbfd091585bdb881e741d2f5702\nhttp://security.debian.org/pool/updates/main/a/apt/apt-utils_1.4.9_i386.deb\n\tSize/SHA256 checksum:\t421244\t25835d5ae4330608421ac4cc6e5c938d36590b55f88bae8ba49b8ce95f3edee1\nhttp://security.debian.org/pool/updates/main/a/apt/apt_1.4.9_i386.deb\n\tSize/SHA256 checksum:\t1263876\te5ce4790d6565634199199f6bf1d29986468603748aa56d135067ae878416649\nhttp://security.debian.org/pool/updates/main/a/apt/libapt-inst2.0-dbgsym_1.4.9_i386.deb\n\tSize/SHA256 checksum:\t214690\t8dd9a9359f8cc74e192cb4577ac996a907c643079673e0f0d4fb8949cc4c559c\nhttp://security.debian.org/pool/updates/main/a/apt/libapt-inst2.0_1.4.9_i386.deb\n\tSize/SHA256 checksum:\t194534\t5937ffef18ef22271a616d32388b50a06ee0ce6ccab90ca870548b9aa5b29e32\nhttp://security.debian.org/pool/updates/main/a/apt/libapt-pkg-dev_1.4.9_i386.deb\n\tSize/SHA256 checksum:\t235220\t0b045d17a2b45aa59b55c6c5ccd47f738e2edeb189cd892d710f0e35b4d09b27\nhttp://security.debian.org/pool/updates/main/a/apt/libapt-pkg5.0-dbgsym_1.4.9_i386.deb\n\tSize/SHA256 
checksum:\t5832816\t82f9dcb1f298b98cce99bf4c80befe9412487479796239f1121baa1c5fe6bb58\nhttp://security.debian.org/pool/updates/main/a/apt/libapt-pkg5.0_1.4.9_i386.deb\n\tSize/SHA256 checksum:\t989166\t16e6470005d25741a9bf39c02ba3f287fda0a66dda8a5859c0efa24a97f56351\n\nmips64el architecture:\n\nhttp://security.debian.org/pool/updates/main/a/apt/apt-dbgsym_1.4.9_mips64el.deb\n\tSize/SHA256 checksum:\t4477316\t3130466b56438f0138940c08ca0c9da9dbdbf971e482079f7ca7444d5af872a6\nhttp://security.debian.org/pool/updates/main/a/apt/apt-transport-https-dbgsym_1.4.9_mips64el.deb\n\tSize/SHA256 checksum:\t296826\t9d74c4cb898ed72619ba2a1bf1f0906fa08224dbbe635d2bdedf15d0fd1ad282\nhttp://security.debian.org/pool/updates/main/a/apt/apt-transport-https_1.4.9_mips64el.deb\n\tSize/SHA256 checksum:\t168898\tc3af79ed48010edb558d1e80b1a6ee182c66e234506de96c056844743234c9ba\nhttp://security.debian.org/pool/updates/main/a/apt/apt-utils-dbgsym_1.4.9_mips64el.deb\n\tSize/SHA256 checksum:\t1282904\t86c5ff537b95d0d41dfb0b0685f4df4fbecea1651a98845f4fec82b3cc306dd4\nhttp://security.debian.org/pool/updates/main/a/apt/apt-utils_1.4.9_mips64el.deb\n\tSize/SHA256 checksum:\t407486\td634b98ae56c7d4e8640fbdb515a17a53d86a3f53a1890edbc40085fa2e6b1be\nhttp://security.debian.org/pool/updates/main/a/apt/apt_1.4.9_mips64el.deb\n\tSize/SHA256 checksum:\t1212204\td9d44ffb8b1860071908267ebda728e8d1086fc911eb66e16f52de07547af6da\nhttp://security.debian.org/pool/updates/main/a/apt/libapt-inst2.0-dbgsym_1.4.9_mips64el.deb\n\tSize/SHA256 checksum:\t222390\tf357f23f332a543f342c19aa322e02f4cb6557a688ad2dc18ea8abcab871eeb0\nhttp://security.debian.org/pool/updates/main/a/apt/libapt-inst2.0_1.4.9_mips64el.deb\n\tSize/SHA256 checksum:\t192760\t6d3fc127c587cce8de194ea7976e3c2664515f5c7959428d89c0d01affcf8567\nhttp://security.debian.org/pool/updates/main/a/apt/libapt-pkg-dev_1.4.9_mips64el.deb\n\tSize/SHA256 
checksum:\t235226\t30b6ae87ecb434fb008760d2ccd29c2f70cbd44a130eb4731b040d8893dfc909\nhttp://security.debian.org/pool/updates/main/a/apt/libapt-pkg5.0-dbgsym_1.4.9_mips64el.deb\n\tSize/SHA256 checksum:\t6088584\t295239f32bde382a348384167d46804ce260b96119ffa6b917c5951181e9e92a\nhttp://security.debian.org/pool/updates/main/a/apt/libapt-pkg5.0_1.4.9_mips64el.deb\n\tSize/SHA256 checksum:\t850490\t51e697b30b4f9f5ff0d942e04fb48962e6ae9a898d6bd165d16733c064325fd8\n\nmips architecture:\n\nhttp://security.debian.org/pool/updates/main/a/apt/apt-dbgsym_1.4.9_mips.deb\n\tSize/SHA256 checksum:\t4392432\tb9fe6f619cc83779f1d5902400364e0bfc4b6e1c5d5fbd51b7080b8fcc84e64b\nhttp://security.debian.org/pool/updates/main/a/apt/apt-transport-https-dbgsym_1.4.9_mips.deb\n\tSize/SHA256 checksum:\t295018\td0d607cbdc2f371c283b103111525711a602fa85b4c7a7bbe279178c8d67836c\nhttp://security.debian.org/pool/updates/main/a/apt/apt-transport-https_1.4.9_mips.deb\n\tSize/SHA256 checksum:\t169328\t4e9b54777d8c2a5813fa8e4aa395a91b587edd33f4ef661898ada4cbc8943197\nhttp://security.debian.org/pool/updates/main/a/apt/apt-utils-dbgsym_1.4.9_mips.deb\n\tSize/SHA256 checksum:\t1253318\tdcd73eb8b89417c1a940501657fed7cdeea5385178770190b41d92fb6bf49e86\nhttp://security.debian.org/pool/updates/main/a/apt/apt-utils_1.4.9_mips.deb\n\tSize/SHA256 checksum:\t408388\t8a834ddee8e6182de5768e12564137eb063bee6b1918d4c08c88b9c11a4cb856\nhttp://security.debian.org/pool/updates/main/a/apt/apt_1.4.9_mips.deb\n\tSize/SHA256 checksum:\t1212756\tea41a5c84b953bb818a6779a141efdcd3e2b46c895eb64e9c0e11d49755bf256\nhttp://security.debian.org/pool/updates/main/a/apt/libapt-inst2.0-dbgsym_1.4.9_mips.deb\n\tSize/SHA256 checksum:\t192358\t33f8fa97ea56e5f07d403fd0df87b43285823880d9d3f6fd22abbf239a9d5c56\nhttp://security.debian.org/pool/updates/main/a/apt/libapt-inst2.0_1.4.9_mips.deb\n\tSize/SHA256 
checksum:\t192556\t2e09a9207914f215686a6b305a0e46bbdeb46c18ba9ea9115631ed216a2896cb\nhttp://security.debian.org/pool/updates/main/a/apt/libapt-pkg-dev_1.4.9_mips.deb\n\tSize/SHA256 checksum:\t235216\t2c582528fb38966de60476e2121037a80d3357fd95cc8e1453c3e5a52d030655\nhttp://security.debian.org/pool/updates/main/a/apt/libapt-pkg5.0-dbgsym_1.4.9_mips.deb\n\tSize/SHA256 checksum:\t6019436\t348b9ffc965c7a7e04335c5eb3621f65a27fabf46b1fa12f59582fa43cbe480f\nhttp://security.debian.org/pool/updates/main/a/apt/libapt-pkg5.0_1.4.9_mips.deb\n\tSize/SHA256 checksum:\t858768\t125dcd2c1e284600a94a5a471a96534c03e55c9c3091ad06b8d5bfef4d65a574\n\nmipsel architecture:\n\nhttp://security.debian.org/pool/updates/main/a/apt/apt-dbgsym_1.4.9_mipsel.deb\n\tSize/SHA256 checksum:\t4239176\te0b0722222426833d2d603a15a91b170213f6aae2ff12551bd81b31323e9f67f\nhttp://security.debian.org/pool/updates/main/a/apt/apt-transport-https-dbgsym_1.4.9_mipsel.deb\n\tSize/SHA256 checksum:\t285552\t9f56461f5f974b07d25845c11df09307d68e698e4ad58bacec871fa3d0e9acbd\nhttp://security.debian.org/pool/updates/main/a/apt/apt-transport-https_1.4.9_mipsel.deb\n\tSize/SHA256 checksum:\t169958\tcea079260b61817bb6163c3268e6714e09326777d8bbc2b70de7bc6f8cf9ef33\nhttp://security.debian.org/pool/updates/main/a/apt/apt-utils-dbgsym_1.4.9_mipsel.deb\n\tSize/SHA256 checksum:\t1209848\te58957b39f234048f64fc18c9942d2f52d53c4a60f42c349a65c0ff27a553a04\nhttp://security.debian.org/pool/updates/main/a/apt/apt-utils_1.4.9_mipsel.deb\n\tSize/SHA256 checksum:\t409708\t5f95e0433899d05bceb8150a02ee444cc42476a0c81eb35ed43402a0f4f7f5fd\nhttp://security.debian.org/pool/updates/main/a/apt/apt_1.4.9_mipsel.deb\n\tSize/SHA256 checksum:\t1218954\t6eaf9b8d9e0239d2ffcce046892bf0d0553688dfd5e44332c0dbe84a66648545\nhttp://security.debian.org/pool/updates/main/a/apt/libapt-inst2.0-dbgsym_1.4.9_mipsel.deb\n\tSize/SHA256 
checksum:\t185796\t6b68ea266213de56b7eb5253a0d5f770c95234a5f2d4e2847f78d4913c2e735b\nhttp://security.debian.org/pool/updates/main/a/apt/libapt-inst2.0_1.4.9_mipsel.deb\n\tSize/SHA256 checksum:\t192822\t59c2dcfe8e23f63cd201777a11b45d5833045ada44b616ed059d223cee99311a\nhttp://security.debian.org/pool/updates/main/a/apt/libapt-pkg-dev_1.4.9_mipsel.deb\n\tSize/SHA256 checksum:\t235216\t7fe6c1f8074bff4a29a2988556295ef558b5650edd66145866957e2528c92f7e\nhttp://security.debian.org/pool/updates/main/a/apt/libapt-pkg5.0-dbgsym_1.4.9_mipsel.deb\n\tSize/SHA256 checksum:\t5783676\t6c4d9f99a16b091672016fd4fe21156e2a4daafb3debfb674c9472f1407a30eb\nhttp://security.debian.org/pool/updates/main/a/apt/libapt-pkg5.0_1.4.9_mipsel.deb\n\tSize/SHA256 checksum:\t869792\t2abb3afa5689f3dd0461b998449934ce06ced68ef6cdc8e4e121196f40bd30e6\n\nppc64el architecture:\n\nhttp://security.debian.org/pool/updates/main/a/apt/apt-dbgsym_1.4.9_ppc64el.deb\n\tSize/SHA256 checksum:\t4471286\t916a6677f1d6b82160a82d5b5265df9a00f5f0f3ef34807a1a5673c0b2d1f2a3\nhttp://security.debian.org/pool/updates/main/a/apt/apt-transport-https-dbgsym_1.4.9_ppc64el.deb\n\tSize/SHA256 checksum:\t297220\tb973d349639fd8acbc9f99c819987cbd15211ee69a7239c3ae1f558ccd46729e\nhttp://security.debian.org/pool/updates/main/a/apt/apt-transport-https_1.4.9_ppc64el.deb\n\tSize/SHA256 checksum:\t169566\t9de5b780e0e0d381bb1f1cfbff5626e36bae7df6ca25f6c49affc650b88cd152\nhttp://security.debian.org/pool/updates/main/a/apt/apt-utils-dbgsym_1.4.9_ppc64el.deb\n\tSize/SHA256 checksum:\t1281378\t08fc480c70dda285f87d591da10ba0d341569fe9eee1f6db0544fa7234f13632\nhttp://security.debian.org/pool/updates/main/a/apt/apt-utils_1.4.9_ppc64el.deb\n\tSize/SHA256 checksum:\t406494\t5f66c194b5897c490212c15806821d6f924c1353b5031a11383f3b2ebb25d44c\nhttp://security.debian.org/pool/updates/main/a/apt/apt_1.4.9_ppc64el.deb\n\tSize/SHA256 
checksum:\t1221036\tb6235daa430bd3e6df37855fd8fcebe057c187335c9e45744e35694600475495\nhttp://security.debian.org/pool/updates/main/a/apt/libapt-inst2.0-dbgsym_1.4.9_ppc64el.deb\n\tSize/SHA256 checksum:\t221220\taf22feaa8ba661ab283580ab1388eec097980fb1b0f11f13a84df45ca78673ee\nhttp://security.debian.org/pool/updates/main/a/apt/libapt-inst2.0_1.4.9_ppc64el.deb\n\tSize/SHA256 checksum:\t192604\t92d4290b343ada2eaca425f09d56d2767b0bca5221957477515fdb9391497fa8\nhttp://security.debian.org/pool/updates/main/a/apt/libapt-pkg-dev_1.4.9_ppc64el.deb\n\tSize/SHA256 checksum:\t235222\te6ef81e5f61383584aba546056f43458cd83d1d56a96087301ba0454efdd3941\nhttp://security.debian.org/pool/updates/main/a/apt/libapt-pkg5.0-dbgsym_1.4.9_ppc64el.deb\n\tSize/SHA256 checksum:\t6091540\t26a675b4dbf0e69207080f11c1a7e7931cc487d8087b9ce8f200d4fcbdc80fd7\nhttp://security.debian.org/pool/updates/main/a/apt/libapt-pkg5.0_1.4.9_ppc64el.deb\n\tSize/SHA256 checksum:\t888440\t0f2987f64499f3b3f15f2d560d2d41ddc71986e557e94a20ea02af4c71481b47\n\nFor the detailed security status of apt please refer to\nits security tracker page at:\nhttps://security-tracker.debian.org/tracker/apt\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 11, "modified": "2019-01-22T12:18:38", "published": "2019-01-22T12:18:38", "id": "DEBIAN:DSA-4371-1:FF7D6", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2019/msg00010.html", "title": "[SECURITY] [DSA 4371-1] apt security update", "type": "debian", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-08-12T00:55:34", "bulletinFamily": "unix", "cvelist": ["CVE-2019-3462"], "description": "Package : apt\nVersion : 1.0.9.8.5\nCVE ID : CVE-2019-3462\nDebian Bug :\n\nMax Justicz discovered a vulnerability in APT, the 
high level package manager.\nThe code handling HTTP redirects in the HTTP transport method doesn't properly\nsanitize fields transmitted over the wire. This vulnerability could be used by\nan attacker located as a man-in-the-middle between APT and a mirror to inject\nmalicious content in the HTTP connection. This content could then be recognized\nas a valid package by APT and used later for code execution with root\nprivileges on the target machine.\n\nSince the vulnerability is present in the package manager itself, it is\nrecommended to disable redirects in order to prevent exploitation during this\nupgrade only, using:\n\n apt -o Acquire::http::AllowRedirect=false update\n apt -o Acquire::http::AllowRedirect=false upgrade\n\nThis is known to break some proxies when used against security.debian.org. If\nthat happens, people can switch their security APT source to use:\n\n deb http://cdn-fastly.deb.debian.org/debian-security stable/updates main\n\nFor Debian 8 "Jessie", this problem has been fixed in version\n1.0.9.8.5.\n\nWe recommend that you upgrade your apt packages.\n\nSpecific upgrade instructions:\n\nIf upgrading using APT without redirect is not possible in your situation, you\ncan manually download the files (using wget/curl) for your architecture using\nthe URL provided below, verifying that the hashes match. 
Then you can install\nthem using dpkg -i.\n\nArchitecture independent files:\n\nhttp://security.debian.org/debian-security/pool/updates/main/a/apt/apt-doc_1.0.9.8.5_all.deb\n Size/SHA256 checksum: 301106 47df9567e45fadcd2a56c0fd3d514d8136f2f206aa7baa47405c6fcb94824ab6\nhttp://security.debian.org/debian-security/pool/updates/main/a/apt/libapt-pkg-doc_1.0.9.8.5_all.deb\n Size/SHA256 checksum: 750506 ce79b2ef272716b8da11f3fd0497ce0b7ee69c9c66d01669e8abbbfdde5e6256\n\namd64 architecture:\n\nhttp://security.debian.org/debian-security/pool/updates/main/a/apt/libapt-pkg4.12_1.0.9.8.5_amd64.deb\n Size/SHA256 checksum: 792126 295d9c69854a4cfbcb46001b09b853f5a098a04c986fc5ae01a0124c1c27e6bd\nhttp://security.debian.org/debian-security/pool/updates/main/a/apt/libapt-inst1.5_1.0.9.8.5_amd64.deb\n Size/SHA256 checksum: 168896 f9615532b1577b3d1455fa51839ce91765f2860eb3a6810fb5e0de0c87253030\nhttp://security.debian.org/debian-security/pool/updates/main/a/apt/apt_1.0.9.8.5_amd64.deb\n Size/SHA256 checksum: 1109308 4078748632abc19836d045f80f9d6933326065ca1d47367909a0cf7f29e7dfe8\nhttp://security.debian.org/debian-security/pool/updates/main/a/apt/libapt-pkg-dev_1.0.9.8.5_amd64.deb\n Size/SHA256 checksum: 192950 09ef86d178977163b8cf0081d638d74e0a90c805dd77750c1d91354b6840b032\nhttp://security.debian.org/debian-security/pool/updates/main/a/apt/apt-utils_1.0.9.8.5_amd64.deb\n Size/SHA256 checksum: 368396 87c55d9ccadcabd59674873c221357c774020c116afd978fb9df6d2d0303abf2\nhttp://security.debian.org/debian-security/pool/updates/main/a/apt/apt-transport-https_1.0.9.8.5_amd64.deb\n Size/SHA256 checksum: 137230 f5a17422fd319ff5f6e3ea9a9e87d2508861830120125484130da8c1fd479df2\n\narmel architecture:\n\nhttp://security.debian.org/debian-security/pool/updates/main/a/apt/libapt-pkg4.12_1.0.9.8.5_armel.deb\n Size/SHA256 checksum: 717002 
80fe021d87f2444abdd7c5491e7a4bf9ab9cb2b8e6fa72d308905f4e0aad60d4\nhttp://security.debian.org/debian-security/pool/updates/main/a/apt/libapt-inst1.5_1.0.9.8.5_armel.deb\n Size/SHA256 checksum: 166784 046fb962fa214c5d6acfb7344e7719f8c4898d87bf29ed3cd2115e3f6cdd14e9\nhttp://security.debian.org/debian-security/pool/updates/main/a/apt/apt_1.0.9.8.5_armel.deb\n Size/SHA256 checksum: 1067404 f9a257d6aace1f222633e0432abf1d6946bad9dbd0ca18dccb288d50f17b895f\nhttp://security.debian.org/debian-security/pool/updates/main/a/apt/libapt-pkg-dev_1.0.9.8.5_armel.deb\n Size/SHA256 checksum: 193768 4cb226f55132a68a2f5db925ada6147aaf052adb02301fb45fb0c2d1cfce36f0\nhttp://security.debian.org/debian-security/pool/updates/main/a/apt/apt-utils_1.0.9.8.5_armel.deb\n Size/SHA256 checksum: 353178 38042838d8bc79642e5389be7d2d2d967cbf316805d4c8c2d6afbe1bc164aacc\nhttp://security.debian.org/debian-security/pool/updates/main/a/apt/apt-transport-https_1.0.9.8.5_armel.deb\n Size/SHA256 checksum: 134932 755b6d22f5914f3153a1c15427e5221507b174c0a4c6b860ebd16234c9e9a146\n\narmhf architecture:\n\nhttp://security.debian.org/debian-security/pool/updates/main/a/apt/libapt-pkg4.12_1.0.9.8.5_armhf.deb\n Size/SHA256 checksum: 734302 0f48f6d0406afdf0bd4d39e90e56460fab3d9b5fa4c91e2dca78ec22caf2fe2a\nhttp://security.debian.org/debian-security/pool/updates/main/a/apt/libapt-inst1.5_1.0.9.8.5_armhf.deb\n Size/SHA256 checksum: 166556 284a1ffd529e1daab3c300be17a20f11450555be9c0af166d9796c18147a03ba\nhttp://security.debian.org/debian-security/pool/updates/main/a/apt/apt_1.0.9.8.5_armhf.deb\n Size/SHA256 checksum: 1078212 08d85c30c8e4a6df0dced8e232a6c7639caa231acef4af8fdee2c1e07f0178ba\nhttp://security.debian.org/debian-security/pool/updates/main/a/apt/libapt-pkg-dev_1.0.9.8.5_armhf.deb\n Size/SHA256 checksum: 193796 3a26bd79677b46ce0a992e2ac808c4bbd2d5b3fc37b57fc93c8efa114de1adaa\nhttp://security.debian.org/debian-security/pool/updates/main/a/apt/apt-utils_1.0.9.8.5_armhf.deb\n Size/SHA256 checksum: 357074 
19dec9ffc0fe4a86d6e61b5213e75c55ae6aaade6f3804f90e2e4034bbdc44d8\nhttp://security.debian.org/debian-security/pool/updates/main/a/apt/apt-transport-https_1.0.9.8.5_armhf.deb\n Size/SHA256 checksum: 135072 06ba556c5218e58fd14119e3b08a08f685209a0cbe09f2328bd572cabc580bca\n\ni386 architecture:\n\nhttp://security.debian.org/debian-security/pool/updates/main/a/apt/libapt-pkg4.12_1.0.9.8.5_i386.deb\n Size/SHA256 checksum: 800840 201b6cf4625ed175e6a024ac1f7ca6c526ca79d859753c125b02cd69e26c349d\nhttp://security.debian.org/debian-security/pool/updates/main/a/apt/libapt-inst1.5_1.0.9.8.5_i386.deb\n Size/SHA256 checksum: 170484 5791661dd4ade72b61086fefdc209bd1f76ac7b7c812d6d4ba951b1a6232f0b9\nhttp://security.debian.org/debian-security/pool/updates/main/a/apt/apt_1.0.9.8.5_i386.deb\n Size/SHA256 checksum: 1110418 13c230e9c544b1e67a8da413046bf1728526372170533b1a23e70cc99c40a228\nhttp://security.debian.org/debian-security/pool/updates/main/a/apt/libapt-pkg-dev_1.0.9.8.5_i386.deb\n Size/SHA256 checksum: 193780 c5b1bfa913ea2e2e332c228f5c5fe4dbc11ab334d0551a68ba6e87e94a51ffee\nhttp://security.debian.org/debian-security/pool/updates/main/a/apt/apt-utils_1.0.9.8.5_i386.deb\n Size/SHA256 checksum: 371218 1a74b12c8bb6b3968a721f3aa96739073e4fe2ced9302792c533e21535bc9cf4\nhttp://security.debian.org/debian-security/pool/updates/main/a/apt/apt-transport-https_1.0.9.8.5_i386.deb\n Size/SHA256 checksum: 139036 32148d92914a97df8bbb9f223e788dcbc7c39e570cf48e6759cb483a65b68666\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS\n\n--\ndebian developer - deb.li/jak | jak-linux.org - free software dev\nubuntu core developer i speak de, en\n", "edition": 11, "modified": "2019-01-22T14:32:01", "published": "2019-01-22T14:32:01", "id": "DEBIAN:DLA-1637-1:9E21E", "href": "https://lists.debian.org/debian-lts-announce/2019/debian-lts-announce-201901/msg00013.html", "title": 
"[SECURITY] [DLA 1637-1] apt security update", "type": "debian", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "openvas": [{"lastseen": "2020-01-29T19:29:42", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-3462"], "description": "Max Justicz discovered a vulnerability in APT, the high level package manager.\nThe code handling HTTP redirects in the HTTP transport method doesn", "modified": "2020-01-29T00:00:00", "published": "2019-01-22T00:00:00", "id": "OPENVAS:1361412562310891637", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310891637", "type": "openvas", "title": "Debian LTS: Security Advisory for apt (DLA-1637-1)", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.891637\");\n script_version(\"2020-01-29T08:22:52+0000\");\n script_cve_id(\"CVE-2019-3462\");\n script_name(\"Debian LTS: Security Advisory for apt (DLA-1637-1)\");\n script_tag(name:\"last_modification\", value:\"2020-01-29 08:22:52 +0000 (Wed, 29 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2019-01-22 00:00:00 +0100 (Tue, 22 Jan 2019)\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", value:\"https://lists.debian.org/debian-lts-announce/2019/01/msg00014.html\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB8\");\n\n script_tag(name:\"affected\", value:\"apt on Debian Linux\");\n\n script_tag(name:\"solution\", value:\"For Debian 8 'Jessie', this problem has been fixed in version\n1.0.9.8.5.\n\nWe recommend that you upgrade your apt packages.\n\nPlease note the specific upgrade instructions within the referenced vendor advisory.\");\n\n script_tag(name:\"summary\", value:\"Max Justicz discovered a vulnerability in APT, the high level package manager.\nThe code handling HTTP redirects in the HTTP transport method doesn't properly\nsanitize fields transmitted over the wire. 
This vulnerability could be used by\nan attacker located as a man-in-the-middle between APT and a mirror to inject\nmalicious content in the HTTP connection. This content could then be recognized\nas a valid package by APT and used later for code execution with root\nprivileges on the target machine.\");\n\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software version using the apt package manager.\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif(!isnull(res = isdpkgvuln(pkg:\"apt\", ver:\"1.0.9.8.4 \", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"apt-doc\", ver:\"1.0.9.8.4 \", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"apt-transport-https\", ver:\"1.0.9.8.4 \", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"apt-utils\", ver:\"1.0.9.8.4 \", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libapt-inst1.5\", ver:\"1.0.9.8.4 \", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libapt-pkg-dev\", ver:\"1.0.9.8.4 \", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libapt-pkg-doc\", ver:\"1.0.9.8.4 \", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libapt-pkg4.12\", ver:\"1.0.9.8.4 \", rls:\"DEB8\"))) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99);\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:32:26", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-3462"], "description": "Max Justicz discovered a vulnerability in APT, the high level package manager.\nThe code handling HTTP redirects in the HTTP transport method doesn", "modified": "2019-03-18T00:00:00", "published": "2019-01-22T00:00:00", "id": "OPENVAS:1361412562310704371", "href": 
"http://plugins.openvas.org/nasl.php?oid=1361412562310704371", "type": "openvas", "title": "Debian Security Advisory DSA 4371-1 (apt - security update)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: deb_4371.nasl 14282 2019-03-18 14:55:18Z cfischer $\n#\n# Auto-generated from advisory DSA 4371-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2019 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License as published by\n# the Free Software Foundation; either version 2 of the License, or\n# (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.704371\");\n script_version(\"$Revision: 14282 $\");\n script_cve_id(\"CVE-2019-3462\");\n script_name(\"Debian Security Advisory DSA 4371-1 (apt - security update)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-18 15:55:18 +0100 (Mon, 18 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2019-01-22 00:00:00 +0100 (Tue, 22 Jan 2019)\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", value:\"https://www.debian.org/security/2019/dsa-4371.html\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2019 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB9\");\n script_tag(name:\"affected\", value:\"apt on Debian Linux\");\n script_tag(name:\"solution\", value:\"For the stable distribution (stretch), this problem has been fixed in\nversion 1.4.9.\n\nWe recommend that you upgrade your apt packages.\n\nPlease note the specific upgrade instructions within the referenced vendor advisory.\");\n script_tag(name:\"summary\", value:\"Max Justicz discovered a vulnerability in APT, the high level package manager.\nThe code handling HTTP redirects in the HTTP transport method doesn't properly\nsanitize fields 
transmitted over the wire. This vulnerability could be used by\nan attacker located as a man-in-the-middle between APT and a mirror to inject\nmalicious content in the HTTP connection. This content could then be recognized\nas a valid package by APT and used later for code execution with root\nprivileges on the target machine.\");\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software version using the apt package manager.\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif((res = isdpkgvuln(pkg:\"apt\", ver:\"1.4.9\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"apt-doc\", ver:\"1.4.9\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"apt-transport-https\", ver:\"1.4.9\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"apt-utils\", ver:\"1.4.9\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libapt-inst2.0\", ver:\"1.4.9\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libapt-pkg-dev\", ver:\"1.4.9\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libapt-pkg-doc\", ver:\"1.4.9\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libapt-pkg5.0\", ver:\"1.4.9\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99);\n}", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "ubuntu": [{"lastseen": "2020-07-02T11:40:18", "bulletinFamily": "unix", "cvelist": ["CVE-2019-3462"], "description": "Max Justicz discovered that APT incorrectly handled certain parameters \nduring redirects. 
If a remote attacker were able to perform a \nman-in-the-middle attack, this flaw could potentially be used to install \naltered packages.", "edition": 4, "modified": "2019-01-22T00:00:00", "published": "2019-01-22T00:00:00", "id": "USN-3863-1", "href": "https://ubuntu.com/security/notices/USN-3863-1", "title": "APT vulnerability", "type": "ubuntu", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-02T11:36:17", "bulletinFamily": "unix", "cvelist": ["CVE-2019-3462"], "description": "USN-3863-1 fixed a vulnerability in APT. This update provides \nthe corresponding update for Ubuntu 12.04 ESM.\n\nOriginal advisory details:\n\nMax Justicz discovered that APT incorrectly handled certain parameters \nduring redirects. If a remote attacker were able to perform a \nman-in-the-middle attack, this flaw could potentially be used to install \naltered packages.", "edition": 5, "modified": "2019-01-22T00:00:00", "published": "2019-01-22T00:00:00", "id": "USN-3863-2", "href": "https://ubuntu.com/security/notices/USN-3863-2", "title": "APT vulnerability", "type": "ubuntu", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2021-01-12T09:40:15", "description": "(amended to refer to jessie in the sources.list entry below, instead\nof stable)\n\nMax Justicz discovered a vulnerability in APT, the high level package\nmanager. The code handling HTTP redirects in the HTTP transport method\ndoesn't properly sanitize fields transmitted over the wire. This\nvulnerability could be used by an attacker located as a\nman-in-the-middle between APT and a mirror to inject malicious content\nin the HTTP connection. 
This content could then be recognized as a\nvalid package by APT and used later for code execution with root\nprivileges on the target machine.\n\nSince the vulnerability is present in the package manager itself, it\nis recommended to disable redirects in order to prevent exploitation\nduring this upgrade only, using :\n\napt -o Acquire::http::AllowRedirect=false update apt -o\nAcquire::http::AllowRedirect=false upgrade\n\nThis is known to break some proxies when used against\nsecurity.debian.org. If that happens, people can switch their security\nAPT source to use :\n\ndeb http://cdn-fastly.deb.debian.org/debian-security jessie/updates\nmain\n\nFor Debian 8 'Jessie', this problem has been fixed in version\n1.0.9.8.5.\n\nWe recommend that you upgrade your apt packages.\n\nSpecific upgrade instructions :\n\nIf upgrading using APT without redirect is not possible in your\nsituation, you can manually download the files (using wget/curl) for\nyour architecture using the URL provided below, verifying that the\nhashes match. 
Then you can install them using dpkg -i.\n\nArchitecture independent files :\n\nhttp://security.debian.org/debian-security/pool/updates/main/a/apt/apt\n-doc_1.0.9.8.5_all.deb Size/SHA256 checksum: 301106\n47df9567e45fadcd2a56c0fd3d514d8136f2f206aa7baa47405c6fcb94824ab6\nhttp://security.debian.org/debian-security/pool/updates/main/a/apt/lib\napt-pkg-doc_1.0.9.8.5_all.deb Size/SHA256 checksum: 750506\nce79b2ef272716b8da11f3fd0497ce0b7ee69c9c66d01669e8abbbfdde5e6256\n\namd64 architecture :\n\nhttp://security.debian.org/debian-security/pool/updates/main/a/apt/lib\napt-pkg4.12_1.0.9.8.5_amd64.deb Size/SHA256 checksum: 792126\n295d9c69854a4cfbcb46001b09b853f5a098a04c986fc5ae01a0124c1c27e6bd\nhttp://security.debian.org/debian-security/pool/updates/main/a/apt/lib\napt-inst1.5_1.0.9.8.5_amd64.deb Size/SHA256 checksum: 168896\nf9615532b1577b3d1455fa51839ce91765f2860eb3a6810fb5e0de0c87253030\nhttp://security.debian.org/debian-security/pool/updates/main/a/apt/apt\n_1.0.9.8.5_amd64.deb Size/SHA256 checksum: 1109308\n4078748632abc19836d045f80f9d6933326065ca1d47367909a0cf7f29e7dfe8\nhttp://security.debian.org/debian-security/pool/updates/main/a/apt/lib\napt-pkg-dev_1.0.9.8.5_amd64.deb Size/SHA256 checksum: 192950\n09ef86d178977163b8cf0081d638d74e0a90c805dd77750c1d91354b6840b032\nhttp://security.debian.org/debian-security/pool/updates/main/a/apt/apt\n-utils_1.0.9.8.5_amd64.deb Size/SHA256 checksum: 368396\n87c55d9ccadcabd59674873c221357c774020c116afd978fb9df6d2d0303abf2\nhttp://security.debian.org/debian-security/pool/updates/main/a/apt/apt\n-transport-https_1.0.9.8.5_amd64.deb Size/SHA256 checksum: 137230\nf5a17422fd319ff5f6e3ea9a9e87d2508861830120125484130da8c1fd479df2\n\narmel architecture :\n\nhttp://security.debian.org/debian-security/pool/updates/main/a/apt/lib\napt-pkg4.12_1.0.9.8.5_armel.deb Size/SHA256 checksum: 
717002\n80fe021d87f2444abdd7c5491e7a4bf9ab9cb2b8e6fa72d308905f4e0aad60d4\nhttp://security.debian.org/debian-security/pool/updates/main/a/apt/lib\napt-inst1.5_1.0.9.8.5_armel.deb Size/SHA256 checksum: 166784\n046fb962fa214c5d6acfb7344e7719f8c4898d87bf29ed3cd2115e3f6cdd14e9\nhttp://security.debian.org/debian-security/pool/updates/main/a/apt/apt\n_1.0.9.8.5_armel.deb Size/SHA256 checksum: 1067404\nf9a257d6aace1f222633e0432abf1d6946bad9dbd0ca18dccb288d50f17b895f\nhttp://security.debian.org/debian-security/pool/updates/main/a/apt/lib\napt-pkg-dev_1.0.9.8.5_armel.deb Size/SHA256 checksum: 193768\n4cb226f55132a68a2f5db925ada6147aaf052adb02301fb45fb0c2d1cfce36f0\nhttp://security.debian.org/debian-security/pool/updates/main/a/apt/apt\n-utils_1.0.9.8.5_armel.deb Size/SHA256 checksum: 353178\n38042838d8bc79642e5389be7d2d2d967cbf316805d4c8c2d6afbe1bc164aacc\nhttp://security.debian.org/debian-security/pool/updates/main/a/apt/apt\n-transport-https_1.0.9.8.5_armel.deb Size/SHA256 checksum: 134932\n755b6d22f5914f3153a1c15427e5221507b174c0a4c6b860ebd16234c9e9a146\n\narmhf architecture :\n\nhttp://security.debian.org/debian-security/pool/updates/main/a/apt/lib\napt-pkg4.12_1.0.9.8.5_armhf.deb Size/SHA256 checksum: 734302\n0f48f6d0406afdf0bd4d39e90e56460fab3d9b5fa4c91e2dca78ec22caf2fe2a\nhttp://security.debian.org/debian-security/pool/updates/main/a/apt/lib\napt-inst1.5_1.0.9.8.5_armhf.deb Size/SHA256 checksum: 166556\n284a1ffd529e1daab3c300be17a20f11450555be9c0af166d9796c18147a03ba\nhttp://security.debian.org/debian-security/pool/updates/main/a/apt/apt\n_1.0.9.8.5_armhf.deb Size/SHA256 checksum: 1078212\n08d85c30c8e4a6df0dced8e232a6c7639caa231acef4af8fdee2c1e07f0178ba\nhttp://security.debian.org/debian-security/pool/updates/main/a/apt/lib\napt-pkg-dev_1.0.9.8.5_armhf.deb Size/SHA256 checksum: 193796\n3a26bd79677b46ce0a992e2ac808c4bbd2d5b3fc37b57fc93c8efa114de1adaa\nhttp://security.debian.org/debian-security/pool/updates/main/a/apt/apt\n-utils_1.0.9.8.5_armhf.deb Size/SHA256 
checksum: 357074\n19dec9ffc0fe4a86d6e61b5213e75c55ae6aaade6f3804f90e2e4034bbdc44d8\nhttp://security.debian.org/debian-security/pool/updates/main/a/apt/apt\n-transport-https_1.0.9.8.5_armhf.deb Size/SHA256 checksum: 135072\n06ba556c5218e58fd14119e3b08a08f685209a0cbe09f2328bd572cabc580bca\n\ni386 architecture :\n\nhttp://security.debian.org/debian-security/pool/updates/main/a/apt/lib\napt-pkg4.12_1.0.9.8.5_i386.deb Size/SHA256 checksum: 800840\n201b6cf4625ed175e6a024ac1f7ca6c526ca79d859753c125b02cd69e26c349d\nhttp://security.debian.org/debian-security/pool/updates/main/a/apt/lib\napt-inst1.5_1.0.9.8.5_i386.deb Size/SHA256 checksum: 170484\n5791661dd4ade72b61086fefdc209bd1f76ac7b7c812d6d4ba951b1a6232f0b9\nhttp://security.debian.org/debian-security/pool/updates/main/a/apt/apt\n_1.0.9.8.5_i386.deb Size/SHA256 checksum: 1110418\n13c230e9c544b1e67a8da413046bf1728526372170533b1a23e70cc99c40a228\nhttp://security.debian.org/debian-security/pool/updates/main/a/apt/lib\napt-pkg-dev_1.0.9.8.5_i386.deb Size/SHA256 checksum: 193780\nc5b1bfa913ea2e2e332c228f5c5fe4dbc11ab334d0551a68ba6e87e94a51ffee\nhttp://security.debian.org/debian-security/pool/updates/main/a/apt/apt\n-utils_1.0.9.8.5_i386.deb Size/SHA256 checksum: 371218\n1a74b12c8bb6b3968a721f3aa96739073e4fe2ced9302792c533e21535bc9cf4\nhttp://security.debian.org/debian-security/pool/updates/main/a/apt/apt\n-transport-https_1.0.9.8.5_i386.deb Size/SHA256 checksum: 139036\n32148d92914a97df8bbb9f223e788dcbc7c39e570cf48e6759cb483a65b68666\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. 
Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.", "edition": 13, "cvss3": {"score": 8.1, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-01-23T00:00:00", "title": "Debian DLA-1637-1 : apt security update (amended)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-3462"], "modified": "2019-01-23T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:libapt-pkg-dev", "p-cpe:/a:debian:debian_linux:apt-utils", "cpe:/o:debian:debian_linux:8.0", "p-cpe:/a:debian:debian_linux:libapt-inst1.5", "p-cpe:/a:debian:debian_linux:libapt-pkg-doc", "p-cpe:/a:debian:debian_linux:libapt-pkg4.12", "p-cpe:/a:debian:debian_linux:apt-doc", "p-cpe:/a:debian:debian_linux:apt", "p-cpe:/a:debian:debian_linux:apt-transport-https"], "id": "DEBIAN_DLA-1637.NASL", "href": "https://www.tenable.com/plugins/nessus/121314", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-1637-1. The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(121314);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2019-3462\");\n\n script_name(english:\"Debian DLA-1637-1 : apt security update (amended)\");\n script_summary(english:\"Checks dpkg output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"(amended to refer to jessie in the sources.list entry below, instead\nof stable)\n\nMax Justicz discovered a vulnerability in APT, the high level package\nmanager. 
The code handling HTTP redirects in the HTTP transport method\ndoesn't properly sanitize fields transmitted over the wire. This\nvulnerability could be used by an attacker located as a\nman-in-the-middle between APT and a mirror to inject malicous content\nin the HTTP connection. This content could then be recognized as a\nvalid package by APT and used later for code execution with root\nprivileges on the target machine.\n\nSince the vulnerability is present in the package manager itself, it\nis recommended to disable redirects in order to prevent exploitation\nduring this upgrade only, using :\n\napt -o Acquire::http::AllowRedirect=false update apt -o\nAcquire::http::AllowRedirect=false upgrade\n\nThis is known to break some proxies when used against\nsecurity.debian.org. If that happens, people can switch their security\nAPT source to use :\n\ndeb http://cdn-fastly.deb.debian.org/debian-security jessie/updates\nmain\n\nFor Debian 8 'Jessie', this problem has been fixed in version\n1.0.9.8.5.\n\nWe recommend that you upgrade your apt packages.\n\nSpecific upgrade instructions :\n\nIf upgrading using APT without redirect is not possible in your\nsituation, you can manually download the files (using wget/curl) for\nyour architecture using the URL provided below, verifying that the\nhashes match. 
Then you can install them using dpkg -i.\n\nArchitecture independent files :\n\nhttp://security.debian.org/debian-security/pool/updates/main/a/apt/apt\n-doc_1.0.9.8.5_all.deb Size/SHA256 checksum: 301106\n47df9567e45fadcd2a56c0fd3d514d8136f2f206aa7baa47405c6fcb94824ab6\nhttp://security.debian.org/debian-security/pool/updates/main/a/apt/lib\napt-pkg-doc_1.0.9.8.5_all.deb Size/SHA256 checksum: 750506\nce79b2ef272716b8da11f3fd0497ce0b7ee69c9c66d01669e8abbbfdde5e6256\n\namd64 architecture :\n\nhttp://security.debian.org/debian-security/pool/updates/main/a/apt/lib\napt-pkg4.12_1.0.9.8.5_amd64.deb Size/SHA256 checksum: 792126\n295d9c69854a4cfbcb46001b09b853f5a098a04c986fc5ae01a0124c1c27e6bd\nhttp://security.debian.org/debian-security/pool/updates/main/a/apt/lib\napt-inst1.5_1.0.9.8.5_amd64.deb Size/SHA256 checksum: 168896\nf9615532b1577b3d1455fa51839ce91765f2860eb3a6810fb5e0de0c87253030\nhttp://security.debian.org/debian-security/pool/updates/main/a/apt/apt\n_1.0.9.8.5_amd64.deb Size/SHA256 checksum: 1109308\n4078748632abc19836d045f80f9d6933326065ca1d47367909a0cf7f29e7dfe8\nhttp://security.debian.org/debian-security/pool/updates/main/a/apt/lib\napt-pkg-dev_1.0.9.8.5_amd64.deb Size/SHA256 checksum: 192950\n09ef86d178977163b8cf0081d638d74e0a90c805dd77750c1d91354b6840b032\nhttp://security.debian.org/debian-security/pool/updates/main/a/apt/apt\n-utils_1.0.9.8.5_amd64.deb Size/SHA256 checksum: 368396\n87c55d9ccadcabd59674873c221357c774020c116afd978fb9df6d2d0303abf2\nhttp://security.debian.org/debian-security/pool/updates/main/a/apt/apt\n-transport-https_1.0.9.8.5_amd64.deb Size/SHA256 checksum: 137230\nf5a17422fd319ff5f6e3ea9a9e87d2508861830120125484130da8c1fd479df2\n\narmel architecture :\n\nhttp://security.debian.org/debian-security/pool/updates/main/a/apt/lib\napt-pkg4.12_1.0.9.8.5_armel.deb Size/SHA256 checksum: 
717002\n80fe021d87f2444abdd7c5491e7a4bf9ab9cb2b8e6fa72d308905f4e0aad60d4\nhttp://security.debian.org/debian-security/pool/updates/main/a/apt/lib\napt-inst1.5_1.0.9.8.5_armel.deb Size/SHA256 checksum: 166784\n046fb962fa214c5d6acfb7344e7719f8c4898d87bf29ed3cd2115e3f6cdd14e9\nhttp://security.debian.org/debian-security/pool/updates/main/a/apt/apt\n_1.0.9.8.5_armel.deb Size/SHA256 checksum: 1067404\nf9a257d6aace1f222633e0432abf1d6946bad9dbd0ca18dccb288d50f17b895f\nhttp://security.debian.org/debian-security/pool/updates/main/a/apt/lib\napt-pkg-dev_1.0.9.8.5_armel.deb Size/SHA256 checksum: 193768\n4cb226f55132a68a2f5db925ada6147aaf052adb02301fb45fb0c2d1cfce36f0\nhttp://security.debian.org/debian-security/pool/updates/main/a/apt/apt\n-utils_1.0.9.8.5_armel.deb Size/SHA256 checksum: 353178\n38042838d8bc79642e5389be7d2d2d967cbf316805d4c8c2d6afbe1bc164aacc\nhttp://security.debian.org/debian-security/pool/updates/main/a/apt/apt\n-transport-https_1.0.9.8.5_armel.deb Size/SHA256 checksum: 134932\n755b6d22f5914f3153a1c15427e5221507b174c0a4c6b860ebd16234c9e9a146\n\narmhf architecture :\n\nhttp://security.debian.org/debian-security/pool/updates/main/a/apt/lib\napt-pkg4.12_1.0.9.8.5_armhf.deb Size/SHA256 checksum: 734302\n0f48f6d0406afdf0bd4d39e90e56460fab3d9b5fa4c91e2dca78ec22caf2fe2a\nhttp://security.debian.org/debian-security/pool/updates/main/a/apt/lib\napt-inst1.5_1.0.9.8.5_armhf.deb Size/SHA256 checksum: 166556\n284a1ffd529e1daab3c300be17a20f11450555be9c0af166d9796c18147a03ba\nhttp://security.debian.org/debian-security/pool/updates/main/a/apt/apt\n_1.0.9.8.5_armhf.deb Size/SHA256 checksum: 1078212\n08d85c30c8e4a6df0dced8e232a6c7639caa231acef4af8fdee2c1e07f0178ba\nhttp://security.debian.org/debian-security/pool/updates/main/a/apt/lib\napt-pkg-dev_1.0.9.8.5_armhf.deb Size/SHA256 checksum: 193796\n3a26bd79677b46ce0a992e2ac808c4bbd2d5b3fc37b57fc93c8efa114de1adaa\nhttp://security.debian.org/debian-security/pool/updates/main/a/apt/apt\n-utils_1.0.9.8.5_armhf.deb Size/SHA256 
checksum: 357074\n19dec9ffc0fe4a86d6e61b5213e75c55ae6aaade6f3804f90e2e4034bbdc44d8\nhttp://security.debian.org/debian-security/pool/updates/main/a/apt/apt\n-transport-https_1.0.9.8.5_armhf.deb Size/SHA256 checksum: 135072\n06ba556c5218e58fd14119e3b08a08f685209a0cbe09f2328bd572cabc580bca\n\ni386 architecture :\n\nhttp://security.debian.org/debian-security/pool/updates/main/a/apt/lib\napt-pkg4.12_1.0.9.8.5_i386.deb Size/SHA256 checksum: 800840\n201b6cf4625ed175e6a024ac1f7ca6c526ca79d859753c125b02cd69e26c349d\nhttp://security.debian.org/debian-security/pool/updates/main/a/apt/lib\napt-inst1.5_1.0.9.8.5_i386.deb Size/SHA256 checksum: 170484\n5791661dd4ade72b61086fefdc209bd1f76ac7b7c812d6d4ba951b1a6232f0b9\nhttp://security.debian.org/debian-security/pool/updates/main/a/apt/apt\n_1.0.9.8.5_i386.deb Size/SHA256 checksum: 1110418\n13c230e9c544b1e67a8da413046bf1728526372170533b1a23e70cc99c40a228\nhttp://security.debian.org/debian-security/pool/updates/main/a/apt/lib\napt-pkg-dev_1.0.9.8.5_i386.deb Size/SHA256 checksum: 193780\nc5b1bfa913ea2e2e332c228f5c5fe4dbc11ab334d0551a68ba6e87e94a51ffee\nhttp://security.debian.org/debian-security/pool/updates/main/a/apt/apt\n-utils_1.0.9.8.5_i386.deb Size/SHA256 checksum: 371218\n1a74b12c8bb6b3968a721f3aa96739073e4fe2ced9302792c533e21535bc9cf4\nhttp://security.debian.org/debian-security/pool/updates/main/a/apt/apt\n-transport-https_1.0.9.8.5_i386.deb Size/SHA256 checksum: 139036\n32148d92914a97df8bbb9f223e788dcbc7c39e570cf48e6759cb483a65b68666\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. 
Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://cdn-fastly.deb.debian.org/debian-security\"\n );\n # http://security.debian.org/debian-security/pool/updates/main/a/apt/apt-doc_1.0.9.8.5_all.deb\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?868b0759\"\n );\n # http://security.debian.org/debian-security/pool/updates/main/a/apt/apt-transport-https_1.0.9.8.5_amd64.deb\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?d4ec6efb\"\n );\n # http://security.debian.org/debian-security/pool/updates/main/a/apt/apt-transport-https_1.0.9.8.5_armel.deb\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?985bde3e\"\n );\n # http://security.debian.org/debian-security/pool/updates/main/a/apt/apt-transport-https_1.0.9.8.5_armhf.deb\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?10108a63\"\n );\n # http://security.debian.org/debian-security/pool/updates/main/a/apt/apt-transport-https_1.0.9.8.5_i386.deb\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?353fda54\"\n );\n # http://security.debian.org/debian-security/pool/updates/main/a/apt/apt-utils_1.0.9.8.5_amd64.deb\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?d5383837\"\n );\n # http://security.debian.org/debian-security/pool/updates/main/a/apt/apt-utils_1.0.9.8.5_armel.deb\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?f7b7a168\"\n );\n # http://security.debian.org/debian-security/pool/updates/main/a/apt/apt-utils_1.0.9.8.5_armhf.deb\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?a7d39274\"\n );\n # http://security.debian.org/debian-security/pool/updates/main/a/apt/apt-utils_1.0.9.8.5_i386.deb\n 
script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?73187c9f\"\n );\n # http://security.debian.org/debian-security/pool/updates/main/a/apt/apt_1.0.9.8.5_amd64.deb\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?c9f313ea\"\n );\n # http://security.debian.org/debian-security/pool/updates/main/a/apt/apt_1.0.9.8.5_armel.deb\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?ce74b7bd\"\n );\n # http://security.debian.org/debian-security/pool/updates/main/a/apt/apt_1.0.9.8.5_armhf.deb\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?f96c8811\"\n );\n # http://security.debian.org/debian-security/pool/updates/main/a/apt/apt_1.0.9.8.5_i386.deb\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?7ccdd0a1\"\n );\n # http://security.debian.org/debian-security/pool/updates/main/a/apt/libapt-inst1.5_1.0.9.8.5_amd64.deb\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?3e388cff\"\n );\n # http://security.debian.org/debian-security/pool/updates/main/a/apt/libapt-inst1.5_1.0.9.8.5_armel.deb\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?07af7490\"\n );\n # http://security.debian.org/debian-security/pool/updates/main/a/apt/libapt-inst1.5_1.0.9.8.5_armhf.deb\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?aa3c5561\"\n );\n # http://security.debian.org/debian-security/pool/updates/main/a/apt/libapt-inst1.5_1.0.9.8.5_i386.deb\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?59f97850\"\n );\n # http://security.debian.org/debian-security/pool/updates/main/a/apt/libapt-pkg-dev_1.0.9.8.5_amd64.deb\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?aca38205\"\n );\n # 
http://security.debian.org/debian-security/pool/updates/main/a/apt/libapt-pkg-dev_1.0.9.8.5_armel.deb\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?d45da10d\"\n );\n # http://security.debian.org/debian-security/pool/updates/main/a/apt/libapt-pkg-dev_1.0.9.8.5_armhf.deb\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?0f076bbb\"\n );\n # http://security.debian.org/debian-security/pool/updates/main/a/apt/libapt-pkg-dev_1.0.9.8.5_i386.deb\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?9f26eed9\"\n );\n # http://security.debian.org/debian-security/pool/updates/main/a/apt/libapt-pkg-doc_1.0.9.8.5_all.deb\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?21aa89cb\"\n );\n # http://security.debian.org/debian-security/pool/updates/main/a/apt/libapt-pkg4.12_1.0.9.8.5_amd64.deb\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?f455a86b\"\n );\n # http://security.debian.org/debian-security/pool/updates/main/a/apt/libapt-pkg4.12_1.0.9.8.5_armel.deb\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?17636c22\"\n );\n # http://security.debian.org/debian-security/pool/updates/main/a/apt/libapt-pkg4.12_1.0.9.8.5_armhf.deb\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?0e4b3dfb\"\n );\n # http://security.debian.org/debian-security/pool/updates/main/a/apt/libapt-pkg4.12_1.0.9.8.5_i386.deb\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?7c4de272\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.debian.org/debian-lts-announce/2019/01/msg00014.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/jessie/apt\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Upgrade the affected packages.\");\n 
script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:apt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:apt-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:apt-transport-https\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:apt-utils\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libapt-inst1.5\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libapt-pkg-dev\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libapt-pkg-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libapt-pkg4.12\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:8.0\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/01/28\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/01/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/01/23\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"8.0\", prefix:\"apt\", reference:\"1.0.9.8.5\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"apt-doc\", reference:\"1.0.9.8.5\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"apt-transport-https\", reference:\"1.0.9.8.5\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"apt-utils\", reference:\"1.0.9.8.5\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libapt-inst1.5\", reference:\"1.0.9.8.5\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libapt-pkg-dev\", reference:\"1.0.9.8.5\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libapt-pkg-doc\", reference:\"1.0.9.8.5\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libapt-pkg4.12\", reference:\"1.0.9.8.5\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-09-14T13:42:12", "description": "Max Justicz discovered a vulnerability in APT, the high level package\nmanager. The code handling HTTP redirects in the HTTP transport method\ndoesn't properly sanitize fields transmitted over the wire. This\nvulnerability could be used by an attacker located as a\nman-in-the-middle between APT and a mirror to inject malicous content\nin the HTTP connection. 
This content could then be recognized as a\nvalid package by APT and used later for code execution with root\nprivileges on the target machine.\n\nSince the vulnerability is present in the package manager itself, it\nis recommended to disable redirects in order to prevent exploitation\nduring this upgrade only, using :\n\napt -o Acquire::http::AllowRedirect=false update apt -o\nAcquire::http::AllowRedirect=false upgrade\n\nThis is known to break some proxies when used against\nsecurity.debian.org. If that happens, people can switch their security\nAPT source to use the URL linked in the advisory.", "edition": 11, "cvss3": {"score": 8.1, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-01-23T00:00:00", "title": "Debian DSA-4371-1 : apt - security update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-3462"], "modified": "2019-01-23T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:apt", "cpe:/o:debian:debian_linux:9.0"], "id": "DEBIAN_DSA-4371.NASL", "href": "https://www.tenable.com/plugins/nessus/121317", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-4371. 
The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(121317);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/02/25\");\n\n script_cve_id(\"CVE-2019-3462\");\n script_xref(name:\"DSA\", value:\"4371\");\n\n script_name(english:\"Debian DSA-4371-1 : apt - security update\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Max Justicz discovered a vulnerability in APT, the high level package\nmanager. The code handling HTTP redirects in the HTTP transport method\ndoesn't properly sanitize fields transmitted over the wire. This\nvulnerability could be used by an attacker located as a\nman-in-the-middle between APT and a mirror to inject malicous content\nin the HTTP connection. This content could then be recognized as a\nvalid package by APT and used later for code execution with root\nprivileges on the target machine.\n\nSince the vulnerability is present in the package manager itself, it\nis recommended to disable redirects in order to prevent exploitation\nduring this upgrade only, using :\n\napt -o Acquire::http::AllowRedirect=false update apt -o\nAcquire::http::AllowRedirect=false upgrade\n\nThis is known to break some proxies when used against\nsecurity.debian.org. 
If that happens, people can switch their security\nAPT source to use the URL linked in the advisory.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/source-package/apt\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/stretch/apt\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2019/dsa-4371\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the apt packages.\n\nFor the stable distribution (stretch), this problem has been fixed in\nversion 1.4.9.\n\nSpecific upgrade instructions :\n\nIf upgrading using APT without redirect is not possible in your\nsituation, you can manually download the files (using wget/curl) for\nyour architecture using the URL provided in the advisory, verifying\nthat the hashes match. Then you can install them using dpkg -i.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:apt\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:9.0\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/01/28\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/01/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/01/23\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n 
script_copyright(english:\"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"9.0\", prefix:\"apt\", reference:\"1.4.9\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"apt-doc\", reference:\"1.4.9\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"apt-transport-https\", reference:\"1.4.9\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"apt-utils\", reference:\"1.4.9\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"libapt-inst2.0\", reference:\"1.4.9\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"libapt-pkg-dev\", reference:\"1.4.9\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"libapt-pkg-doc\", reference:\"1.4.9\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"libapt-pkg5.0\", reference:\"1.4.9\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-09-18T10:57:59", "description": "Max Justicz discovered that APT incorrectly handled certain parameters\nduring redirects. 
If a remote attacker were able to perform a\nman-in-the-middle attack, this flaw could potentially be used to\ninstall altered packages.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 11, "cvss3": {"score": 8.1, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-01-23T00:00:00", "title": "Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS / 18.10 : APT vulnerability (USN-3863-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-3462"], "modified": "2019-01-23T00:00:00", "cpe": ["p-cpe:/a:canonical:ubuntu_linux:apt", "cpe:/o:canonical:ubuntu_linux:18.10", "cpe:/o:canonical:ubuntu_linux:16.04", "cpe:/o:canonical:ubuntu_linux:18.04:-:lts", "cpe:/o:canonical:ubuntu_linux:14.04"], "id": "UBUNTU_USN-3863-1.NASL", "href": "https://www.tenable.com/plugins/nessus/121328", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-3863-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. 
Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(121328);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/09/17\");\n\n script_cve_id(\"CVE-2019-3462\");\n script_xref(name:\"USN\", value:\"3863-1\");\n\n script_name(english:\"Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS / 18.10 : APT vulnerability (USN-3863-1)\");\n script_summary(english:\"Checks dpkg output for updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Ubuntu host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"Max Justicz discovered that APT incorrectly handled certain parameters\nduring redirects. If a remote attacker were able to perform a\nman-in-the-middle attack, this flaw could potentially be used to\ninstall altered packages.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/3863-1/\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected apt package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:apt\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:14.04\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:16.04\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:18.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:18.10\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/01/28\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/01/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/01/23\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2019-2020 Canonical, Inc. / NASL script (C) 2019-2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(14\\.04|16\\.04|18\\.04|18\\.10)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 14.04 / 16.04 / 18.04 / 18.10\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nflag = 0;\n\nif (ubuntu_check(osver:\"14.04\", pkgname:\"apt\", pkgver:\"1.0.1ubuntu2.19\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"apt\", pkgver:\"1.2.29ubuntu0.1\")) flag++;\nif (ubuntu_check(osver:\"18.04\", pkgname:\"apt\", pkgver:\"1.6.6ubuntu0.1\")) flag++;\nif (ubuntu_check(osver:\"18.10\", pkgname:\"apt\", pkgver:\"1.7.0ubuntu0.1\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"apt\");\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "cloudfoundry": [{"lastseen": "2019-05-29T18:33:02", "bulletinFamily": "software", "cvelist": ["CVE-2019-3462"], "description": "# \n\n# Severity\n\nHigh\n\n# Vendor\n\nCanonical Ubuntu\n\n# Versions Affected\n\n * Canonical Ubuntu 14.04\n * Canonical Ubuntu 16.04\n * 
Canonical Ubuntu 18.04\n\n# Description\n\nMax Justicz discovered that APT incorrectly handled certain parameters during redirects. If a remote attacker were able to perform a man-in-the-middle attack, this flaw could potentially be used to install altered packages.\n\nCVEs contained in this USN include: CVE-2019-3462\n\n# Affected Cloud Foundry Products and Versions\n\n_Severity is high unless otherwise noted._\n\n * Cloud Foundry BOSH trusty-stemcells are vulnerable, including: \n * 3586.x versions prior to 3586.70\n * 3541.x versions prior to 3541.74\n * 3468.x versions prior to 3468.94\n * 3445.x versions prior to 3445.90\n * All other stemcells not listed.\n * Cloud Foundry BOSH xenial-stemcells are vulnerable, including: \n * 170.x versions prior to 170.23\n * 97.x versions prior to 97.51\n * All other stemcells not listed.\n * All versions of Cloud Foundry cflinuxfs2 prior to 1.260.0\n * All versions of Cloud Foundry cflinuxfs3 prior to 0.51.0\n\n# Mitigation\n\nUsers of affected products are strongly encouraged to follow one of the mitigations below:\n\n * The Cloud Foundry project recommends upgrading the following BOSH trusty-stemcells: \n * Upgrade 3586.x versions to 3586.70\n * Upgrade 3541.x versions to 3541.74\n * Upgrade 3468.x versions to 3468.94\n * Upgrade 3445.x versions to 3445.90\n * All other stemcells should be upgraded to the latest version available on [bosh.io](<https://bosh.io/stemcells/#ubuntu-trusty>).\n * The Cloud Foundry project recommends upgrading the following BOSH xenial-stemcells: \n * Upgrade 170.x versions to 170.23\n * Upgrade 97.x versions to 97.51\n * All other stemcells should be upgraded to the latest version available on [bosh.io](<https://bosh.io/stemcells/#ubuntu-xenial>).\n * The Cloud Foundry project recommends that Cloud Foundry deployments run with cflinuxfs2 version 1.260.0 or later.\n * The Cloud Foundry project recommends that Cloud Foundry deployments run with cflinuxfs3 version 0.51.0 or later.\n\n# 
References\n\n * [USN-3863-1](<https://usn.ubuntu.com/3863-1>)\n * [CVE-2019-3462](<https://people.canonical.com/~ubuntu-security/cve/CVE-2019-3462>)\n", "edition": 3, "modified": "2019-01-24T00:00:00", "published": "2019-01-24T00:00:00", "id": "CFOUNDRY:C768FE56A2CAF17D23742FB506948084", "href": "https://www.cloudfoundry.org/blog/usn-3863-1/", "title": "USN-3863-1: APT vulnerability | Cloud Foundry", "type": "cloudfoundry", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "myhack58": [{"lastseen": "2019-01-27T23:52:14", "bulletinFamily": "info", "cvelist": [], "description": "0x00 vulnerability background \nOn 22 January 2019, @Max Justicz disclosed in his blog, in some detail, a remote code execution vulnerability in the Debian-based package manager apt/apt-get. Because APT fetches software for installation and updates over HTTP rather than HTTPS by default, an attacker who can hijack that HTTP traffic (for example from a MitM position) can use the redirect handling and crafted response headers to make a forged package pass APT's local signature check. Once triggered, the attack can give the attacker root privileges on the target server. \n360CERT assesses the vulnerability as seriously harmful but limited in scope. Users of Debian-based distributions are advised to update apt promptly, or to audit their servers' traffic for signs of this attack. \n\n0x01 vulnerability details \nFirst, by capturing traffic one can observe that apt's HTTP exchange during package download and installation has the following format: \n102 Status \nURI: http://deb.debian.org/debian/pool/main/c/cowsay/cowsay_3.03+dfsg2-3_all. deb \nMessage: Connecting to prod.debian.map.fastly.net \n102 Status \nURI: http://deb.debian.org/debian/pool/main/c/cowsay/cowsay_3.03+dfsg2-3_all. deb \nMessage: Connecting to prod.debian.map.fastly.net (2a04:4e42:8::204) \n102 Status \nURI: http://deb.debian.org/debian/pool/main/c/cowsay/cowsay_3.03+dfsg2-3_all. 
deb \nMessage: Waiting for headers \n200 URI Start \nURI: http://deb.debian.org/debian/pool/main/c/cowsay/cowsay_3.03+dfsg2-3_all. deb \nSize: 20070 \nLast-Modified: Tue, 17 Jan 2017 18:05:21 +0000 \n201 URI Done \nURI: http://deb.debian.org/debian/pool/main/c/cowsay/cowsay_3.03+dfsg2-3_all. deb \nFilename: /var/cache/apt/archives/partial/cowsay_3. 03+dfsg2-3_all. deb \nSize: 20070 \nLast-Modified: Tue, 17 Jan 2017 18:05:21 +0000 \nMD5-Hash: 27967ddb76b2c394a0714480b7072ab3 \nMD5Sum-Hash: 27967ddb76b2c394a0714480b7072ab3 \nSHA256-Hash: 858d5116a60ba2acef9f30e08c057ab18b1bd6df5ca61c233b6b7492fbf6b831 \nChecksum-FileSize-Hash: 20070 \nYou can find apt use a 201 response header field value as a check standard. By apt/apt-get during package installation time,HTTP extractor to the HTTP Location header for the URL decoding, and the blind to attach it to the 103 redirect response, and thus lead to vulnerabilities generated. \n// From methods/basehttp. cc \nNextURI = DeQuoteString(Req. Location); \n... \nRedirect(NextURI); \n// From apt-pkg/acquire-method. cc \nvoid pkgAcqMethod::Redirect(const string &NewURI;) \n{ \nstd::cout, \"103 Redirect\\nURI:\" Uri \"\\n\" \n\"New-URI:\" \"\\n\" \n\"\\n\" std::flush; \nDequeue(); \n} \nIf the http server returns a header with: \nLocation: /new-uri%0AFoo%3A%20Bar \nThe post-processing of the response packet are as follows: \n103 Redirect \nURI: http://deb.debian.org/debian/pool/main/c/cowsay/cowsay_3.03+dfsg2-3_all. deb \nNew-URI: http://deb.debian.org/new-uri \nFoo: Bar \nThen again further configured to: \nLocation: /payload%0A%0A201%20URI%20Done%0AURI%3A%20http%3A//deb. debian. org/payload%0AFilename%3A%20/var/lib/apt/lists/deb. debian. org_debian_dists_stretch_Release. 
gpg%0ASize%3A%2020070%0ALast-Modified%3A%20Tue%2C%2007%20Mar%202017%2000%3A29%3A01%20%2B0000%0AMD5-Hash%3A%2027967ddb76b2c394a0714480b7072ab3%0AMD5Sum-Hash%3A%2027967ddb76b2c394a0714480b7072ab3%0ASHA256-Hash%3A%20858d5116a60ba2acef9f30e08c057ab18b1bd6df5ca61c233b6b7492fbf6b831%0AChecksum-FileSize-Hash%3A%2020070%0A \nIt will form a hazard situation: \n103 Redirect \nURI: http://deb.debian.org/debian/pool/main/c/cowsay/cowsay_3.03+dfsg2-3_all. deb \nNew-URI: http://deb.debian.org/payload \n201 URI Done \nURI: http://deb.debian.org/payload \nFilename: /var/lib/apt/lists/deb. debian. org_debian_dists_stretch_Release. gpg \nSize: 20070 \nLast-Modified: Tue, 07 Mar 2017 00:29:01 +0000 \nMD5-Hash: 27967ddb76b2c394a0714480b7072ab3 \nMD5Sum-Hash: 27967ddb76b2c394a0714480b7072ab3 \nSHA256-Hash: 858d5116a60ba2acef9f30e08c057ab18b1bd6df5ca61c233b6b7492fbf6b831 \nChecksum-FileSize-Hash: 20070 \nThis apt would be the attacker's control, install the specified package and can be perfect through the verification steps, which led apt/apt-get install to unofficial sources in the package. And because apt/apt-get in General case only by permission of the relatively high user to perform, which led to the malicious package can be an arbitrary execution of code/commands. \n\n0x02 patch analysis \nAcqMethod::Redirect function through the NewURI in the character parity check to repair the vulnerability. \n\n0x03 repair recommendations \nDebian can be through added security branch of the source to be updated, the master branch is also affected: \n! [](/Article/UploadPic/2019-1/201912413355455. png) \nEnsure that the /etc/sources. the list contains the following fields: \ndeb http://deb.debian.org/debian-security/ {release version number, for example stretch}/updates main \ndeb-src http://deb.debian.org/debian-security/ {release version number, for example stretch}/updates main \nThen perform the apt update && apt-get install apt to complete the repair update. 
\nOn Ubuntu, upgrade the apt package to the fixed version for your release: \nUbuntu 18.10 apt \u2013 1.7.0ubuntu0.1 \nUbuntu 18.04 LTS apt \u2013 1.6.6ubuntu0.1 \nUbuntu 16.04 LTS apt \u2013 1.2.29ubuntu0.1 \nUbuntu 14.04 LTS apt \u2013 1.0.1ubuntu2.19 \nAlternatively, disable HTTP redirects while updating: \n$ sudo apt update -o Acquire::http::AllowRedirect=false \n$ sudo apt upgrade -o Acquire::http::AllowRedirect=false \n\n0x04 timeline \n2019-01-22 @Max Justicz disclosed the vulnerability details \n2019-01-23 360CERT issued its alert \n\n", "edition": 1, "modified": "2019-01-24T00:00:00", "published": "2019-01-24T00:00:00", "id": "MYHACK58:62201992718", "href": "http://www.myhack58.com/Article/html/3/62/2019/92718.htm", "title": "CVE-2019-3462: apt/apt-get remote code execution vulnerability alerts-a vulnerability alert-the black bar safety net", "type": "myhack58", "cvss": {"score": 0.0, "vector": "NONE"}}], "kitploit": [{"lastseen": "2020-12-08T05:23:24", "bulletinFamily": "tools", "cvelist": ["CVE-2019-6975", "CVE-2018-20346", "CVE-2019-3863", "CVE-2018-20505", "CVE-2018-14404", "CVE-2016-5385", "CVE-2019-11358", "CVE-2019-3861", "CVE-2017-7614", "CVE-2019-3823", "CVE-2018-16840", "CVE-2019-3858", "CVE-2018-14567", "CVE-2018-17456", "CVE-2017-14930", "CVE-2016-1252", "CVE-2015-5224", "CVE-2019-3462", "CVE-2018-20482", "CVE-2018-20685", "CVE-2019-3857", "CVE-2016-0634", "CVE-2018-16890", "CVE-2019-1543", "CVE-2018-3721", "CVE-2018-9251", "CVE-2018-12699", "CVE-2018-14618", "CVE-2019-6109", "CVE-2014-9939", "CVE-2019-5428", "CVE-2016-7543", "CVE-2019-9924", "CVE-2016-9401", "CVE-2011-3374", "CVE-2019-3856", "CVE-2017-13716", "CVE-2016-2779", "CVE-2019-3862", "CVE-2018-19486", "CVE-2018-20506", "CVE-2019-3855", "CVE-2019-3859", "CVE-2019-6111", "CVE-2019-3860", "CVE-2019-3822", "CVE-2018-3741", "CVE-2018-16839", "CVE-2017-8421", "CVE-2018-16842", "CVE-2018-16487"], "description": "A Simple and Comprehensive [ Vulnerability Scanner 
](<https://www.kitploit.com/search/label/Vulnerability%20Scanner> \"Vulnerability Scanner\" ) for Containers, Suitable for CI. \n \n\n\n[  ](<https://1.bp.blogspot.com/-1UySMBavE18/XbTjD34g1JI/AAAAAAAAQu4/4Te6530_9tYsuMryQd-Se0KGB4nkAY7IgCNcBGAsYHQ/s1600/trivy_7_usage.gif>)\n\n \n\n\n[  ](<https://1.bp.blogspot.com/-TYOxC4Qbct0/XbTjCrjEsxI/AAAAAAAAQuw/YGfdv_fB-HcijuGyoJsxeM2l4q1D9lcPgCNcBGAsYHQ/s1600/trivy_9_usage2.png>)\n\n \n\n\n[  ](<https://1.bp.blogspot.com/-sAp8dBwyVio/XbTjC1BIl1I/AAAAAAAAQu0/jfNQGljukp47bc9yJ_QX6nghXis43LkJQCNcBGAsYHQ/s1600/trivy_8_usage1.png>)\n\n \n** Abstract ** \n` Trivy ` ( ` tri ` pronounced like ** tri ** gger, ` vy ` pronounced like en ** vy ** ) is a simple and comprehensive vulnerability scanner for containers. A software vulnerability is a glitch, flaw, or weakness present in the software or in an Operating System. ` Trivy ` detects vulnerabilities of OS packages (Alpine, RHEL, CentOS, etc.) and application dependencies (Bundler, Composer, npm, yarn etc.). ` Trivy ` is easy to use. Just install the binary and you're ready to scan. All you need to do for scanning is to specify an image name of container. \nIt is considered to be used in CI. Before pushing to a container registry, you can scan your local container image easily. See [ here ](<https://github.com/aquasecurity/trivy#continuous-integration-ci> \"here\" ) for details. 
\n \n** Features ** \n\n\n * Detect comprehensive vulnerabilities \n * OS packages (Alpine, ** Red Hat Universal Base Image ** , [ Red Hat Enterprise ](<https://www.kitploit.com/search/label/Red%20Hat%20Enterprise> \"Red Hat Enterprise\" ) Linux, CentOS, Debian and Ubuntu) \n * ** Application dependencies ** (Bundler, Composer, Pipenv, Poetry, npm, yarn and Cargo) \n * Simple \n * Specify only an image name \n * See [ Quick Start ](<https://github.com/aquasecurity/trivy#quick-start> \"Quick Start\" ) and [ Examples ](<https://github.com/aquasecurity/trivy#examples> \"Examples\" )\n * Easy installation \n * ` apt-get install ` , ` yum install ` and ` brew install ` is possible (See [ Installation ](<https://github.com/aquasecurity/trivy#installation> \"Installation\" ) ) \n * ** No need for prerequirements ** such as installation of DB, libraries, etc. (The exception is that you need ` rpm ` installed to scan images based on RHEL/CentOS. This is automatically included if you use our installers or the Trivy container image. See [ Vulnerability Detection ](<https://github.com/aquasecurity/trivy#vulnerability-detection> \"Vulnerability Detection\" ) for background information.) \n * High accuracy \n * ** Especially Alpine Linux and RHEL/CentOS **\n * Other OSes are also high \n * DevSecOps \n * ** Suitable for CI ** such as Travis CI, CircleCI, Jenkins, etc. \n * See [ CI Example ](<https://github.com/aquasecurity/trivy#continuous-integration-ci> \"CI Example\" )\n \n** Installation ** \n \n** RHEL/CentOS ** \nAdd repository setting to ` /etc/yum.repos.d ` . 
\n\n \n \n $ sudo vim /etc/yum.repos.d/trivy.repo\n [trivy]\n name=Trivy repository\n baseurl=https://aquasecurity.github.io/trivy-repo/rpm/releases/$releasever/$basearch/\n gpgcheck=0\n enabled=1\n $ sudo yum -y update\n $ sudo yum -y install trivy\n\nor \n\n \n \n $ rpm -ivh https://github.com/aquasecurity/trivy/releases/download/v0.1.6/trivy_0.1.6_Linux-64bit.rpm\n\n \n** Debian/Ubuntu ** \nAdd repository to ` /etc/apt/sources.list.d ` . \n\n \n \n $ sudo apt-get install wget apt-transport-https gnupg lsb-release\n $ wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -\n $ echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list.d/trivy.list\n $ sudo apt-get update\n $ sudo apt-get install trivy\n\nor \n\n \n \n $ sudo apt-get install rpm\n $ wget https://github.com/aquasecurity/trivy/releases/download/v0.1.6/trivy_0.1.6_Linux-64bit.deb\n $ sudo dpkg -i trivy_0.1.6_Linux-64bit.deb\n\n \n** Arch Linux ** \nPackage trivy-bin can be installed from the Arch User Repository. Examples: \n\n \n \n pikaur -Sy trivy-bin\n\nor \n\n \n \n yay -Sy trivy-bin\n\n \n** Homebrew ** \nYou can use homebrew on macOS. \n\n \n \n $ brew install aquasecurity/trivy/trivy\n\n \n** Binary (Including Windows) ** \nGet the latest version from [ this page ](<https://github.com/aquasecurity/trivy/releases/latest> \"this page\" ) , and download the archive file for your operating system/architecture. Unpack the archive, and put the binary somewhere in your ` $PATH ` (on UNIX-y systems, /usr/local/bin or the like). Make sure it has execution bits turned on. \nYou also need to install ` rpm ` command for scanning images based on RHEL/CentOS. 
\n \n** From source ** \n\n \n \n $ mkdir -p $GOPATH/src/github.com/aquasecurity\n $ cd $GOPATH/src/github.com/aquasecurity\n $ git clone https://github.com/aquasecurity/trivy\n $ cd trivy/cmd/trivy/\n $ export GO111MODULE=on\n $ go install\n\nYou also need to install ` rpm ` command for scanning images based on RHEL/CentOS. \n \n** Quick Start ** \nSimply specify an image name (and a tag). ** The ` latest ` tag should be avoided as problems occur with cache. ** . See [ Clear image caches ](<https://github.com/aquasecurity/trivy#clear-image-caches> \"Clear image caches\" ) . \n \n** Basic ** \n\n \n \n $ trivy [YOUR_IMAGE_NAME]\n\nFor example: \n\n \n \n $ trivy python:3.4-alpine\n\n \n \nResult \n\n \n \n 2019-05-16T01:20:43.180+0900 INFO Updating vulnerability database...\n 2019-05-16T01:20:53.029+0900 INFO Detecting Alpine vulnerabilities...\n \n python:3.4-alpine3.9 (alpine 3.9.2)\n ===================================\n Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)\n \n +---------+------------------+----------+-------------------+---------------+--------------------------------+\n | LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |\n +---------+------------------+----------+-------------------+---------------+--------------------------------+\n | openssl | CVE-2019-1543 | MEDIUM | 1.1.1a-r1 | 1.1.1b-r1 | openssl: ChaCha20-Poly1305 |\n | | | | | | with long nonces |\n +---------+------------------+----------+-------------------+---------------+------------------- -------------+\n\n \n** Docker ** \nReplace [YOUR_CACHE_DIR] with the cache directory on your machine. \n\n \n \n $ docker run --rm -v [YOUR_CACHE_DIR]:/root/.cache/ aquasec/trivy [YOUR_IMAGE_NAME]\n\nExample for macOS: \n\n \n \n $ docker run --rm -v $HOME/Library/Caches:/root/.cache/ aquasec/trivy python:3.4-alpine\n\nIf you would like to scan the image on your host machine, you need to mount ` docker.sock ` . 
\n\n \n \n $ docker run --rm -v /var/run/docker.sock:/var/run/docker.sock \\\n -v $HOME/Library/Caches:/root/.cache/ aquasec/trivy python:3.4-alpine\n\nPlease re-pull latest ` aquasec/trivy ` if an error occurred. \n \n \nResult \n\n \n \n 2019-05-16T01:20:43.180+0900 INFO Updating vulnerability database...\n 2019-05-16T01:20:53.029+0900 INFO Detecting Alpine vulnerabilities...\n \n python:3.4-alpine3.9 (alpine 3.9.2)\n ===================================\n Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)\n \n +---------+------------------+----------+-------------------+---------------+--------------------------------+\n | LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |\n +---------+------------------+----------+-------------------+---------------+--------------------------------+\n | openssl | CVE-2019-1543 | MEDIUM | 1.1.1a-r1 | 1.1.1b-r1 | openssl: ChaCha20-Poly1305 |\n | | | | | | with long nonces |\n +---------+------------------+----------+-------------------+---------------+------------------- -------------+\n\n \n** Examples ** \n \n** Scan an image ** \nSimply specify an image name (and a tag). 
\n\n \n \n $ trivy knqyf263/vuln-image:1.2.3\n\n \n \nResult \n\n \n \n 2019-05-16T12:58:55.967+0900 INFO Updating vulnerability database...\n 2019-05-16T12:59:03.150+0900 INFO Detecting Alpine vulnerabilities...\n 2019-05-16T12:59:03.156+0900 INFO Updating bundler Security DB...\n 2019-05-16T12:59:04.941+0900 INFO Detecting bundler vulnerabilities...\n 2019-05-16T12:59:04.942+0900 INFO Updating cargo Security DB...\n 2019-05-16T12:59:05.967+0900 INFO Detecting cargo vulnerabilities...\n 2019-05-16T12:59:05.967+0900 INFO Updating composer Security DB...\n 2019-05-16T12:59:07.834+0900 INFO Detecting composer vulnerabilities...\n 2019-05-16T12:59:07.834+0900 INFO Updating npm Security DB...\n 2019-05-16T12:59:10.285+0900 INFO Detecting npm vulnerabilities...\n 2019-05-16T12:59:10.285+0900 INFO Updating pipenv Security DB...\n 2019-05-16T12:59:11.487+0900 INFO Detecting pipenv vulnerabilities...\n \n knqyf263/vuln-image:1.2.3 (alpine 3.7.1)\n ===== ===================================\n Total: 26 (UNKNOWN: 0, LOW: 3, MEDIUM: 16, HIGH: 5, CRITICAL: 2)\n \n +---------+------------------+----------+-------------------+---------------+----------------------------------+\n | LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |\n +---------+------------------+----------+-------------------+---------------+----------------------------------+\n | curl | CVE-2018-14618 | CRITICAL | 7.61.0-r0 | 7.61.1-r0 | curl: NTLM password overflow |\n | | | | | | via integer overflow |\n + +------------------+----------+ +---------------+----------------------------------+\n | | CVE-2018-16839 | HIGH | | 7.61.1-r1 | curl: Integer overflow leading |\n | | | | | | to heap-based buffer overflow in |\n | | | | | | Curl_sasl_create_plain_message() |\n + +------------------+ + +---------------+----------------------------------+\n | | CVE-2019-3822 | | | 7.61.1-r2 | curl: NTLMv2 type-3 header |\n | | | | | | stack buffer overflow |\n + +------------------+ + 
+---------------+----------------------------------+\n | | CVE-2018-16840 | | | 7.61.1-r1 | curl: Use-after-free when |\n | | | | | | closing \"easy\" handle in |\n | | | | | | Curl_close() |\n + +------------------+----------+ + +----------------------------------+\n | | CVE-2018-16842 | MEDIUM | | | curl: Heap-based buffer |\n | | | | | | over-read in the curl tool |\n | | | | | | warning formatting |\n + +------------------+ + +---------------+----------------------------------+\n | | CVE-2018-16890 | | | 7.61.1-r2 | curl: NTLM type-2 heap |\n | | | | | | out-of-bounds buffer read |\n + +------------------+ + + +----------------------------------+\n | | CVE-2019-3823 | | | | curl: SMTP end-of-response |\n | | | | | | out-of-bounds read |\n +---------+------------------+----------+-------------------+---------------+----------------------------------+\n | git | CVE-2018-17456 | HIGH | 2.15.2-r0 | 2.15.3-r0 | git: arbitrary code execution |\n | | | | | | via .gitmodules |\n + +------------------+ + + +----------------------------------+\n | | CVE-2018-19486 | | | | git: Improper handling of |\n | | | | | | PATH allows for commands to be |\n | | | | | | executed from... |\n +---------+-- ----------------+----------+-------------------+---------------+----------------------------------+\n | libssh2 | CVE-2019-3855 | CRITICAL | 1.8.0-r2 | 1.8.1-r0 | libssh2: Integer overflow in |\n | | | | | | transport read resulting in |\n | | | | | | out of bounds write... |\n + +------------------+----------+ + +----------------------------------+\n | | CVE-2019-3859 | MEDIUM | | | libssh2: Unchecked use of |\n | | | | | | _libssh2_packet_require and |\n | | | | | | _libssh2_packet_requirev |\n | | | | | | resulting in out-of-bounds |\n | | | | | | read |\n + +------------------+ + + +----------------------------------+\n | | CVE-2019-3858 | | | | libssh2: Zero-byte allocation |\n | | | | | | with a specially crafted SFTP |\n | | | | | | packed leading to an... 
|\n + +------------------+ + + +----------------------------------+\n | | CVE-2019-3863 | | | | libssh2: Integer overflow |\n | | | | | | in user authenticate |\n | | | | | | keyboard interactive allows |\n | | | | | | out-of-bounds writes |\n + +------------------+ + + +----------------------------------+\n | | CVE-2019-3862 | | | | libssh2: Out-of-bounds memory |\n | | | | | | comparison with specially |\n | | | | | | crafted message channel |\n | | | | | | request |\n + +------------------+ + + +----------------------------------+\n | | CVE-2019-3860 | | | | l ibssh2: Out-of-bounds reads |\n | | | | | | with specially crafted SFTP |\n | | | | | | packets |\n + +------------------+ + + +----------------------------------+\n | | CVE-2019-3857 | | | | libssh2: Integer overflow in |\n | | | | | | SSH packet processing channel |\n | | | | | | resulting in out of... |\n + +------------------+ + + +----------------------------------+\n | | CVE-2019-3861 | | | | libssh2: Out-of-bounds reads |\n | | | | | | with specially crafted SSH |\n | | | | | | packets |\n + +------------------+ + + +----------------------------------+\n | | CVE-2019-3856 | | | | libssh2: Integer overflow in |\n | | | | | | keyboard interactive handling |\n | | | | | | resulting in out of bounds... |\n +---------+------------------+ +-------------------+---------------+----------------------------------+\n | libxml2 | CVE-2018-14567 | | 2.9.7-r0 | 2.9.8-r1 | libxml2: Infinite loop when |\n | | | | | | --with-lzma is used allows for |\n | | | | | | denial of service... |\n + +------------------+ + + +----------------------------------+\n | | CVE-2018-14404 | | | | libxml2: NULL pointer |\n | | | | | | dereference in |\n | | | | | | xpath.c:xmlXPathCompOpEval() |\n | | | | | | can allow attackers to cause |\n | | | | | | a... 
|\n + +------------------+- ---------+ + +----------------------------------+\n | | CVE-2018-9251 | LOW | | | libxml2: infinite loop in |\n | | | | | | xz_decomp function in xzlib.c |\n +---------+------------------+----------+-------------------+---------------+----------------------------------+\n | openssh | CVE-2019-6109 | MEDIUM | 7.5_p1-r9 | 7.5_p1-r10 | openssh: Missing character |\n | | | | | | encoding in progress display |\n | | | | | | allows for spoofing of scp... |\n + +------------------+ + + +----------------------------------+\n | | CVE-2019-6111 | | | | openssh: Impro per validation |\n | | | | | | of object names allows |\n | | | | | | malicious server to overwrite |\n | | | | | | files... |\n + +------------------+----------+ + +----------------------------------+\n | | CVE-2018-20685 | LOW | | | openssh: scp client improper |\n | | | | | | directory name validation |\n +---------+------------------+----------+-------------------+---------------+----------------------------------+\n | sqlite | CVE-2018-20346 | MEDIUM | 3.21.0-r1 | 3.25.3-r0 | sqlite: Multiple flaws in |\n | | | | | | sqlite which can be triggered |\n | | | | | | via corrupted internal... 
|\n +---------+------------------+----------+-------------------+---------------+----------------------------------+\n | tar | CVE-2018-20482 | LOW | 1.29-r1 | 1.31-r0 | tar: Infinite read loop in |\n | | | | | | sparse_dump_region function in |\n | | | | | | sparse.c |\n +---------+------------------+----------+-------------------+---------------+----------------------------------+\n \n ruby-app/Gemfile.lock\n =====================\n Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)\n \n +----------------------+------------------+----------+-------------------+----------- ----+--------------------------------+\n | LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |\n +----------------------+------------------+----------+-------------------+---------------+--------------------------------+\n | rails-html-sanitizer | CVE-2018-3741 | MEDIUM | 1.0.3 | >= 1.0.4 | rubygem-rails-html-sanitizer: |\n | | | | | | non-whitelisted attributes |\n | | | | | | are present in sanitized |\n | | | | | | output when input with |\n | | | | | | specially-crafted... 
|\n +----------------------+------------------+----------+- ------------------+---------------+--------------------------------+\n \n rust-app/Cargo.lock\n ===================\n Total: 3 (UNKNOWN: 3, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)\n \n +---------+-------------------+----------+-------------------+---------------+--------------------------------+\n | LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |\n +---------+-------------------+----------+-------------------+---------------+--------------------------------+\n | ammonia | RUSTSEC-2019-0001 | UNKNOWN | 1.9.0 | >= 2.1.0 | Uncontrolled recursion leads |\n | | | | | | to abort in HTML serialization |\n +---------+-------------------+ +-------------------+---------------+--------------------------------+\n | openssl | RUSTSEC-2016-0001 | | 0.8.3 | >= 0.9.0 | SSL/TLS MitM vulne rability due |\n | | | | | | to insecure defaults |\n + +-------------------+ + +---------------+--------------------------------+\n | | RUSTSEC-2018-0010 | | | >= 0.10.9 | Use after free in CMS Signing |\n +---------+-------------------+----------+-------------------+---------------+--------------------------------+\n \n php-app/composer.lock\n =====================\n Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)\n \n +-------------------+------------------+----------+-------------------+---------------------+--------------------------------+\n | LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |\n +-------------------+------------------+----------+-------------------+---------------------+--------------------------- -----+\n | guzzlehttp/guzzle | CVE-2016-5385 | MEDIUM | 6.2.0 | 6.2.1, 4.2.4, 5.3.1 | PHP: sets environmental |\n | | | | | | variable based on user |\n | | | | | | supplied Proxy request header |\n +-------------------+------------------+----------+-------------------+---------------------+--------------------------------+\n \n 
node-app/package-lock.json\n ==========================\n Total: 4 (UNKNOWN: 0, LOW: 0, MEDIUM: 3, HIGH: 1, CRITICAL: 0)\n \n +---------+------------------+----------+-------------------+---------------+--------------------------------+\n | LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |\n +---------+------------------+----------+-------------------+---------------+---------------- ----------------+\n | jquery | CVE-2019-5428 | MEDIUM | 3.3.9 | >=3.4.0 | Modification of |\n | | | | | | Assumed-Immutable Data (MAID) |\n + +------------------+ + + +--------------------------------+\n | | CVE-2019-11358 | | | | js-jquery: prototype pollution |\n | | | | | | in object's prototype leading |\n | | | | | | to denial of service or... |\n +---------+------------------+----------+-------------------+---------------+--------------------------------+\n | lodash | CVE-2018-16487 | HIGH | 4.17.4 | >=4.17.11 | lodash: Prototype pollution in |\n | | | | | | utilities function |\n + +------------------+----------+ +---------------+ +\n | | CVE-2018-3721 | MEDIUM | | >=4.17.5 | |\n | | | | | | |\n +---------+------------------+----------+-------------------+---------------+--------------------------------+\n \n python-app/Pipfile.lock\n =======================\n Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)\n \n +---------+------------------+----------+-------------------+---------------+------------------------------------+\n | LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |\n +---------+------------------+----------+-------------------+---------------+------------------------------------+\n | django | CVE-2019-6975 | MEDIUM | 2.0.9 | 2.0.11 | python-django: |\n | | | | | | memory exhaustion in |\n | | | | | | django.utils.numberformat.format() |\n +---------+------------------+----------+-------------------+---------------+------------------------------------+\n\n \n \n** Scan an image file ** 
\n\n \n \n $ docker save ruby:2.3.0-alpine3.9 -o ruby-2.3.0.tar\n $ trivy --input ruby-2.3.0.tar\n\n \n \nResult \n\n \n \n 2019-05-16T12:45:57.332+0900 INFO Updating vulnerability database...\n 2019-05-16T12:45:59.119+0900 INFO Detecting Debian vulnerabilities...\n \n ruby-2.3.0.tar (debian 8.4)\n ===========================\n Total: 7447 (UNKNOWN: 5, LOW: 326, MEDIUM: 5695, HIGH: 1316, CRITICAL: 105)\n \n +------------------------------+---------------------+----------+----------------------------+----------------------------------+-----------------------------------------------------+\n | LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |\n +------------------------------+---------------------+----------+----------------------------+----------------------------------+-----------------------------------------------------+\n | apt | CVE-2019-3462 | CRITICAL | 1.0.9.8.3 | 1.0.9.8.5 | Incorrect sanitation of the |\n | | | | | | 302 redirect field in HTTP |\n | | | | | | transport method of... |\n + +---------------------+----------+ +----------------------------------+-----------------------------------------------------+\n | | CVE-2016-1252 | MEDIUM | | 1.0.9.8.4 | The apt package in Debian |\n | | | | | | jessie before 1.0.9.8.4, in |\n | | | | | | Debian unstable before... 
|\n + +---------------------+----------+ +----------------------------------+-----------------------------------------------------+\n | | CVE-2011-3374 | LOW | | | |\n +------------------------------+---------------------+----------+----------------------------+----------------------------------+-----------------------------------------------------+\n | bash | CVE-2016-7543 | HIGH | 4.3-11 | 4.3-11+deb8u1 | bash: Specially crafted |\n | | | | | | SHELLOPTS+PS4 variables allows |\n | | | | | | command substitution |\n + +---------------------+ + +----------------------------------+-----------------------------------------------------+\n | | CVE-2019-9924 | | | 4.3-11+deb8u2 | bash: BASH_CMD is writable in |\n | | | | | | restricted bash shells |\n + +---------------------+----------+ +----------------------------------+-----------------------------------------------------+\n | | CVE-2016-0634 | MEDIUM | | 4.3-11+deb8u1 | bash: Arbitrary code execution |\n | | | | | | via malicious hostname |\n + +---------------------+----------+ +----------------------------------+-----------------------------------------------------+\n | | CVE-2016-9401 | LOW | | 4.3-11+deb8u2 | bash: popd controlled free |\n + +---------------------+ + +----------------------------------+--------------------- --------------------------------+\n | | TEMP-0841856-B18BAF | | | | |\n +------------------------------+---------------------+----------+----------------------------+----------------------------------+-----------------------------------------------------\n ...\n\n \n \n** Save the results as JSON ** \n\n \n \n $ trivy -f json -o results.json golang:1.12-alpine\n\n \n \nResult \n\n \n \n 2019-05-16T01:46:31.777+0900 INFO Updating vulnerability database...\n 2019-05-16T01:47:03.007+0900 INFO Detecting Alpine vulnerabilities...\n\n \nJSON \n\n \n \n [\n {\n \"Target\": \"php-app/composer.lock\",\n \"Vulnerabilities\": null\n },\n {\n \"Target\": \"node-app/package-lock.json\",\n 
\"Vulnerabilities\": [\n {\n \"VulnerabilityID\": \"CVE-2018-16487\",\n \"PkgName\": \"lodash\",\n \"InstalledVersion\": \"4.17.4\",\n \"FixedVersion\": \"\\u003e=4.17.11\",\n \"Title\": \"lodash: Prototype pollution in utilities function\",\n \"Description\": \"A prototype pollution vulnerability was found in lodash \\u003c4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype.\",\n \"Severity\": \"HIGH\",\n \"References\": [\n \"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16487\",\n ]\n }\n ]\n },\n {\n \"Target\": \"trivy-ci-test (alpine 3.7.1)\",\n \"Vulnerabilities\": [\n {\n \"VulnerabilityID\": \"CVE-2018-16840\",\n \"PkgName\": \"curl\",\n \"InstalledVersion\": \"7.61.0-r0\",\n \"FixedVersion\": \"7.61.1-r1\",\n \"Title\": \"curl: Use-after-free when closing \\\"easy\\\" handle in Curl_close()\",\n \"Description\": \"A heap use-after-free flaw was found in curl versions from 7.59.0 through 7.61.1 in the code related to closing an easy handle. \",\n \"Severity\": \"HIGH\",\n \"References\": [\n \"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16840\",\n ]\n },\n {\n \"VulnerabilityID\": \"CVE-2019-3822\",\n \"PkgName\": \"curl\",\n \"InstalledVersion\": \"7.61.0-r0\",\n \"FixedVersion\": \"7.61.1-r2\",\n \"Title\": \"curl: NTLMv2 type-3 header stack buffer overflow\",\n \"Description\": \"libcurl versions from 7.36.0 to before 7.64.0 are vulnerable to a stack-based buffer overflow. 
\",\n \"Severity\": \"HIGH\",\n \"References\": [\n \"https://curl.haxx.se/docs/CVE-2019-3822.html\",\n \"https://lists.apache.org/thread.html/[email\u00a0protected]%3Cdevnull.infra.apache.org%3E\"\n ]\n },\n {\n \"VulnerabilityID\": \"CVE-2018-16839\",\n \"PkgName\": \"curl\",\n \"InstalledVersion\": \"7.61.0-r0\",\n \"FixedVersion\": \"7.61.1-r1\",\n \"Title\": \"curl: Integer overflow leading to heap-based buffer overflow in Curl_sasl_create_plain_message()\",\n \"Description\": \"Curl versions 7.33.0 through 7.61.1 are vulnerable to a buffer overrun in the SASL authentication code that may lead to denial of service.\",\n \"Severity\": \"HIGH\",\n \"References\": [\n \"https://github.com/curl/curl/commit/f3a24d7916b9173c69a3e0ee790102993833d6c5\",\n ]\n },\n {\n \"VulnerabilityID\": \"CVE-2018-19486\",\n \"PkgName\": \"git\",\n \"InstalledVersion\": \"2.15.2-r0\",\n \"FixedVersion\": \"2.15.3-r0\",\n \"Title\": \"git: Improper handling of PATH allows for commands to be executed from the current directory\",\n \"Description\": \"Git before 2.19.2 on Linux and UNIX executes commands from the current working directory (as if '.' 
were at the end of $PATH) in certain cases involving the run_command() API and run-command.c, because there was a dangerous change from execvp to execv during 2017.\",\n \"Severity\": \"HIGH\",\n \"References\": [\n \"https://usn.ubuntu.com/3829-1/\",\n ]\n },\n {\n \"VulnerabilityID\": \"CVE-2018-17456\",\n \"PkgName\": \"git\",\n \"InstalledVersion\": \"2.15.2-r0\",\n \"FixedVersion\": \"2.15.3-r0\",\n \"Title\": \"git: arbitrary code execution via .gitmodules\",\n \"Description\": \"Git before 2.14.5, 2.15.x before 2.15.3, 2.16.x before 2.16.5, 2.17.x before 2.17.2, 2.18.x before 2.18.1, and 2.19.x before 2.19.1 allows remote code execution during processing of a recursive \\\"git clone\\\" of a superproject if a .gitmodules file has a URL field beginning with a '-' character.\",\n \"Severity\": \"HIGH\",\n \"References\": [\n \"http://www.securitytracker.com/id/1041811\",\n ]\n }\n ]\n },\n {\n \"Target\": \"python-app/Pipfile.lock\",\n \"Vulnerabilities\": null\n },\n {\n \"Target\": \"ruby-app/Gemfile.lock\",\n \"Vulnerabilities\": null\n },\n {\n \"Target\": \"rust-app/Cargo.lock\",\n \"Vulnerabilities\": null\n }\n ]\n\n \n \n** Filter the vulnerabilities by severities ** \n\n \n \n $ trivy --severity HIGH,CRITICAL ruby:2.3.0\n\n \n \nResult \n\n \n \n 2019-05-16T01:51:46.255+0900 INFO Updating vulnerability database...\n 2019-05-16T01:51:49.213+0900 INFO Detecting Debian vulnerabilities...\n \n ruby:2.3.0 (debian 8.4)\n =======================\n Total: 1785 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1680, CRITICAL: 105)\n \n +-----------------------------+------------------+----------+---------------------------+----------------------------------+-------------------------------------------------+\n | LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |\n 
+-----------------------------+------------------+----------+---------------------------+----------------------------------+-------------------------------------------------+\n | apt | CVE-2019-3462 | CRITICAL | 1.0.9.8.3 | 1.0.9.8.5 | Incorrect sanitation of the |\n | | | | | | 302 redirect field in HTTP |\n | | | | | | transport method of... |\n +-----------------------------+------------------+----------+---------------------------+----------------------------------+-------------------------------------------------+\n | bash | CVE-2019-9924 | HIGH | 4.3-11 | 4.3-11+deb8u2 | bash: BASH_CMD is writable in |\n | | | | | | restricted bash shells |\n + +------------------+ + +----------------------------------+-------------------------------------------------+\n | | CVE-2016-7543 | | | 4.3-11+deb8u1 | bash: Specially crafted |\n | | | | | | SHELLOPTS+PS4 variables allows |\n | | | | | | command substitution |\n +-----------------------------+------------------+ +---------------------------+----------------------------------+-------------------------------------------------+\n | binutils | CVE-2017-8421 | | 2.25-5 | | binutils: Memory exhaustion in |\n | | | | | | objdump via a crafted PE file |\n + +------------------+ + +----------------------------------+-------------------------------------------------+\n | | CVE-2017-14930 | | | | binutils: Memory leak in |\n | | | | | | decode_line_info |\n + +------------------+ + +----------------------------------+-------------------------------------------------+\n | | CVE-2017-7614 | | | | binutils: NULL |\n | | | | | | pointer dereference in |\n | | | | | | bfd_elf_final_link function |\n + +------------------+ + +----------------------------------+-------------------------------------------------+\n | | CVE-2014-9939 | | | | binutils: buffer overflow in |\n | | | | | | ihex.c |\n + +------------------+ + +----------------------------------+-------------------------------------------------+\n | | CVE-2017-13716 | | | | 
binutils: Memory leak with the |\n | | | | | | C++ symbol demangler routine |\n | | | | | | in libiberty |\n + +------------------+ + +----------------------------------+-------------------------------------------------+\n | | CVE-2018-12699 | | | | binutils: heap-based buffer |\n | | | | | | overflow in finish_stab in |\n | | | | | | stabs.c |\n +-----------------------------+------------------+ +---------------------------+----------------------------------+-------------------------------------------------+\n | bsdutils | CVE-2015-5224 | | 2.25.2-6 | | util-linux: File name |\n | | | | | | collision due to incorrect |\n | | | | | | mkstemp use |\n + +------------------+ + +----------------------------------+-------------------------------------------------+\n | | CVE-2016-2779 | | | | util-linux: runuser tty hijack |\n | | | | | | via TIOCSTI ioctl |\n +-----------------------------+------------------+----------+---------------------------+----------------------------------+-------------------------------------------------+\n\n \n \n** Filter the vulnerabilities by type ** \n\n \n \n $ trivy --vuln-type os ruby:2.3.0\n\nAvailable values: \n\n\n * library \n * os \n \nResult \n\n \n \n 2019-05-22T19:36:50.530+0200 [34mINFO[0m Updating vulnerability database...\n 2019-05-22T19:36:51.681+0200 [34mINFO[0m Detecting Alpine vulnerabilities...\n 2019-05-22T19:36:51.685+0200 [34mINFO[0m Updating npm Security DB...\n 2019-05-22T19:36:52.389+0200 [34mINFO[0m Detecting npm vulnerabilities...\n 2019-05-22T19:36:52.390+0200 [34mINFO[0m Updating pipenv Security DB...\n 2019-05-22T19:36:53.406+0200 [34mINFO[0m Detecting pipenv vulnerabilities...\n \n ruby:2.3.0 (debian 8.4)\n Total: 4751 (UNKNOWN: 1, LOW: 150, MEDIUM: 3504, HIGH: 1013, CRITICAL: 83)\n \n +---------+------------------+----------+-------------------+---------------+----------------------------------+\n | LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |\n 
+---------+------------------+----------+-------------------+---------- -----+----------------------------------+\n | curl | CVE-2018-14618 | CRITICAL | 7.61.0-r0 | 7.61.1-r0 | curl: NTLM password overflow |\n | | | | | | via integer overflow |\n + +------------------+----------+ +---------------+----------------------------------+\n | | CVE-2018-16839 | HIGH | | 7.61.1-r1 | curl: Integer overflow leading |\n | | | | | | to heap-based buffer overflow in |\n | | | | | | Curl_sasl_create_plain_message() |\n + +------------------+ + +---------------+----------------------------------+\n | | CVE-2019-3822 | | | 7.61.1-r2 | curl: NTLMv2 type-3 header |\n | | | | | | stack buffer overflow |\n + +------------------+ + +---------------+----------------------------------+\n | | CVE-2018-16840 | | | 7.61.1-r1 | curl: Use-after-free when |\n | | | | | | closing \"easy\" handle in |\n | | | | | | Curl_close() |\n + +------------------+----------+ +---------------+----------------------------------+\n | | CVE-2019-3823 | MEDIUM | | 7.61.1-r2 | curl: SMTP end-of-response |\n | | | | | | out-of-bounds read |\n + +------------------+ + + +----------------------------------+\n | | CVE-2018-16890 | | | | curl: NTLM type-2 heap |\n | | | | | | out-of-bounds buffer read |\n + +------------------+ + +---------------+----------------------------------+\n | | CVE-2018-16842 | | | 7.61.1-r1 | curl: Heap-based buffer |\n | | | | | | over-read in the curl tool |\n | | | | | | warning formatting |\n +---------+------------------+----------+-------------------+---------------+----------------------------------+\n | git | CVE-2018-17456 | HIGH | 2.15.2-r0 | 2.15.3-r0 | git: arbitrary code execution |\n | | | | | | via .gitmodules |\n + +------------------+ + + +----------------------------------+\n | | CVE-2018-19486 | | | | git: Improper handling of |\n | | | | | | PATH allows for commands to be |\n | | | | | | executed from... 
|\n +---------+------------------+----------+-------------------+---------------+----------------------------------+\n | libssh2 | CVE-2019-3855 | CRITICAL | 1.8.0-r2 | 1.8.1-r0 | libssh2: Integer overflow in |\n | | | | | | transport read resulting in |\n | | | | | | out of bounds write... |\n + +------------------+----------+ + +----------------------------------+\n | | CVE-2019-3861 | MEDIUM | | | libssh2: Out-of-bounds reads |\n | | | | | | with specially crafted SSH |\n | | | | | | packets |\n + +------------------+ + + +----------------------------------+\n | | CVE-2019-3857 | | | | libssh2: Integer overflow in |\n | | | | | | SSH packet processing channel |\n | | | | | | resulting in out of... |\n + +------------------+ + + +----------------------------------+\n | | CVE-2019-3856 | | | | libssh2: Integer overflow in |\n | | | | | | keyboard interactive handling |\n | | | | | | resulting in out of bounds... |\n + +------------------+ + + +----------------------------------+\n | | CVE-2019-3863 | | | | libssh2: Integer overflow |\n | | | | | | in user authenticate |\n | | | | | | keyboard interactive allows |\n | | | | | | out-of-bounds writes |\n + +------------------+ + + +----------------------------------+\n | | CVE-2019-3862 | | | | libssh2: Out-of-bounds memory |\n | | | | | | comparison with specially |\n | | | | | | crafted message channel |\n | | | | | | request |\n + +------------------+ + + +----------------------------------+\n | | CVE-2019-3860 | | | | libssh2: Out-of-bounds reads |\n | | | | | | with specially crafted SFTP |\n | | | | | | packets |\n + +------------------+ + + +----------------------------------+\n | | CVE-2019-3858 | | | | libssh2: Zero-byte allocation |\n | | | | | | with a specially crafted SFTP |\n | | | | | | packed leading to an... 
|\n + +------------------+ + + +----------------------------------+\n | | CVE-2019-3859 | | | | libssh2: Unchecked use of |\n | | | | | | _libssh2_packet_require and |\n | | | | | | _libssh2_packet_requirev |\n | | | | | | resulting in out-of-bounds |\n | | | | | | read |\n +---------+------------------+ +-------------------+---------------+----------------------------------+\n | libxml2 | CVE-2018-14404 | | 2.9.7-r0 | 2.9.8-r1 | libxml2: NULL pointer |\n | | | | | | dereference in |\n | | | | | | xpath.c:xmlXPathCompOpEval() |\n | | | | | | can allow attackers to cause |\n | | | | | | a... |\n + +------------------+ + + +----------------------------------+\n | | CVE-2018-14567 | | | | libxml2: Infinite loop when |\n | | | | | | --with-lzma is used allows for |\n | | | | | | denial of service... |\n + +------------------+----------+ + +----------------------------------+\n | | CVE-2018-9251 | LOW | | | libxml2: infinite loop in |\n | | | | | | xz_decomp function in xzlib.c |\n +---------+------------------+----------+-------------------+---------------+----------------------------------+\n | openssh | CVE-2019-6109 | MEDIUM | 7.5_p1-r9 | 7.5_p1-r10 | openssh: Missing character |\n | | | | | | encoding in progress display |\n | | | | | | allows for spoofing of scp... |\n + +------------------+ + + +----------------------------------+\n | | CVE-2019-6111 | | | | openssh: Improper validation |\n | | | | | | of object names allows |\n | | | | | | malicious server to overwrite |\n | | | | | | files... 
|\n + +------------------+----------+ + +----------------------------------+\n | | CVE-2018-20685 | LOW | | | openssh: scp client improper |\n | | | | | | directory name validation |\n +---------+------------------+----------+-------------------+---------------+----------------------------------+\n | sqlite | CVE-2018-20346 | MEDIUM | 3.21.0-r1 | 3.25.3-r0 | CVE-2018-20505 CVE-2018-20506 |\n | | | | | | sqlite: Multiple flaws in |\n | | | | | | sqlite which can be triggered |\n | | | | | | via... |\n +---------+------------------+----------+-------------------+---------------+----------------------------------+\n | tar | CVE-2018-20482 | LOW | 1.29-r1 | 1.31-r0 | tar: Infinite read loop in |\n | | | | | | sparse_dump_region function in |\n | | | | | | sparse.c |\n +---------+------------------+----------+-------------------+---------------+----------------------------------+\n\n \n** Skip update of vulnerability DB ** \n` Trivy ` always updates its vulnerability database when it starts operating. This is usually fast, as it is a difference update. But if you want to skip even that, use the ` --skip-update ` option. 
\n\n \n \n $ trivy --skip-update python:3.4-alpine3.9\n\n \n \nResult \n\n \n \n 2019-05-16T12:48:08.703+0900 INFO Detecting Alpine vulnerabilities...\n \n python:3.4-alpine3.9 (alpine 3.9.2)\n ===================================\n Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)\n \n +---------+------------------+----------+-------------------+---------------+--------------------------------+\n | LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |\n +---------+------------------+----------+-------------------+---------------+--------------------------------+\n | openssl | CVE-2019-1543 | MEDIUM | 1.1.1a-r1 | 1.1.1b-r1 | openssl: ChaCha20-Poly1305 |\n | | | | | | with long nonces |\n +---------+------------------+----------+-------------------+---------------+--------------------------------+\n\n \n \n** Update only specified distributions ** \nBy default, ` Trivy ` always updates its vulnerability database for all distributions. Use the ` --only-update ` option if you want to name specified distributions to update. 
\n\n \n \n $ trivy --only-update alpine,debian python:3.4-alpine3.9\n $ trivy --only-update alpine python:3.4-alpine3.9\n\n \n \nResult \n\n \n \n 2019-05-21T19:37:06.301+0900 INFO Updating vulnerability database...\n 2019-05-21T19:37:07.793+0900 INFO Updating alpine data...\n 2019-05-21T19:37:08.127+0900 INFO Detecting Alpine vulnerabilities...\n \n python:3.4-alpine3.9 (alpine 3.9.2)\n ===================================\n Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)\n \n +---------+------------------+----------+-------------------+---------------+--------------------------------+\n | LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |\n +---------+------------------+----------+-------------------+---------------+--------------------------------+\n | openssl | CVE-2019-1543 | MEDIUM | 1.1.1a-r1 | 1.1.1b-r1 | openssl: ChaCha20-Poly1305 |\n | | | | | | with long nonces |\n +---------+----------------- -+----------+-------------------+---------------+--------------------------------+\n\n \n \n** Ignore unfixed vulnerabilities ** \nBy default, ` Trivy ` also detects unpatched/unfixed vulnerabilities. This means you can't fix these vulnerabilities even if you update all packages. If you would like to ignore them, use the ` --ignore-unfixed ` option. 
\n\n \n \n $ trivy --ignore-unfixed ruby:2.3.0\n\n \n \nResult \n\n \n \n 2019-05-16T12:49:52.656+0900 INFO Updating vulnerability database...\n 2019-05-16T12:50:14.786+0900 INFO Detecting Debian vulnerabilities...\n \n ruby:2.3.0 (debian 8.4)\n =======================\n Total: 4730 (UNKNOWN: 1, LOW: 145, MEDIUM: 3487, HIGH: 1014, CRITICAL: 83)\n \n +------------------------------+------------------+----------+----------------------------+----------------------------------+-----------------------------------------------------+\n | LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |\n +------------------------------+------------------+----------+----------------------------+----------------------------------+-----------------------------------------------------+\n | apt | CVE-2019-3462 | CRITICAL | 1.0.9.8.3 | 1.0.9.8.5 | Incorrect sanitation of the |\n | | | | | | 302 redirect field in HTTP |\n | | | | | | transport method of... |\n + +------------------+----------+ +----------------------------------+-----------------------------------------------------+\n | | CVE-2016-1252 | MEDIUM | | 1.0.9.8.4 | The apt package in Debian |\n | | | | | | jessie before 1.0.9.8.4, in |\n | | | | | | Debian unstable before... 
|\n +------------------------------+------------------+----------+----------------------------+----------------------------------+-----------------------------------------------------+\n | bash | CVE-2019-9924 | HIGH | 4.3-11 | 4.3-11+deb8u2 | bash: BASH_CMD is writable in |\n | | | | | | restricted bash shells |\n + +------------------+ + +----------------------------------+-----------------------------------------------------+\n | | CVE-2016-7543 | | | 4.3-11+deb8u1 | bash: Specially crafted |\n | | | | | | SHELLOPTS+PS4 variables allows |\n | | | | | | command substitution |\n + +------------------+----------+ + +-----------------------------------------------------+\n | | CVE-2016-0634 | MEDIUM | | | bash: Arbitrary code execution |\n | | | | | | via malicious hostname |\n + +------------------+----------+ +----------------------------------+-----------------------------------------------------+\n | | CVE-2016-9401 | LOW | | 4.3-11+deb8u2 | bash: popd controlled free |\n +------------------------------+------------------+----------+----------------------------+----------------------------------+-----------------------------------------------------+\n ...\n\n \n \n** Specify exit code ** \nBy default, ` Trivy ` exits with code 0 even when vulnerabilities are detected. Use the ` --exit-code ` option if you want to exit with a non-zero exit code. 
\n\n \n \n $ trivy --exit-code 1 python:3.4-alpine3.9\n\n \n \nResult \n\n \n \n 2019-05-16T12:51:43.500+0900 INFO Updating vulnerability database...\n 2019-05-16T12:52:00.387+0900 INFO Detecting Alpine vulnerabilities...\n \n python:3.4-alpine3.9 (alpine 3.9.2)\n ===================================\n Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)\n \n +---------+------------------+----------+-------------------+---------------+--------------------------------+\n | LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |\n +---------+------------------+----------+-------------------+---------------+--------------------------------+\n | openssl | CVE-2019-1543 | MEDIUM | 1.1.1a-r1 | 1.1.1b-r1 | openssl: ChaCha20-Poly1305 |\n | | | | | | with long nonces |\n +---------+------------------+----------+-------------------+---------------+------------------- -------------+\n\n \n \nThis option is useful for CI/CD. In the following example, the test will fail only when a critical vulnerability is found. \n\n \n \n $ trivy --exit-code 0 --severity MEDIUM,HIGH ruby:2.3.0\n $ trivy --exit-code 1 --severity CRITICAL ruby:2.3.0\n\n \n** Ignore the specified vulnerabilities ** \nUse ` .trivyignore ` . \n\n \n \n $ cat .trivyignore\n # Accept the risk\n CVE-2018-14618\n \n # No impact in our settings\n CVE-2019-1543\n \n $ trivy python:3.4-alpine3.9\n\n \n \nResult \n\n \n \n 2019-05-16T12:53:10.076+0900 INFO Updating vulnerability database...\n 2019-05-16T12:53:28.134+0900 INFO Detecting Alpine vulnerabilities...\n \n python:3.4-alpine3.9 (alpine 3.9.2)\n ===================================\n Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)\n \n\n \n \n** Specify cache directory ** \n\n \n \n $ trivy --cache-dir /tmp/trivy/ python:3.4-alpine3.9\n\n \n** Clear image caches ** \nThe ` --clear-cache ` option removes image caches. 
This option is useful if the image which has the same tag is updated (such as when using ` latest ` tag). \n\n \n \n $ trivy --clear-cache python:3.7\n\n \n \nResult \n\n \n \n 2019-05-16T12:55:24.749+0900 INFO Removing image caches...\n 2019-05-16T12:55:24.769+0900 INFO Updating vulnerability database...\n 2019-05-16T12:56:14.055+0900 INFO Detecting Debian vulnerabilities...\n \n python:3.7 (debian 9.9)\n =======================\n Total: 3076 (UNKNOWN: 0, LOW: 127, MEDIUM: 2358, HIGH: 578, CRITICAL: 13)\n \n +------------------------------+---------------------+----------+--------------------------+------------------+-------------------------------------------------------+\n | LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |\n +------------------------------+---------------------+----------+--------------------------+------------------+-------------------------------------------------------+\n | apt | CVE-2011-3374 | LOW | 1.4.9 | | |\n +------------------------------+---------------------+ +--------------------------+------------------+-------------------------------------------------------+\n | bash | TEMP-0841856-B18BAF | | 4.4-5 | | |\n +------------------------------+---------------------+----------+--------------------------+------------------+-------------------------------------------------------+\n ...\n\n \n \n** Reset ** \nThe ` --reset ` option removes all caches and database. After this, it takes a long time as the vulnerability database needs to be rebuilt locally. \n\n \n \n $ trivy --reset\n\n \n \nResult \n\n \n \n 2019-05-16T13:05:31.935+0900 INFO Resetting...\n\n \n \n** Continuous Integration (CI) ** \nScan your image built in Travis CI/CircleCI. The test will fail if a vulnerability is found. When you don't want to fail the test, specify ` --exit-code 0 ` . \n** Note ** : It will take a while for the first time (faster by cache after the second time). 
\n \n** Travis CI ** \n\n \n \n $ cat .travis.yml\n services:\n - docker\n \n env:\n global:\n - COMMIT=${TRAVIS_COMMIT::8}\n \n before_install:\n - docker build -t trivy-ci-test:${COMMIT} .\n - export VERSION=$(curl --silent \"https://api.github.com/repos/aquasecurity/trivy/releases/latest\" | grep '\"tag_name\":' | sed -E 's/.*\"v([^\"]+)\".*/\\1/')\n - wget https://github.com/aquasecurity/trivy/releases/download/v${VERSION}/trivy_${VERSION}_Linux-64bit.tar.gz\n - tar zxvf trivy_${VERSION}_Linux-64bit.tar.gz\n script:\n - ./trivy --exit-code 0 --severity HIGH --no-progress --auto-refresh trivy-ci-test:${COMMIT}\n - ./trivy --exit-code 1 --severity CRITICAL --no-progress --auto-refresh trivy-ci-test:${COMMIT}\n cache:\n directories:\n - $HOME/.cache/trivy\n\nExample: [ https://travis-ci.org/aquasecurity/trivy-ci-test ](<https://travis-ci.org/aquasecurity/trivy-ci-test> \"https://travis-ci.org/aquasecurity/trivy-ci-test\" ) \nRepository: [ https://github.com/aquasecurity/trivy-ci-test ](<https://github.com/aquasecurity/trivy-ci-test> \"https://github.com/aquasecurity/trivy-ci-test\" ) \n \n** CircleCI ** \n\n \n \n $ cat .circleci/config.yml\n jobs:\n build:\n docker:\n - image: docker:18.09-git\n steps:\n - checkout\n - setup_remote_docker\n - restore_cache:\n key: vulnerability-db\n - run:\n name: Build image\n command: docker build -t trivy-ci-test:${CIRCLE_SHA1} .\n - run:\n name: Install trivy\n command: |\n apk add --update curl\n VERSION=$(\n curl --silent \"https://api.github.com/repos/aquasecurity/trivy/releases/latest\" | \\\n grep '\"tag_name\":' | \\\n sed -E 's/.*\"v([^\"]+)\".*/\\1/'\n )\n \n wget https://github.com/aquasecurity/trivy/releases/download/v${VERSION}/trivy_${VERSION}_Linux-64bit.tar.gz\n tar zxvf trivy_${VERSION}_Linux-64bit.tar.gz\n mv trivy /usr/local/bin\n - run:\n name: Scan the local image with trivy\n command: trivy --exit-code 0 --no-progress --auto-refresh trivy-ci-test:${CIRCLE_SHA1}\n - save_cache:\n key: vulnerability-db\n 
paths:\n - $HOME/.cache/trivy\n workflows:\n version: 2\n release:\n jobs:\n - build\n\nExample: [ https://circleci.com/gh/aquasecurity/trivy-ci-test ](<https://circleci.com/gh/aquasecurity/trivy-ci-test> \"https://circleci.com/gh/aquasecurity/trivy-ci-test\" ) \nRepository: [ https://github.com/aquasecurity/trivy-ci-test ](<https://github.com/aquasecurity/trivy-ci-test> \"https://github.com/aquasecurity/trivy-ci-test\" ) \n \n** Authorization for Private Docker Registry ** \nTrivy can download images from a private registry without installing ` Docker ` or any 3rd party tools, which makes it easy to run in a CI process. \nAll you have to do is install ` Trivy ` and set ENV vars. However, I can't recommend setting these credential ENV vars on your local machine. \n \n** Docker Hub ** \nDocker Hub needs ` TRIVY_AUTH_URL ` , ` TRIVY_USERNAME ` and ` TRIVY_PASSWORD ` . You don't need to set ENV vars when downloading from a public repository. \n\n \n \n export TRIVY_AUTH_URL=https://registry.hub.docker.com\n export TRIVY_USERNAME={DOCKERHUB_USERNAME}\n export TRIVY_PASSWORD={DOCKERHUB_PASSWORD}\n\n \n** Amazon ECR (Elastic Container Registry) ** \nTrivy uses the AWS SDK. You don't need to install the ` aws ` CLI tool. You can use [ AWS CLI's ENV Vars ](<https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-envvars.html> \"AWS CLI's ENV Vars\" ) . \n \n** GCR (Google Container Registry) ** \nTrivy uses the Google Cloud SDK. You don't need to install the ` gcloud ` command. \nIf you want to use the target project's repository, you can configure it via ` GOOGLE_APPLICATION_CREDENTIALS ` . \n\n \n \n # must set TRIVY_USERNAME to an empty string\n export GOOGLE_APPLICATION_CREDENTIALS=/path/to/credential.json\n\n \n** Self Hosted Registry (BasicAuth) ** \nA BasicAuth server needs ` TRIVY_USERNAME ` and ` TRIVY_PASSWORD ` . 
\n\n \n \n export TRIVY_USERNAME={USERNAME}\n export TRIVY_PASSWORD={PASSWORD}\n \n # if you want to use port 80 (plain HTTP), use NonSSL\n export TRIVY_NON_SSL=true\n\n \n** Vulnerability Detection ** \n \n** OS Packages ** \nUnfixed/unfixable vulnerabilities are those for which the distribution has not yet provided a patch. \nOS | Supported Versions | Target Packages | Detection of unfixed vulnerabilities \n---|---|---|--- \nAlpine Linux | 2.2 - 2.7, 3.0 - 3.10 | Installed by apk | NO \nRed Hat Universal Base Image | 7, 8 | Installed by yum/rpm | YES \nRed Hat Enterprise Linux | 6, 7, 8 | Installed by yum/rpm | YES \nCentOS | 6, 7 | Installed by yum/rpm | YES \nDebian GNU/Linux | wheezy, jessie, stretch, buster | Installed by apt/apt-get/dpkg | YES \nUbuntu | 12.04, 14.04, 16.04, 18.04, 18.10, 19.04 | Installed by apt/apt-get/dpkg | YES \nRHEL and CentOS package information is stored in a binary format, and Trivy uses the ` rpm ` executable to parse this information when scanning an image based on RHEL or CentOS. The Trivy container image includes ` rpm ` , and the installers include it as a dependency. If you installed the ` trivy ` binary using ` wget ` or ` curl ` , or if you built it from source, you will also need to ensure that ` rpm ` is available. \n \n** Application Dependencies ** \n` Trivy ` automatically detects the following files in the container and scans for vulnerabilities in the application dependencies. \n\n\n * Gemfile.lock \n * Pipfile.lock \n * poetry.lock \n * composer.lock \n * package-lock.json \n * yarn.lock \n * Cargo.lock \nThe path of these files does not matter. 
\nExample: [ https://github.com/aquasecurity/trivy-ci-test/blob/master/Dockerfile ](<https://github.com/aquasecurity/trivy-ci-test/blob/master/Dockerfile> \"https://github.com/aquasecurity/trivy-ci-test/blob/master/Dockerfile\" ) \n \n** Data source ** \n\n\n * PHP \n * [ https://github.com/FriendsOfPHP/security-advisories ](<https://github.com/FriendsOfPHP/security-advisories> \"https://github.com/FriendsOfPHP/security-advisories\" )\n * Python \n * [ https://github.com/pyupio/safety-db ](<https://github.com/pyupio/safety-db> \"https://github.com/pyupio/safety-db\" )\n * Ruby \n * [ https://github.com/rubysec/ruby-advisory-db ](<https://github.com/rubysec/ruby-advisory-db> \"https://github.com/rubysec/ruby-advisory-db\" )\n * Node.js \n * [ https://github.com/nodejs/security-wg ](<https://github.com/nodejs/security-wg> \"https://github.com/nodejs/security-wg\" )\n * Rust \n * [ https://github.com/RustSec/advisory-db ](<https://github.com/RustSec/advisory-db> \"https://github.com/RustSec/advisory-db\" )\n \n** Usage ** \n\n \n \n NAME:\n trivy - A simple and comprehensive vulnerability scanner for containers\n USAGE:\n trivy [options] image_name\n VERSION:\n 0.1.6\n OPTIONS:\n --format value, -f value format (table, json) (default: \"table\")\n --input value, -i value input file path instead of image name\n --severity value, -s value severities of vulnerabilities to be displayed (comma separated) (default: \"UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL\")\n --output value, -o value output file name\n --exit-code value Exit code when vulnerabilities were found (default: 0)\n --skip-update skip db update\n --only-update value update db only specified distribution (comma separated)\n --reset remove all caches and database\n --clear-cache, -c clear image caches\n --quiet, -q suppress progress bar and log output\n --no-progress suppress progress bar\n --ignore-unfixed display only fixed vulnerabilities\n --refresh refresh DB (usually used after version update of trivy)\n 
--auto-refresh refresh DB automatically when updating version of trivy\n --debug, -d debug mode\n --vuln-type value comma-separated list of vulnerability types (os,library) (default: \"os,library\")\n --cache-dir value cache directory (default: \"/path/to/cache\")\n --help, -h show help\n --version, -v print the version\n\n \n \n** Migration ** \nOn 19 August 2019, Trivy's repositories moved from ` knqyf263/trivy ` to ` aquasecurity/trivy ` . If you previously installed Trivy you should update any scripts or package manager records as described in this section. \n \n** Overview ** \nIf you have a script that installs Trivy (for example into your CI pipelines) you should update it to obtain it from the new location by replacing knqyf263/trivy with aquasecurity/trivy. \nFor example: \n\n \n \n # Before\n $ wget https://github.com/knqyf263/trivy/releases/download/v${VERSION}/trivy_${VERSION}_Linux-64bit.tar.gz\n \n # After\n $ wget https://github.com/aquasecurity/trivy/releases/download/v${VERSION}/trivy_${VERSION}_Linux-64bit.tar.gz\n\n \n** CentOS/RedHat ** \nUse [ https://aquasecurity.github.io ](<https://aquasecurity.github.io/> \"https://aquasecurity.github.io\" ) instead of [ https://knqyf263.github.io ](<https://knqyf263.github.io/> \"https://knqyf263.github.io\" ) . \n\n \n \n $ yum remove trivy\n $ sed -i s/knqyf263/aquasecurity/g /etc/yum.repos.d/trivy.repo\n $ yum update\n $ yum install trivy\n\n \n** Debian/Ubuntu ** \nUse [ https://aquasecurity.github.io ](<https://aquasecurity.github.io/> \"https://aquasecurity.github.io\" ) instead of [ https://knqyf263.github.io ](<https://knqyf263.github.io/> \"https://knqyf263.github.io\" ) . 
\n\n \n \n $ apt-get remove --purge trivy\n $ sed -i s/knqyf263/aquasecurity/g /etc/apt/sources.list.d/trivy.list\n $ apt-get update\n $ apt-get install trivy\n\n \n** Homebrew ** \nTap aquasecurity/trivy \n\n \n \n $ brew uninstall --force trivy\n $ brew untap knqyf263/trivy\n $ brew install aquasecurity/trivy/trivy\n\n \n** Binary (Including Windows) ** \nNo need to fix. \n \n** Others ** \n \n** Detected version update of trivy. Please try again with --refresh option ** \nTry again with ` --refresh ` option: \n\n \n \n $ trivy --refresh alpine:3.9\n\n \n** Unknown error ** \nTry again with ` --reset ` option: \n\n \n \n $ trivy --reset\n\n \n** Credits ** \n\n\n * Special thanks to [ Tomoya Amachi ](<https://github.com/tomoyamachi> \"Tomoya Amachi\" )\n * Special thanks to [ Masahiro Fujimura ](<https://github.com/masahiro331> \"Masahiro Fujimura\" )\n * Special thanks to [ Naoki Harima ](<https://github.com/XapiMa> \"Naoki Harima\" )\n \n** Author ** \nTeppei Fukuda (knqyf263) \n \n \n\n\n** [ Download Trivy ](<https://github.com/aquasecurity/trivy> \"Download Trivy\" ) **\n", "edition": 212, "modified": "2019-11-05T12:00:00", "published": "2019-11-05T12:00:00", "id": "KITPLOIT:7323577050718865961", "href": "http://www.kitploit.com/2019/11/trivy-simple-and-comprehensive.html", "title": "Trivy - A Simple And Comprehensive Vulnerability Scanner For Containers, Suitable For CI", "type": "kitploit", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}