On 12/14/2016 09:06 AM, Georgi Guninski wrote:

Debian/Ubuntu security apt phun

[1]https://www.ubuntu.com/usn/usn-3156-1/
13th December, 2016
An attacker could trick APT into installing altered packages.

[2]https://www.debian.org/security/2016/dsa-3733
can take advantage of this flaw to circumvent the signature of the InRelease fil
e, leading to arbitrary code execution.

Likely besides the nsa, others enjoyed this too (have seen multi user
debian mirror with world writable stuff at /etc)

And how do you update apt if it is broken? ;)

   Download the .deb package and install. Assuming ofc apt IS installable
   from a .deb file...IDK.
   Rr

References

   1. https://www.ubuntu.com/usn/usn-3156-1/
   2. https://www.debian.org/security/2016/dsa-3733