On 12/14/2016 09:06 AM, Georgi Guninski wrote:

Debian/Ubuntu security apt phun

https://www.ubuntu.com/usn/usn-3156-1/
13th December, 2016
An attacker could trick APT into installing altered packages. 

https://www.debian.org/security/2016/dsa-3733
can take advantage of this flaw to circumvent the signature of the InRelease file, leading to arbitrary code execution.

Likely besides the nsa, others enjoyed this too (have seen multi user 
debian mirror with world writable stuff at /etc)

And how do you update apt if it is broken? ;)

Download the .deb package and install. Assuming ofc apt IS installable from a .deb file...IDK.

Rr