I’ve been gladly pointed to a very bad security issue.
Very short summary of the bug:
(my own words) During apt-get upgrading, signature verification can be
tricked, resulting in arbitrary package installation, system
(Specifically dangerous when upgrading over Tor. Slightly less
dangerous when upgrading over onion mirrors [boils down to trust, i.e.
IF the onion mirror is not compromised by that time].)
The following bug report is for Qubes Debian, Whonix and Ubuntu templates; however, it equally applies to Non-Qubes-Whonix. It’s a bug in Debian’s apt-get, so all distributions are equally affected.
I guess Marek (Qubes lead developer) will soon reply to it. That will be great as confirmation of whether I am exaggerating this or whether it is as serious as I think. However, I am quite certain this is a serious security issue.
- A Whonix.org blog post to recommend holding off on upgrading VMs until/if a workaround has been figured out?
- Figure out a workaround to upgrade without getting compromised.
- Release Whonix 220.127.116.11.2 downloadable VM images - probably no changes besides building the images with upgraded packages from Debian.