I’ve gladly been pointed to a very bad security issue.
Very short summary of the bug:
(my own words) During apt-get upgrades, signature verification can be
tricked, resulting in arbitrary package installation and system
compromise.
Sources:
- https://security-tracker.debian.org/tracker/CVE-2016-1252
- https://www.debian.org/security/2016/dsa-3733
- https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1647467
- https://lists.debian.org/debian-security-announce/2016/msg00316.html
(Specifically dangerous when upgrading over Tor. Slightly less
dangerous when upgrading over onion mirrors [boils down to trust, i.e.
IF the onion mirror is not compromised by that time].)
The following bug report is for Qubes Debian, Whonix and Ubuntu templates, however it equally applies to Non-Qubes-Whonix. It’s a bug in Debian’s apt-get so all distributions are equally affected.
I guess Marek (Qubes lead developer) will soon reply to it. That will be great as confirmation of whether I am exaggerating this or whether it is as serious as I think. However, I am quite certain this is a serious security issue.
TODO:
- A Whonix.org blog post to recommend holding off on upgrading VMs until/if a workaround has been figured out?
- Figure out a workaround to upgrade without getting compromised.
- Release Whonix 13.0.0.1.2 downloadable VM images - probably no changes besides building the images with upgraded packages from Debian.