New chapter Vulnerabilities at Install Time in Advanced Security Guide



Latest stable releases sometimes contain vulnerable, remotely exploitable applications that are very likely to be used over untrusted networks that are in a position to run man-in-the-middle attacks.

A new chapter “Vulnerabilities at Install Time” has been added to the Advanced Security Guide that discusses this issue in detail.

Please help research and document sane and effective solutions.



Thanks to Jason Ayala for revising that chapter!


  • That bug looks ugly, almost as bad as Heartbleed for us. Please give me what commands I can use to build apt from source to mitigate [DSA 3031-1] apt security update

A terrible idea IMHO, now we are extending the trusted computing base to include more (apt components) on the gateway. Increasing any access to the workstation is a bad idea in general whether that access is configurable or not.

Sounds better on paper, but I doubt most inexperienced users would know how or go thru the process. It would be encouraging if there is an example tutorial to be written up for it and should be recommended only for critical packages. A whonix-news event concerning this would link to the tutorial and recommended that packages be downloaded some other way outside pt itself, using TBB for example.

Always Up to Date Builds
The best option and is what most major distros do. Testing is not that critical if all that is done is updating the concerned packages based on the last releasd stable build. Whonix-news would simply recommend to download the latest point release.

What are the critical packages?
(only ones on gateway)
-Tor and any related component that communicates with the network.
(the last two don’t apply if user disabled their components. whonix development is moving in the direction of hardening components that communicate with the network and using pinned websites)

Notifying Users:
-Use Whonix-News as a way to notify users if any of the critical packages have had a serious security hole discovered in them between the time they dowloaded and initial runtime. It should tell them to download an updated version of whonix immediately.


Testing is important. Otherwise something really bad could happen.

I for one won’t have time for this. If I am going to provide extra secure instructions for upgrading each time there is a critical vulnerability, I don’t get to work on anything else anymore. However, I am working on Whonix 9.1 maintenance release, that will include that fix, which will soon be released as testers-only, and after a short testing period as new stable.

I for one won't have time for this. If I am going to provide extra secure instructions for upgrading each time there is a critical vulnerability, I don't get to work on anything else anymore.

hopefully this isn’t a frequent thing. The last time this happened was in April. But fair enough. I will wait for 9.1. Does the fact that apt runs at all expose the gateway? or only when packages are downloaded?


I am not so sure. But even evaluating every CVE takes more time than available to me.

By the way, I am not saying don’t feel free to discuss the upgrading apt from source and stuff at the appropriate places. So if you ask “could someone do this”, this is more than fine. Just if you ask me directly, I must decline. It’s just a personal time constraint of mine. I also can’t follow up all the Qubes developments anymore. Whonix uses are growing. At some point it will be like one Debian maintainer to keep up with everything Debian does. Perhaps other places are suited for this (unix.stackexchange.com, many other Linux forums and mailing lists). Maybe a community around this builds up here some day. This “compile from source then” thing seems to be more in the sphere of arch linux or hardened gentoo though. You need a much bigger community of people knowing how to document this and having time to guide users through such complex processes. If I was to attempt to support this at this point, it would miserably fail.

The vulnerable apt-get version is vulnerable when it connect to outside targets. A simple, local “sudo apt-get -h” probably not.