[HOME] [DOWNLOAD] [DOCS] [NEWS] [SUPPORT] [TIPS] [ISSUES] [Priority Support]

special instructions required to securely update because of apt security update [DSA 4371-1]

important-news

#1

Follow these instructions:
https://www.whonix.org/wiki/Operating_System_Software_and_Updates#apt_security_update_-_DSA_4371-1

Not required for Whonix 14.0.1.3.8 (currently testers-only version) or above.


Whonix VirtualBox 14.0.1.3.8 - Point Release
Qubes-Whonix 14 (4.0.1-201901231238) TemplateVMs Point Release for Qubes R4
Qubes-Whonix 14 (4.0.1-201901231238) TemplateVMs Point Release for Qubes R4 -- Testers Wanted!
[FIXED] Building Whonix from source code is NOT safe at the moment due to APT vulnerability DSA 4371-1
Whonix VirtualBox 14.0.1.3.8 - Point Release - Testers Wanted!
#2

Sorry guys but I’m a bit confused by this.
Before I saw this announcement, earlier today, I upgraded my qubes whonix templates.
Now I run dpkg -l | grep “commandline package manager”. and get reply: ii apt 1.4.9 amd64 commandline package manager.
Does this mean all is well? OR do I need to do something?


#3

Naive question: how do we mere mortal end users check that our Whonix installs weren’t already rooted by NSA using this apt vulnerability?


#4

Means you probably made the upgrade without the special instructions and the system might have been compromised during the upgrade.

If you want have higher certainty you’d have to apply disaster recovery steps but we don’t have that documented yet.

Document recovery procedure after compromise

You don’t.

https://www.whonix.org/wiki/FAQ#Does_Whonix_.2F_Tor_Provide_Protection_from_Advanced_Adversaries.3F


#5

proposal for package manager update security on/off switch to be prepared for the next APT security vulnerablity:
https://groups.google.com/forum/#!msg/qubes-devel/030ikOTKsgo/aobQPdYXFgAJ


#7

hello.
During this apt related instruction,is it ok to select N?

Configuration file ‘/etc/apt/sources.list.d/debian.list’
==> Package distributor has shipped an updated version.
What would you like to do about it ? Your options are:
Y or I : install the package maintainer’s version
N or O : keep your currently-installed version
D : show the differences between the versions
Z : start a shell to examine the situation
The default action is to keep your current version.
*** debian.list (Y/I/N/O/D/Z) [default=N] ?


#8

File provided by Whonix.

https://github.com/Whonix/anon-apt-sources-list/blob/master/etc/apt/sources.list.d/debian.list

Installation is safe. Installation will revert user modification of /etc/apt/sources.list.d/debian.list. These could be re-applied.

Related to:

See also: