CVE-2019-3462: Content injection in APT http method when using redirects
re. https://security-tracker.debian.org/tracker/CVE-2019-3462: Content injection in APT http method when using redirects:
< lamby> Do we need to do anything re. CVE-2019-3462?
[…]
< intrigeri> lamby: glad you're asking wrt. the APT vuln. I think there are 3 aspects:
< intrigeri> 1. Tails runtime: we're as good as we can be: we're only using Onion services in APT sources
< intrigeri> 2. build system: there's probably a time in the process where current basebox uses an outdated APT. could make sense to force a basebox refresh so debootstrap picks the right version straight from Stretch 9.7, without depending on a follow-up upgrade to fix it.
< intrigeri> 3. infra: groente is on it and bertagaz is on duty, I'll let them handle it :)
< intrigeri> => action item for (2): confirm we have a problem (looks like it, a build from yesterday started with 1.4.8 and then upgraded to 1.4.9); then file a ticket + prepare a PR that forces a basebox build from scratch. a dummy commit under vagrant/ would do. surely there's a typo to fix or a comment to add :)
< intrigeri> lamby: makes sense? do you want to take it
< lamby> intrigeri: sure
Feature Branch: lamby/bugfix/16386-force-basebox-regeneration
Related issues
- Blocks #15507 (closed)
Original created by @lamby on 16386 (Redmine)