CVE-2019-3462 Remote Code Execution in apt

A vulnerability was discovered in apt.

For full information on the vulnerability itself, please utilize the following resources:

https://justi.cz/security/2019/01/22/apt-rce.html
https://usn.ubuntu.com/3863-1/
https://lists.debian.org/debian-security-announce/2019/msg00010.html

We have made a change to our convenience images to always pull the latest version of apt to directly address this vulnerability. At the time of writing this, the upstream images from which we base our convenience images have not yet pulled in the patched version of apt.

PR: https://github.com/circleci/circleci-images/pull/328/files
Workflow: https://circleci.com/workflow-run/e92ac122-6773-4492-b695-d49778731695

In addition to our convenience images we are pushing an update to our machine executor to update apt there, as well.

Thank you for your patience while we roll out the fixes across all our images and VMs.

EDIT: All our convenience images have finished publishing and our machine executor will have the latest version of apt when your job begins. Thank you again for your patience while we deployed the patches.

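For anyone maintaining their own Debian or Ubuntu based images rather than waiting on an upstream rebuild, the following is an added example of the image-layer fix (it is not the contents of the CircleCI PR linked above, and the base image tag is an assumption for illustration). The important caveat comes from the linked Debian and Ubuntu advisories: the vulnerable component is apt's own HTTP fetcher, so the very `apt update`/`install` that pulls in the fixed package must be run with redirect following disabled, otherwise the update itself could be exploited by a malicious mirror or an on-path attacker.

```dockerfile
# Added example, not the CircleCI project's own Dockerfile.
# Base image tag is an assumption for illustration.
FROM debian:stretch

# Patch apt against CVE-2019-3462.
# -o Acquire::http::AllowRedirect=false disables HTTP redirect handling only
# for these two invocations, which is the workaround recommended in
# DSA-4371 / USN-3863-1 for fetching the fixed apt with a still-vulnerable apt.
# Passing it with -o rather than writing it to /etc/apt/apt.conf.d keeps
# redirects enabled for normal operation once the fixed apt is installed.
RUN apt-get -o Acquire::http::AllowRedirect=false update \
 && apt-get -o Acquire::http::AllowRedirect=false install -y --no-install-recommends apt \
 && rm -rf /var/lib/apt/lists/*

# Record the installed apt version in the build log so it can be compared
# against the fixed version listed in the advisory for this release.
RUN dpkg-query -W -f='apt ${Version}\n' apt
```

Place this layer as early as possible so that every later `apt-get` call in the image, and every `apt-get` a job runs inside it, already uses the patched binary. If a base image later ships the fix, the layer becomes a harmless no-op install of an already-current package.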