[Whonix-devel] not getting compromised while applying apt-get upgrade for CVE-2016-1252

Patrick Schleizer adrelanos at riseup.net
Tue Dec 20 00:26:00 CET 2016


What about Debian graphical installer security?

Isn't that, in the meantime, the ideal target for exploitation for targeted
attacks? Because it will take a while until the Debian point release
with fixed apt.

And during the GUI installer, the output of apt-get is not visible. And
stuff during the installer taking a long time is something users have been
trained to expect. So I don't think it would raise much suspicion. If
exploitation works, fine, if not, nothing was lost.

Also, the Debian GUI installer may be distinguishable over the network from
already installed systems? Because first it's using debootstrap (perhaps
with special options), then apt-get. The timing or something else could
make it distinguishable over the network.

Best regards,
Patrick


