
Deprecated/CVE-2016-1252



Debian amd64 / Qubes Debian templates / Qubes-Whonix

If your apt version is 1.0.9.8.3 or lower, you should upgrade using the following method. If you are already using apt version 1.0.9.8.4 or higher, you can just do a regular upgrade.

Find out your current apt version.

dpkg-query --show apt

Should show something like this.

apt 1.0.9.8.3

Create a temporary folder.

mkdir ~/temp-apt-bug

Change directory into the temporary folder.

cd ~/temp-apt-bug

Update your package lists.

sudo apt-get update

Download apt.

apt-get download apt apt-transport-https apt-utils libapt-inst1.5 libapt-pkg4.12

You should see something like this.

Get:1 http://security.debian.org/ jessie/updates/main apt amd64 1.0.9.8.4

It's important that the version number is 1.0.9.8.4 or higher. (However, a higher version number will cause the following checksum comparison to fail. In that case this page needs to be updated.)

Find out the sha256 checksums of the packages you just downloaded.

sha256sum *.deb

Should show.

f40e51afbbcf2b1e23442c4c3df064a02ddc27bdfbfb155839577dcb1dedb74a  apt_1.0.9.8.4_amd64.deb
c665c08b8804a557fe7b5616745e3d91831df1ebbf0317bb2bba977d208ac17d  apt-transport-https_1.0.9.8.4_amd64.deb
08c1d6dfb12762ce9e4e22309fef587505fb12eeef63764effae2f4821f97536  apt-utils_1.0.9.8.4_amd64.deb
b44e0b1016b10a4a1cb00f30e4fbe2ec3cc99b255047676d06ee97c0478877a0  libapt-inst1.5_1.0.9.8.4_amd64.deb
539eb5867dcb86a67b8ca82d61ce0e0d8c07e2d95f5ce3ceb7fd3ef981fe54e5  libapt-pkg4.12_1.0.9.8.4_amd64.deb

Check that these checksums match. Note that they could only be verified using https, not gpg.

Install the manually verified packages.

sudo dpkg -i *.deb

After that you should proceed with a system upgrade as usual.

If you wish you can delete the temporary folder ~/temp-apt-bug.



Debian i386 / Non-Qubes-Whonix

If your apt version is 1.0.9.8.3 or lower, you should upgrade using the following method. If you are already using apt version 1.0.9.8.4 or higher, you can just do a regular upgrade.

Find out your current apt version.

dpkg-query --show apt

Should show something like this.

apt 1.0.9.8.3

Create a temporary folder.

mkdir ~/temp-apt-bug

Change directory into the temporary folder.

cd ~/temp-apt-bug

Update your package lists.

sudo apt-get update

Download apt.

apt-get download apt apt-transport-https apt-utils libapt-inst1.5 libapt-pkg4.12

You should see something like this.

Get:1 http://security.debian.org/ jessie/updates/main apt i386 1.0.9.8.4

It's important that the version number is 1.0.9.8.4 or higher. (However, a higher version number will cause the following checksum comparison to fail. In that case this page needs to be updated.)

Find out the sha256 checksums of the packages you just downloaded.

sha256sum *.deb

Should show.

31305b54003fd5f66db43b91f571821ebd82085cda76e10a9ea6b8f50372eeda  apt_1.0.9.8.4_i386.deb
2b0eba0a79bc23b546838f1dd8094ca656fc3512b202f58579c2d499209f4920  apt-transport-https_1.0.9.8.4_i386.deb
dee84ddde453a3c5ec950c5160b050e4de1ae07901b8792d4f59ab4b45cc8a2d  apt-utils_1.0.9.8.4_i386.deb
c494df2adaef819822e0bdd193f9b247a6fda56f5ba9ff3cd901791a4ffe9692  libapt-inst1.5_1.0.9.8.4_i386.deb
bb80257da752fb5a7f1dd25a14c43c0f17fd0cbbbc9bf5acdea66dc7377a06b2  libapt-pkg4.12_1.0.9.8.4_i386.deb

Check that these checksums match. Note that they could only be verified using https, not gpg.

Install the manually verified packages.

sudo dpkg -i *.deb

After that you should proceed with a system upgrade as usual.

If you wish you can delete the temporary folder ~/temp-apt-bug.
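
The checksum comparison and install steps in both sections above (amd64 and i386) can be scripted so that dpkg only runs when the folder holds exactly the listed packages. This is an added example, not part of the original instructions; the function names verify_debs and demo and the list file name expected.sha256 are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page).
# verify_debs DIR LIST
#   DIR  = folder holding the downloaded packages (~/temp-apt-bug on this page)
#   LIST = file with the expected "sha256  filename" lines for your
#          architecture, copied from this page (the file name is up to you)
# Returns 0 only if every listed file is present with the listed hash AND
# every *.deb in DIR is listed.
verify_debs() {
    dir=$1
    pinned=$(cat "$2") || return 2
    (
        cd "$dir" || exit 2
        # Pass 1: each pinned file must exist and hash to the pinned value.
        printf '%s\n' "$pinned" | while read -r want name; do
            [ -n "$want" ] || continue
            name=${name#\*}                      # binary-mode marker, if any
            [ -f "$name" ] || { echo "missing: $name" >&2; exit 1; }
            got=$(sha256sum "./$name") || exit 1
            [ "${got%% *}" = "$want" ] || { echo "mismatch: $name" >&2; exit 1; }
        done || exit 1
        # Pass 2: "dpkg -i *.deb" installs whatever the glob matches, so any
        # .deb that is not in the pinned list is an error.
        for f in *.deb; do
            printf '%s\n' "$pinned" |
                awk -v n="$f" '{ sub(/^\*/, "", $2) } $2 == n { ok = 1 } END { exit !ok }' ||
                { echo "not in list: $f" >&2; exit 1; }
        done
    )
}

# Constructed demo with placeholder files (not real packages): returns 0 when
# a matching folder is accepted and an unlisted extra .deb is rejected.
demo() {
    d=$(mktemp -d) || return 2
    printf 'constructed package body\n' > "$d/sample_1.0_all.deb"
    (cd "$d" && sha256sum sample_1.0_all.deb) > "$d/pinned.sha256"
    verify_debs "$d" "$d/pinned.sha256" || { rm -rf "$d"; return 1; }
    printf 'unlisted\n' > "$d/extra_1.0_all.deb"
    if verify_debs "$d" "$d/pinned.sha256" 2>/dev/null; then rc=1; else rc=0; fi
    rm -rf "$d"
    return $rc
}

# Usage: verify_debs ~/temp-apt-bug expected.sha256 && sudo dpkg -i ~/temp-apt-bug/*.deb
```

Keep the list file outside the glob (any name not ending in .deb works), and note that it carries the same trust as this page: the reference checksums were checked over https only.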
