https://linux.slashdot.org/story/19/01/26/0350252/do-debian-apt-and-php-pear-patches-highlight-vulnerability-in-package-management-infrastructure

“Time and again, security experts and vendors alike will recommend to organizations and end users to keep software and systems updated with the latest patches,” reports eWeek. “But what happens when the application infrastructure that is supposed to deliver those patches itself is at risk?”
That’s what open-source and Linux users were faced with this past week with a pair of projects reporting vulnerabilities. On January 22, the Debian Linux distribution reported a vulnerability in its APT package manager that is used by end users and organizations to get application updates. That disclosure was followed a day later, on January 23, with the PHP PEAR (PHP Extension and Application Repository) shutting down its primary website, warning that it was the victim of a data breach. PHP PEAR is a package manager that is included with many Linux distributions as part of the open-source PHP programming language binaries….
In the Debian APT case, a security researcher found a flaw, reported it, and the open-source project community responded rapidly, fixing the issue. With the PHP PEAR issue, researchers with the Paranoids FIRE (Forensics, Incident Response and Engineering) Team reported that they discovered a tainted file on the primary PEAR website… Both PHP PEAR and Debian have issued updates fixing their respective issues. While both projects are undoubtedly redoubling their efforts now with different security technologies and techniques, the simple fact is that the two issues highlight a risk with users trusting updating tools and package management systems.