Update: 2020-03

it is very very confusing.

on the one side the whole world is moving towards https

SecurityLab, [25.03.20 15:55]

“Mozilla implements an additional HTTPS Only mode in Firefox 76, in which the browser will only accept encrypted connections, and all unencrypted requests will be redirected to secure pages.” (https://www.securitylab.ru/news/506168.php)

on the other (web)side there is: https://whydoesaptnotusehttps.com/

which says:

“Why not provide HTTPS anyway?”

“Your distribution could cryptographically sign the files using the existing scheme and additionally serve the files over HTTPS to provide “defense in depth.”

However, providing a huge worldwide mirror network available over SSL is not only a complicated engineering task (requiring the secure exchange and storage of private keys), it implies a misleading level of security and privacy to end-users as described above.

A switch to HTTPS would also mean you could not take advantage of local proxy servers for speeding up access and would additionally prohibit many kinds of peer-to-peer mirroring where files are stored on servers not controlled directly by your distribution. This would disproportionately affect users in remote locales.”

“Ah, what about replay attacks?”

“One issue with a naïve signing mechanism is that it does not guarantee that you are seeing the most up-to-date version of the archive.

This can lead to a replay attack where an attacker substitutes an archive with an earlier—unmodified—version of the archive. This would prevent APT from noticing new security updates which they could then exploit.

To mitigate this problem, APT archives includes a timestamp after which all the files are considered stale4.”

“Where can I find out more?”

“More technical details may be found on the SecureAPT wiki page.”

src: https://whydoesaptnotusehttps.com/

the website itself supports https://debian.org

but the main apt repository for security updates: http://security.debian.org/debian-security (works 2020-03-25) is not available via https.

(try to click here: https://security.debian.org/debian-security, failed in 2019-03 and still fails in 2020-03)

Why oh why?


su - root; # become root
apt update; # update package definitions
apt install apt-transport-https; # install https support for apt
apt update; # update package definitions to produce error like this:
Err:1 https://security.debian.org/debian-security buster/updates InRelease                                        
  Could not connect to security.debian.org:443 (151.101.192.204). - connect (111: Connection refused) Could not connect to security.debian.org:443 (151.101.64.204). - connect (111: Connection refused) Could not connect to security.debian.org:443 (151.101.0.204). - connect (111: Connection refused) Could not connect to security.debian.org:443 (151.101.128.204). - connect (111: Connection refused)

other repos can do https:

https://ftp.halifax.rwth-aachen.de/debian/

works just fine.

the problem some say:

“Incorrect sanitation of the 302 redirect field in HTTP transport method of apt versions 1.4.8 and earlier can lead to content injection by a MITM attacker, potentially leading to remote code execution on the target machine.” (src: nvd.nist.gov)

as it could be possible with Xiaomi phones:

“Guard Provider gets its updates through an unsecured HTTP connection, he said. This means that if an attacker was on the same Wi-Fi network as a potential victim, the hacker could insert malware in those updates through a “man-in-the-middle attack.”

That’s when a rogue network is set up to look exactly like the one you’re connected to and tricks the victim’s device into connecting to the fake Wi-Fi.” (src)

“Since the vulnerability is present in the package manager itself, it is recommended to disable redirects in order to prevent exploitation during this upgrade only, using:”

apt -o Acquire::http::AllowRedirect=false update
apt -o Acquire::http::AllowRedirect=false upgrade

and then install:

apt install apt-transport-https

#then open up
vim /etc/apt/sources.list
# and change all http: to https:

:%s/http/https/g
# does the job
:wq
# now
apt update

….should fetch stuff via https if servers have it properly set up.

problems:

as one can see, https://security-cdn.debian.org/debian-security/

does not work.

http://security-cdn.debian.org/debian-security/

does.

so the debian mirrors are not properly configured to use SSL/TLS, for whatever reason.

again RWTH Aachen does a magnificent job:

deb https://ftp.halifax.rwth-aachen.de/debian/ stretch main non-free contrib
deb-src https://ftp.halifax.rwth-aachen.de/debian/ stretch main non-free contrib

the apt via http/https debate

“By default, Debian and Ubuntu both use plain http repositories out of the box (Debian lets you pick what mirror you want during installation, but doesn’t actually ship with support for https repositories – you have to install apt-transport-https first).

If packages manifests are signed, why bother using https? After all, the privacy gains are minimal, because the sizes of packages are well-known. And using https makes it more difficult to cache content.

People sometimes get really passionate about this. There are single purpose websites dedicated to explaining why using https is pointless in the context of apt.

They’re good points, but bugs like the one I wrote about in this post exist. And this bug isn’t even special – here’s a different one that Jann Horn found in 2016 with the same impact. Yes, a malicious mirror could still exploit a bug like this, even with https. But I suspect that a network adversary serving an exploit is far more likely than deb.debian.org serving one or their TLS certificate getting compromised.

(This is all assuming that apt-transport-https is itself not catastrophically broken. I haven’t audited it, but it looks like a relatively thin wrapper around libcurl.)

Supporting http is fine. I just think it’s worth making https repositories the default – the safer default – and allowing users to downgrade their security at a later time if they choose to do so. I wouldn’t have been able to exploit the Dockerfile at the top of this post if the default package servers had been using https.”

Conclusion:

Thank you to the apt maintainers for patching this vulnerability quickly, and to the Debian security team for coordinating the disclosure.

This bug has been assigned CVE-2019-3462.

src: https://justi.cz/security/2019/01/22/apt-rce.html

one fine day…

strange sha256sum checksum errors occured during apt update, apt upgrade.

user@laptop4:~$ su
Passwort: 
root@laptop4:/home/user# apt update
Ign:1 http://ftp.halifax.rwth-aachen.de/debian stretch InRelease               
Holen:2 http://security.debian.org/debian-security stretch/updates InRelease [94,3 kB]
Holen:3 http://ftp.halifax.rwth-aachen.de/debian stretch-updates InRelease [91,0 kB]
Holen:4 http://security.debian.org/debian-security stretch/updates/main Sources [211 kB]
Holen:5 http://security.debian.org/debian-security stretch/updates/non-free Sources [1.216 B]
Holen:6 http://security.debian.org/debian-security stretch/updates/main amd64 Packages [500 kB]
Holen:7 http://security.debian.org/debian-security stretch/updates/main Translation-en [223 kB]                                                                                                     
Holen:8 http://security.debian.org/debian-security stretch/updates/non-free amd64 Packages [1.596 B]                                                                                                
Holen:9 http://ftp.halifax.rwth-aachen.de/debian stretch Release [118 kB]                                                                                                                           
Holen:10 http://ftp.halifax.rwth-aachen.de/debian stretch-updates/main Sources.diff/Index [10,6 kB]                                                                                                 
Holen:11 http://ftp.halifax.rwth-aachen.de/debian stretch-updates/main amd64 Packages.diff/Index [10,6 kB]                                                                                          
Holen:12 http://ftp.halifax.rwth-aachen.de/debian stretch-updates/main Translation-en.diff/Index [6.148 B]                                                                                          
Holen:13 http://ftp.halifax.rwth-aachen.de/debian stretch Release.gpg [2.434 B]                                                                                                                     
Holen:14 http://ftp.halifax.rwth-aachen.de/debian stretch-updates/main Sources 2019-07-08-0821.07.pdiff [534 B]                                                                                     
Holen:15 http://ftp.halifax.rwth-aachen.de/debian stretch-updates/main amd64 Packages 2019-07-08-0821.07.pdiff [445 B]                                                                              
Holen:16 http://ftp.halifax.rwth-aachen.de/debian stretch-updates/main Translation-en 2019-07-08-0821.07.pdiff [196 B]                                                                              
Holen:14 http://ftp.halifax.rwth-aachen.de/debian stretch-updates/main Sources 2019-07-08-0821.07.pdiff [534 B]                                                                                     
Holen:15 http://ftp.halifax.rwth-aachen.de/debian stretch-updates/main amd64 Packages 2019-07-08-0821.07.pdiff [445 B]                                                                              
Holen:16 http://ftp.halifax.rwth-aachen.de/debian stretch-updates/main Translation-en 2019-07-08-0821.07.pdiff [196 B]                                                                              
Es wurden 1.271 kB in 9 s geholt (140 kB/s).                                                                                                                                                        
Paketlisten werden gelesen... Fertig
E: Der Treiber für Methode /usr/lib/apt/methods/https konnte nicht gefunden werden.
N: Ist das Paket apt-transport-https installiert?
E: Fehlschlag beim Holen von https://download.virtualbox.org/virtualbox/debian/dists/stretch/InRelease  
E: Einige Indexdateien konnten nicht heruntergeladen werden. Sie wurden ignoriert oder alte an ihrer Stelle benutzt.
root@laptop4:/home/user# apt upgrade
Paketlisten werden gelesen... Fertig
Abhängigkeitsbaum wird aufgebaut.       
Statusinformationen werden eingelesen.... Fertig
Paketaktualisierung (Upgrade) wird berechnet... Fertig
Die folgenden NEUEN Pakete werden installiert:
  firmware-linux-free irqbalance linux-image-4.9.0-9-amd64
Die folgenden Pakete sind zurückgehalten worden:
  default-jre default-jre-headless icedtea-netx
Die folgenden Pakete werden aktualisiert (Upgrade):
  apt apt-utils base-files bind9-host ca-certificates-java chromium chromium-l10n cups cups-browsed cups-bsd cups-client cups-common cups-core-drivers cups-daemon cups-filters
  cups-filters-core-drivers cups-ppdc cups-server-common curl dbus dbus-user-session dbus-x11 debian-archive-keyring dns-root-data firefox-esr firefox-esr-l10n-de firmware-iwlwifi
  fonts-opensymbol ghostscript gnupg gnupg-agent gpgv gstreamer1.0-plugins-base gstreamer1.0-x icedtea-netx-common imagemagick imagemagick-6-common imagemagick-6.q16 java-common libapt-inst2.0
  libapt-pkg5.0 libarchive13 libavcodec57 libavfilter6 libavformat57 libavresample3 libavutil55 libbasicusageenvironment1 libbind9-140 libc-bin libc-dev-bin libc-l10n libc6 libc6-dev libc6-i386
  libcups2 libcupscgi1 libcupsfilters1 libcupsimage2 libcupsmime1 libcupsppdc1 libcurl3 libcurl3-gnutls libdbus-1-3 libdns-export162 libdns162 libexpat1 libfontembed1 libgd3 libgroupsock8 libgs9
  libgs9-common libgstreamer-plugins-base1.0-0 libisc-export160 libisc160 libisccc140 libisccfg140 libldb1 liblivemedia57 liblwres141 libmagickcore-6.q16-3 libmagickcore-6.q16-3-extra
  libmagickwand-6.q16-3 libmariadbclient18 libntfs-3g871 libopenjp2-7 libpam-systemd libpng16-16 libpostproc54 libpq5 libqt5core5a libqt5dbus5 libqt5gui5 libqt5network5 libqt5opengl5
  libqt5printsupport5 libqt5widgets5 libreoffice libreoffice-avmedia-backend-gstreamer libreoffice-base libreoffice-base-core libreoffice-base-drivers libreoffice-calc libreoffice-common
  libreoffice-core libreoffice-draw libreoffice-gtk3 libreoffice-help-de libreoffice-help-en-us libreoffice-impress libreoffice-java-common libreoffice-l10n-de libreoffice-librelogo
  libreoffice-math libreoffice-nlpsolver libreoffice-ogltrans libreoffice-pdfimport libreoffice-report-builder libreoffice-report-builder-bin libreoffice-script-provider-bsh
  libreoffice-script-provider-js libreoffice-script-provider-python libreoffice-sdbc-hsqldb libreoffice-sdbc-postgresql libreoffice-style-galaxy libreoffice-style-tango libreoffice-wiki-publisher
  libreoffice-writer libsmbclient libssh-gcrypt-4 libssh2-1 libssl1.0.2 libssl1.1 libswresample2 libswscale4 libsystemd0 libudev1 libusageenvironment3 libvlc-bin libvlc5 libvlccore9 libvncclient1
  libvncserver1 libwayland-client0 libwayland-cursor0 libwayland-server0 libwbclient0 libxapian30 libzmq5 lightning linux-compiler-gcc-6-x86 linux-image-amd64 linux-kbuild-4.9 linux-libc-dev
  locales multiarch-support mumble ntfs-3g openjdk-8-jre openjdk-8-jre-headless openssh-client openssh-server openssh-sftp-server openssl python-cryptography python-ldb python-samba python3-uno
  qt5-gtk-platformtheme rdesktop rtkit samba-common samba-common-bin samba-libs systemd systemd-sysv thunderbird tzdata udev uno-libs3 unzip ure vim vim-common vim-runtime vim-tiny vlc vlc-bin
  vlc-data vlc-l10n vlc-plugin-base vlc-plugin-notify vlc-plugin-qt vlc-plugin-samba vlc-plugin-skins2 vlc-plugin-video-output vlc-plugin-video-splitter vlc-plugin-visualization wget
  wpasupplicant xxd
201 aktualisiert, 3 neu installiert, 0 zu entfernen und 3 nicht aktualisiert.
Es müssen 414 MB an Archiven heruntergeladen werden.
Nach dieser Operation werden 238 MB Plattenplatz zusätzlich benutzt.
Möchten Sie fortfahren? [J/n] J
Holen:1 http://ftp.halifax.rwth-aachen.de/debian stretch/main amd64 base-files amd64 9.9+deb9u9 [67,4 kB]
Holen:2 http://security.debian.org/debian-security stretch/updates/main amd64 linux-libc-dev amd64 4.9.168-1+deb9u4 [1.422 kB]
Holen:3 http://ftp.halifax.rwth-aachen.de/debian stretch/main amd64 libc6-i386 amd64 2.24-11+deb9u4 [2.597 kB]
Holen:4 http://security.debian.org/debian-security stretch/updates/main amd64 dbus-user-session all 1.10.28-0+deb9u1 [79,2 kB]
Holen:5 http://security.debian.org/debian-security stretch/updates/main amd64 dbus-x11 amd64 1.10.28-0+deb9u1 [91,7 kB]
Holen:6 http://security.debian.org/debian-security stretch/updates/main amd64 dbus amd64 1.10.28-0+deb9u1 [212 kB]
Holen:7 http://security.debian.org/debian-security stretch/updates/main amd64 libdbus-1-3 amd64 1.10.28-0+deb9u1 [195 kB]
Holen:8 http://security.debian.org/debian-security stretch/updates/main amd64 libexpat1 amd64 2.2.0-2+deb9u2 [83,6 kB]
Holen:9 http://security.debian.org/debian-security stretch/updates/main amd64 libpng16-16 amd64 1.6.28-1+deb9u1 [280 kB]
Holen:10 http://security.debian.org/debian-security stretch/updates/main amd64 libcupsfilters1 amd64 1.11.6-3+deb9u1 [129 kB]                                                                       
Holen:11 http://security.debian.org/debian-security stretch/updates/main amd64 cups-filters-core-drivers amd64 1.11.6-3+deb9u1 [205 kB]                                                             
Holen:12 http://security.debian.org/debian-security stretch/updates/main amd64 libfontembed1 amd64 1.11.6-3+deb9u1 [96,3 kB]                                                                        
Holen:13 http://security.debian.org/debian-security stretch/updates/main amd64 ghostscript amd64 9.26a~dfsg-0+deb9u3 [99,0 kB]                                                                      
Holen:14 http://ftp.halifax.rwth-aachen.de/debian stretch/main amd64 libc6-dev amd64 2.24-11+deb9u4 [2.364 kB]                                                                                      
Holen:15 http://security.debian.org/debian-security stretch/updates/main amd64 libgs9 amd64 9.26a~dfsg-0+deb9u3 [2.212 kB]                                                                          
Holen:16 http://ftp.halifax.rwth-aachen.de/debian stretch/main amd64 libc-dev-bin amd64 2.24-11+deb9u4 [259 kB]                                                                                     
Holen:61 http://ftp.halifax.rwth-aachen.de/debian stretch/main amd64 libwayland-client0 amd64 1.12.0-1+deb9u1 [25,1 kB]                                                                             
Holen:62 http://ftp.halifax.rwth-aachen.de/debian stretch/main amd64 libarchive13 amd64 3.2.2-2+deb9u1 [294 kB]                                                                                     
Holen:63 http://ftp.halifax.rwth-aachen.de/debian stretch/main amd64 libssh-gcrypt-4 amd64 0.7.3-2+deb9u2 [170 kB]                                                                                  
Holen:16 http://ftp.halifax.rwth-aachen.de/debian stretch/main amd64 libc-dev-bin amd64 2.24-11+deb9u4 [259 kB]                                                                                     
Fehl:16 http://ftp.halifax.rwth-aachen.de/debian stretch/main amd64 libc-dev-bin amd64 2.24-11+deb9u4                                                                                               
  Hash-Summe stimmt nicht überein
  Hashes of expected file:
   - SHA256:f165e460021e06cb932acdd00a892c01f96634be03b3299e66d397c7376dc2c6
   - MD5Sum:553d472b458092f36154e3e536efc4b0 [weak]
   - Filesize:258858 [weak]
  Hashes of received file:
   - SHA256:5768dcebdeda7dc90b03f1fd07a932c7d28425393e6a87cbe21075b5c206a7c7
   - MD5Sum:1c43631a13be1dc7b755248bede4beb7 [weak]
   - Filesize:17349 [weak]
  Last modification reported: Sun, 04 Aug 2019 09:48:17 +0000
Holen:17 http://ftp.halifax.rwth-aachen.de/debian stretch/main amd64 libc6 amd64 2.24-11+deb9u4 [2.694 kB]                                                                                          
Fehl:17 http://ftp.halifax.rwth-aachen.de/debian stretch/main amd64 libc6 amd64 2.24-11+deb9u4                                                                                                      
  Hash-Summe stimmt nicht überein
  Hashes of expected file:
   - SHA256:c4602def4345f4db0e04a6d6164c7aa35656a5a45092dea74e601fa7b90300d2
   - MD5Sum:5f716a18e07f14b904ff15a212c3b87c [weak]
   - Filesize:2693628 [weak]
  Hashes of received file:
   - SHA256:2efc4331c5aa180766e93d82fedfdd29691a70686aad1cf70d6cc57cf59e1433
   - MD5Sum:527c467abec31c073998473a03f183ba [weak]
   - Filesize:17349 [weak]
  Last modification reported: Sun, 04 Aug 2019 09:48:17 +0000
Holen:64 http://ftp.halifax.rwth-aachen.de/debian stretch/main amd64 libbasicusageenvironment1 amd64 2016.11.28-1+deb9u2 [21,8 kB]                                                                  
Holen:18 http://ftp.halifax.rwth-aachen.de/debian stretch/main amd64 libc-bin amd64 2.24-11+deb9u4 [782 kB]                                                                                         
Fehl:18 http://ftp.halifax.rwth-aachen.de/debian stretch/main amd64 libc-bin amd64 2.24-11+deb9u4                                                                                                   
  Hash-Summe stimmt nicht überein
  Hashes of expected file:
   - SHA256:bec80c1aff443c42fd68e4bf3ed86329faf8e96a3bffb9c71553c38774b1546b
   - MD5Sum:981b6d923c801136c0c6195dd4edc183 [weak]
   - Filesize:782390 [weak]
  Hashes of received file:
   - SHA256:382e884b6afed3a4551c28aeb479bf5a4bb6e07995811899654ef34e4c6fcb3b
   - MD5Sum:10f839fe75be239a81870f7c87fedad2 [weak]
   - Filesize:17349 [weak]
  Last modification reported: Sun, 04 Aug 2019 09:48:17 +0000
Holen:19 http://ftp.halifax.rwth-aachen.de/debian stretch/main amd64 libapt-pkg5.0 amd64 1.4.9 [916 kB]                                                                                             
Ign:19 http://ftp.halifax.rwth-aachen.de/debian stretch/main amd64 libapt-pkg5.0 amd64 1.4.9                                                                                                        
Holen:20 http://ftp.halifax.rwth-aachen.de/debian stretch/main amd64 libapt-inst2.0 amd64 1.4.9 [192 kB]                                                                                            
Holen:65 http://ftp.halifax.rwth-aachen.de/debian stretch/main amd64 libgroupsock8 amd64 2016.11.28-1+deb9u2 [27,4 kB]                                                                              
Ign:20 http://ftp.halifax.rwth-aachen.de/debian stretch/main amd64 libapt-inst2.0 amd64 1.4.9                                                                                                       
Holen:21 http://ftp.halifax.rwth-aachen.de/debian stretch-updates/main amd64 debian-archive-keyring all 2017.5+deb9u1 [73,9 kB]                                                                     
Fehl:21 http://ftp.halifax.rwth-aachen.de/debian stretch-updates/main amd64 debian-archive-keyring all 2017.5+deb9u1                                                                                
  Hash-Summe stimmt nicht überein
  Hashes of expected file:
   - SHA256:019a2e650d41203d01898288520bc830affe85db68854558e6625878fb1fdc09
   - MD5Sum:a329179abe742223feec1efb9947fb39 [weak]
   - Filesize:73930 [weak]
  Hashes of received file:
   - SHA256:4dbc78e8970ebc3dd3a7c4892aff4419a8d77e8e417e4b12daf9baf29e9ff131
   - MD5Sum:700e0300a312f3013896b2402c1b3001 [weak]
   - Filesize:17349 [weak]
  Last modification reported: Sun, 04 Aug 2019 09:48:17 +0000
Holen:22 http://ftp.halifax.rwth-aachen.de/debian stretch/main amd64 apt amd64 1.4.9 [1.232 kB]                                                                                                     
Ign:22 http://ftp.halifax.rwth-aachen.de/debian stretch/main amd64 apt amd64 1.4.9                                                                                                                  
Holen:66 http://ftp.halifax.rwth-aachen.de/debian stretch/main amd64 liblivemedia57 amd64 2016.11.28-1+deb9u2 [310 kB]                                                                              
Holen:23 http://ftp.halifax.rwth-aachen.de/debian stretch/main amd64 apt-utils amd64 1.4.9 [410 kB]                                                                                                 
Ign:23 http://ftp.halifax.rwth-aachen.de/debian stretch/main amd64 apt-utils amd64 1.4.9                                                                                                            
Holen:24 http://ftp.halifax.rwth-aachen.de/debian stretch/main amd64 gpgv amd64 2.1.18-8~deb9u4 [481 kB]                                                                                            
Fehl:24 http://ftp.halifax.rwth-aachen.de/debian stretch/main amd64 gpgv amd64 2.1.18-8~deb9u4                                                                                                      
  Hash-Summe stimmt nicht überein
  Hashes of expected file:
   - SHA256:1a45dc09d331c977851a04cec65d86fa185122434b229784b2d5d504c57eea30
   - MD5Sum:397ad47d4296fcc69e3858fd0ec9cac8 [weak]
   - Filesize:480726 [weak]
  Hashes of received file:
   - SHA256:3615e5e88639dd29d9ea34602cf9de18998bc5dd3152e2bbc18d531f779889f3
   - MD5Sum:1407031b053cd1351406e4c8e01cc801 [weak]
   - Filesize:17349 [weak]
  Last modification reported: Sun, 04 Aug 2019 09:48:17 +0000
Holen:25 http://ftp.halifax.rwth-aachen.de/debian stretch/main amd64 systemd-sysv amd64 232-25+deb9u11 [82,4 kB]                                                                                    
Holen:67 http://ftp.halifax.rwth-aachen.de/debian stretch/main amd64 libusageenvironment3 amd64 2016.11.28-1+deb9u2 [12,6 kB]                                                                       
Ign:25 http://ftp.halifax.rwth-aachen.de/debian stretch/main amd64 systemd-sysv amd64 232-25+deb9u11                                                                                                
Holen:26 http://ftp.halifax.rwth-aachen.de/debian stretch/main amd64 libpam-systemd amd64 232-25+deb9u11 [189 kB]                                                                                   
Ign:26 http://ftp.halifax.rwth-aachen.de/debian stretch/main amd64 libpam-systemd amd64 232-25+deb9u11                                                                                              
Holen:27 http://ftp.halifax.rwth-aachen.de/debian stretch/main amd64 libsystemd0 amd64 232-25+deb9u11 [281 kB]                                                                                      
Ign:27 http://ftp.halifax.rwth-aachen.de/debian stretch/main amd64 libsystemd0 amd64 232-25+deb9u11                                                                                                 
Holen:68 http://ftp.halifax.rwth-aachen.de/debian stretch/main amd64 multiarch-support amd64 2.24-11+deb9u4 [201 kB]                                                                                
Holen:28 http://ftp.halifax.rwth-aachen.de/debian stretch/main amd64 systemd amd64 232-25+deb9u11 [2.471 kB]                                                                                        
Ign:28 http://ftp.halifax.rwth-aachen.de/debian stretch/main amd64 systemd amd64 232-25+deb9u11                                                                                                     
Holen:29 http://ftp.halifax.rwth-aachen.de/debian stretch/main amd64 udev amd64 232-25+deb9u11 [1.115 kB]                                                                                           
Ign:29 http://ftp.halifax.rwth-aachen.de/debian stretch/main amd64 udev amd64 232-25+deb9u11                                                                                                        
Holen:30 http://ftp.halifax.rwth-aachen.de/debian stretch/main amd64 libudev1 amd64 232-25+deb9u11 [126 kB]                                                                                         
Ign:30 http://ftp.halifax.rwth-aachen.de/debian stretch/main amd64 libudev1 amd64 232-25+deb9u11                                                                                                    
Holen:31 http://ftp.halifax.rwth-aachen.de/debian stretch/main amd64 libcupsmime1 amd64 2.2.1-8+deb9u3 [117 kB]                                                                                     
Holen:69 http://ftp.halifax.rwth-aachen.de/debian stretch/main amd64 tzdata all 2019a-0+deb9u1 [273 kB]                                                                                             
Fehl:31 http://ftp.halifax.rwth-aachen.de/debian stretch/main amd64 libcupsmime1 amd64 2.2.1-8+deb9u3                                                                                               
  Hash-Summe stimmt nicht überein
  Hashes of expected file:
   - SHA256:c544252076f12fd6f65e6b23fea7d8c099b478844bbc1cd00b1101a7c7b5e615
   - MD5Sum:728d468e6f04264cca5750aed9ae1eea [weak]
   - Filesize:117436 [weak]
  Hashes of received file:
   - SHA256:1501806a05bcf5ad002345921505b968c5dc9508423ec1fbdc318d107bf6d61f
   - MD5Sum:c29c35fda8a1e1f1b04bb41e951c68e7 [weak]
   - Filesize:17349 [weak]
  Last modification reported: Sun, 04 Aug 2019 09:48:17 +0000
Holen:32 http://ftp.halifax.rwth-aachen.de/debian stretch/main amd64 libcupsimage2 amd64 2.2.1-8+deb9u3 [122 kB]                                                                                    
Fehl:32 http://ftp.halifax.rwth-aachen.de/debian stretch/main amd64 libcupsimage2 amd64 2.2.1-8+deb9u3                                                                                              
  Hash-Summe stimmt nicht überein
  Hashes of expected file:
   - SHA256:546d333b18f83839bd977949a3f20fab20f5a85b8ad194ad7d30d1904ca642c5
   - MD5Sum:678b9d8ad66df4ad195650286f98f8e4 [weak]
   - Filesize:121592 [weak]
  Hashes of received file:
   - SHA256:45736c5624300aec29016740a4c82c762415d834aa90248161eee7429b837802
   - MD5Sum:66f473c539aca63e9452df79642f2819 [weak]
   - Filesize:17349 [weak]
  Last modification reported: Sun, 04 Aug 2019 09:48:17 +0000
Holen:33 http://ftp.halifax.rwth-aachen.de/debian stretch/main amd64 cups-core-drivers amd64 2.2.1-8+deb9u3 [131 kB]                                                                                
Fehl:33 http://ftp.halifax.rwth-aachen.de/debian stretch/main amd64 cups-core-drivers amd64 2.2.1-8+deb9u3                                                                                          
  Hash-Summe stimmt nicht überein
  Hashes of expected file:
   - SHA256:9f5890c82542270f405a0fb923bbbaeaa2f69e0c7d84bdfc335f7b22110dce17
   - MD5Sum:9279b22479d25bf5b3b5d3957baa6c43 [weak]
   - Filesize:130822 [weak]
  Hashes of received file:
   - SHA256:b6aff965e98917ee8fab847e583f4ae2fba0e15705a3d4dc562be85f8c8d21ff
   - MD5Sum:31dd0ed07b5f9f5b75301e8da1435ec0 [weak]
   - Filesize:17349 [weak]
  Last modification reported: Sun, 04 Aug 2019 09:48:18 +0000
Holen:34 http://ftp.halifax.rwth-aachen.de/debian stretch/main amd64 cups-server-common all 2.2.1-8+deb9u3 [579 kB]                                                                                 
Fehl:34 http://ftp.halifax.rwth-aachen.de/debian stretch/main amd64 cups-server-common all 2.2.1-8+deb9u3                                                                                           
  Hash-Summe stimmt nicht überein
  Hashes of expected file:
   - SHA256:203e7aefa3c646ca4a670dad80e07bdded8c6bcbe3aa5d09a75c1fb97f0333d9
   - MD5Sum:cce351e62ae392f2ad900b8f76f98801 [weak]
   - Filesize:578900 [weak]
  Hashes of received file:
   - SHA256:5d7c20a32f38b9460ed55933478babde33ce815e8090bdb95f15d4eb23f2ac68
   - MD5Sum:f26623224316c910386552ebac12b13c [weak]
   - Filesize:17349 [weak]
  Last modification reported: Sun, 04 Aug 2019 09:48:18 +0000
Holen:35 http://ftp.halifax.rwth-aachen.de/debian stretch/main amd64 libopenjp2-7 amd64 2.1.2-1.1+deb9u3 [122 kB]                                                                                   
Ign:35 http://ftp.halifax.rwth-aachen.de/debian stretch/main amd64 libopenjp2-7 amd64 2.1.2-1.1+deb9u3                                                                                              
Holen:36 http://ftp.halifax.rwth-aachen.de/debian stretch/main amd64 libcupsppdc1 amd64 2.2.1-8+deb9u3 [149 kB]                                                                                     
Fehl:36 http://ftp.halifax.rwth-aachen.de/debian stretch/main amd64 libcupsppdc1 amd64 2.2.1-8+deb9u3                                                                                               
  Hash-Summe stimmt nicht überein
  Hashes of expected file:
   - SHA256:cad5a2c68ef93b66760b9934520248695b1703320e9a89afb53e9f01b8d0b246
   - MD5Sum:00d6f582865502cd216f9025de1b9a61 [weak]
   - Filesize:148932 [weak]
  Hashes of received file:
   - SHA256:bf69e443873ff01e7b119d1cc9d18860f491a0e140f80fa3b51766cc029eeda3
   - MD5Sum:af8a78415158d2e649e28d7593d76564 [weak]
   - Filesize:17349 [weak]
  Last modification reported: Sun, 04 Aug 2019 09:48:18 +0000
Holen:37 http://ftp.halifax.rwth-aachen.de/debian stretch/main amd64 libcupscgi1 amd64 2.2.1-8+deb9u3 [131 kB]                                                                                      
Fehl:37 http://ftp.halifax.rwth-aachen.de/debian stretch/main amd64 libcupscgi1 amd64 2.2.1-8+deb9u3                                                                                                
  Hash-Summe stimmt nicht überein
  Hashes of expected file:
   - SHA256:0f48592c3f75e6eed1b4dbec52971c7f466097b41bfc1268744d1aab8b9c42dd
   - MD5Sum:334c97068ddffca4543f1d2c3d5113c7 [weak]
   - Filesize:130846 [weak]
  Hashes of received file:
   - SHA256:0d1b4412d20eb1d0fcdfbf4b0bb43a55f5998e9c397e9d0a2b853d42ba1c8d72
   - MD5Sum:a0ac9b54e0c0c41489aaf1f947f265bd [weak]
   - Filesize:17349 [weak]
  Last modification reported: Sun, 04 Aug 2019 09:48:18 +0000
Holen:38 http://ftp.halifax.rwth-aachen.de/debian stretch/main amd64 cups-daemon amd64 2.2.1-8+deb9u3 [405 kB]                                                                                      
Fehl:38 http://ftp.halifax.rwth-aachen.de/debian stretch/main amd64 cups-daemon amd64 2.2.1-8+deb9u3                                                                                                
  Hash-Summe stimmt nicht überein
  Hashes of expected file:
   - SHA256:7262b4615c92cd1427fa4b5bc322ac118944c576a9ba739e0460513740ecdc08
   - MD5Sum:bbb9e051de96b627f51c494a84182d31 [weak]
   - Filesize:404792 [weak]
  Hashes of received file:
   - SHA256:747e41a7607a639573ffe27e3a0d8d8ab765a6819e3cb7d9fa4c6900e8e96670
   - MD5Sum:9eb44b6b10c81c1944dd08c1b8a0f347 [weak]
   - Filesize:17349 [weak]
  Last modification reported: Sun, 04 Aug 2019 09:48:18 +0000
Holen:39 http://ftp.halifax.rwth-aachen.de/debian stretch/main amd64 cups-bsd amd64 2.2.1-8+deb9u3 [38,0 kB]                                                                                        
Fehl:39 http://ftp.halifax.rwth-aachen.de/debian stretch/main amd64 cups-bsd amd64 2.2.1-8+deb9u3                                                                                                   
  Hash-Summe stimmt nicht überein
  Hashes of expected file:
   - SHA256:9259b9cb24eaa20c111945d36b469ddc0fd435a45b011cfaffe017d90526846f
   - MD5Sum:2a10fd13d53b8618c587c38ed8c17e8f [weak]
   - Filesize:37984 [weak]
  Hashes of received file:
   - SHA256:cdbc1ead9e065c98796a2a35c5865346c13add239b1a7ad11df5be59a697721c
   - MD5Sum:252042de1c9e5756dd4c7d8de01a48fd [weak]
   - Filesize:17349 [weak]
  Last modification reported: Sun, 04 Aug 2019 09:48:18 +0000
Holen:40 http://ftp.halifax.rwth-aachen.de/debian stretch/main amd64 cups-client amd64 2.2.1-8+deb9u3 [239 kB]                                                                                      
Fehl:40 http://ftp.halifax.rwth-aachen.de/debian stretch/main amd64 cups-client amd64 2.2.1-8+deb9u3                                                                                                
  Hash-Summe stimmt nicht überein
  Hashes of expected file:
   - SHA256:0bd8ff41b568348625534368037645059b6a410042f43715324a6edfcb827fb8
   - MD5Sum:c11636497b2058b6adbfbbd601f1699f [weak]
   - Filesize:238586 [weak]
  Hashes of received file:
   - SHA256:316a75d484dd93feea46b99bb4817935c2e30b1385beda69a207dca476743fdf
   - MD5Sum:99d9d8aa9b8a5f056ca5b678c7d0d294 [weak]
   - Filesize:17349 [weak]
  Last modification reported: Sun, 04 Aug 2019 09:48:18 +0000
Holen:41 http://ftp.halifax.rwth-aachen.de/debian stretch/main amd64 libcups2 amd64 2.2.1-8+deb9u3 [306 kB]                                                                                         
Fehl:41 http://ftp.halifax.rwth-aachen.de/debian stretch/main amd64 libcups2 amd64 2.2.1-8+deb9u3                                                                                                   
  Hash-Summe stimmt nicht überein
  Hashes of expected file:
   - SHA256:ff10dee95eb95d27677e15ff2cafda27acc77c80ba633ea10bf38c667cf9b3aa
   - MD5Sum:fafef00b4cabd24e23b8f5c5b65374e0 [weak]
   - Filesize:306118 [weak]
  Hashes of received file:
   - SHA256:ecca567eab385ce8a8fd44e61daa451aaac0102057822f79e91e39d30a6aab76
   - MD5Sum:643dabcaf215c3bbf49a8a9e46dd8ecd [weak]
   - Filesize:17349 [weak]
  Last modification reported: Sun, 04 Aug 2019 09:48:18 +0000
Holen:42 http://ftp.halifax.rwth-aachen.de/debian stretch/main amd64 cups amd64 2.2.1-8+deb9u3 [292 kB]                                                                                             
Fehl:42 http://ftp.halifax.rwth-aachen.de/debian stretch/main amd64 cups amd64 2.2.1-8+deb9u3                                                                                                       
  Hash-Summe stimmt nicht überein
  Hashes of expected file:
   - SHA256:9b702dc94e0ba226d6e2e09e4038112540041aa0f7b03d61a6eea66be983a427
   - MD5Sum:ba4694afd17c06bba74e9662132d671c [weak]
   - Filesize:292468 [weak]
  Hashes of received file:
   - SHA256:7e6fea9adeab5bec909c278403f7985a78d961e5e76a4c58cdd3a17aeb66e27f
   - MD5Sum:83864a85f3321264186ad3d8fd832796 [weak]
   - Filesize:17349 [weak]
  Last modification reported: Sun, 04 Aug 2019 09:48:18 +0000
Holen:43 http://ftp.halifax.rwth-aachen.de/debian stretch/main amd64 cups-common all 2.2.1-8+deb9u3 [261 kB]                                                                                        
Fehl:43 http://ftp.halifax.rwth-aachen.de/debian stretch/main amd64 cups-common all 2.2.1-8+deb9u3                                                                                                  
  Hash-Summe stimmt nicht überein
  Hashes of expected file:
   - SHA256:2fc71eb63ec5e967dc0992bab9d3a0f75a86f92353f6935d7bf55876128bbe3d
   - MD5Sum:2b3cc48a4e88be8dd24d116d0018f475 [weak]
   - Filesize:261400 [weak]
  Hashes of received file:
   - SHA256:ccdfa75f35ad15c07fa6bf4332ce1123b1961634635b4ad5484e424810b125d4
   - MD5Sum:bf2fe441180034fdd28ed9793e45cc7e [weak]
   - Filesize:17349 [weak]
  Last modification reported: Sun, 04 Aug 2019 09:48:18 +0000
Holen:44 http://ftp.halifax.rwth-aachen.de/debian stretch/main amd64 cups-ppdc amd64 2.2.1-8+deb9u3 [131 kB]                                                                                        
Fehl:44 http://ftp.halifax.rwth-aachen.de/debian stretch/main amd64 cups-ppdc amd64 2.2.1-8+deb9u3                                                                                                  
  Hash-Summe stimmt nicht überein
  Hashes of expected file:
   - SHA256:18f240245a7e36be2365f07ca4e1786f776d6bb15fc894c1d2f64d5b0fab75e8
   - MD5Sum:36dc8c8a4aa35af16fb1e49e3186bf8f [weak]
   - Filesize:130666 [weak]
  Hashes of received file:
   - SHA256:5dfec870e8b5e339ea2f45ae77a598bb946bbabe3f255b116260e0530fb8a7e1
   - MD5Sum:2b8d3940f26c95b468561b554a73f89a [weak]
   - Filesize:17349 [weak]
  Last modification reported: Sun, 04 Aug 2019 09:48:18 +0000
Holen:45 http://ftp.halifax.rwth-aachen.de/debian stretch/main amd64 ca-certificates-java all 20170929~deb9u3 [15,1 kB]                                                                             
Fehl:45 http://ftp.halifax.rwth-aachen.de/debian stretch/main amd64 ca-certificates-java all 20170929~deb9u3                                                                                        
  Hash-Summe stimmt nicht überein
  Hashes of expected file:
   - SHA256:735ca819679981197b705c54c6ab0321308ebd8038256fe863875e46f26c2d64
   - MD5Sum:e00c12454af40fedb8e76a298cee4d78 [weak]
   - Filesize:15070 [weak]
  Hashes of received file:
   - SHA256:c001b7b9f9674ff493994cb292f25cfa345ebb1c5d39de083becc4bc0fd56f22
   - MD5Sum:2096eadd8523bfd6c90fbe2055c53ec6 [weak]
   - Filesize:17349 [weak]
  Last modification reported: Sun, 04 Aug 2019 09:48:18 +0000
Holen:46 http://ftp.halifax.rwth-aachen.de/debian stretch/main amd64 java-common all 0.58+deb9u1 [13,6 kB]                                                                                          
Fehl:46 http://ftp.halifax.rwth-aachen.de/debian stretch/main amd64 java-common all 0.58+deb9u1                                                                                                     
  Writing more data than expected (15928 > 13628)
  Hashes of expected file:
   - SHA256:ceee63ee76d04af5d95785a4586cd621ad9cbf6a87ee54c7e163c6d1434c4765
   - MD5Sum:4e0f2cc443a4f2890a98cc4be3fbc429 [weak]
   - Filesize:13628 [weak]
Holen:47 http://ftp.halifax.rwth-aachen.de/debian stretch/main amd64 libc-l10n all 2.24-11+deb9u4 [820 kB]                                                                                          
Fehl:47 http://ftp.halifax.rwth-aachen.de/debian stretch/main amd64 libc-l10n all 2.24-11+deb9u4                                                                                                    
  Hash-Summe stimmt nicht überein
  Hashes of expected file:
   - SHA256:768bba9f4f1f8199f6a50513e897184dbbf0135e6036e6c1f207c216520de83b
   - MD5Sum:8540a72582a4392ab3767f5a399222ef [weak]
   - Filesize:819762 [weak]
  Hashes of received file:
   - SHA256:9c2275ae35dc11a96a02f123bb1b0e119d9d79564d0bd18f4bf0df956d158101
   - MD5Sum:ed5a7e2f1065cb339dada552dec5c1f0 [weak]
   - Filesize:17349 [weak]
  Last modification reported: Sun, 04 Aug 2019 09:48:18 +0000
Holen:48 http://ftp.halifax.rwth-aachen.de/debian stretch/main amd64 locales all 2.24-11+deb9u4 [3.289 kB]                                                                                          
Fehl:48 http://ftp.halifax.rwth-aachen.de/debian stretch/main amd64 locales all 2.24-11+deb9u4                                                                                                      
  Hash-Summe stimmt nicht überein
  Hashes of expected file:
   - SHA256:7a57eeecdf1150b5daa7de0b8a2a27500a4ffb2716fca8544610015962822543
   - MD5Sum:4d9413dc5d9cee005cd06db4033f59f7 [weak]
   - Filesize:3288578 [weak]
  Hashes of received file:
   - SHA256:75e040ed7683f8ce43f9c6c43abec9a7824dd09aa5b8802f39628eb74d021871
   - MD5Sum:b4a4892c5e001e93501cf93ac987aa8e [weak]
   - Filesize:17349 [weak]
  Last modification reported: Sun, 04 Aug 2019 09:48:18 +0000

there is probably no problem with the udpate server… and everyone hope it stays that way.

apt-get clean
rm -rf /var/lib/apt/lists/*
apt-get clean
apt-get update
apt-get upgrade

says this will fix the problem

admin