Ansible playbook for updating apt securely (CVE-2019-3462)
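#!/bin/sh -ex
# Upgrade apt to 1.4.9 on a host still running a release affected by
# CVE-2019-3462 (a flaw in how apt's HTTP transport handles redirects).
#
# Every apt call below turns HTTP redirects off, so the vulnerable code path
# is not used while the fixed packages are fetched. As a second check, any
# apt 1.4.9 archive found in the download cache is compared against a pinned
# SHA-256 value before the install step runs.
#
# NOTE(review): the pinned values cover amd64 builds only, as the file names
# show. Their origin is not stated in this file; confirm them against the
# signed security advisory before relying on them.

# Set the options explicitly as well: when the script is started as
# `sh check-apt-update.sh` the shebang options are ignored, and without -e a
# failed checksum would not stop the install.
set -ex

no_redirect='Acquire::http::AllowRedirect=false'
archives=/var/cache/apt/archives
verified=0

# verify_if_present SHA256 FILE
# Skip FILE when it is not in the cache (the package may not be installed on
# this host). When it is present, abort the whole script on a mismatch.
verify_if_present() {
    [ -e "$2" ] || return 0
    # Two spaces between digest and name is the canonical checksum-file format.
    if ! printf '%s  %s\n' "$1" "$2" | sha256sum -c; then
        echo "checksum mismatch for $2; refusing to install" >&2
        exit 1
    fi
    verified=$((verified + 1))
}

# Best effort: a failing index refresh or download must not abort the run
# here. Missing archives are reported by the warning further down.
apt -y -o "$no_redirect" update || true
apt -y -o "$no_redirect" upgrade --download-only || true

cd "$archives"

verify_if_present 1da507155c7b1ad140739c62fdacceaf5b5ee3765b1a00c3a3527d9d82a8d533 apt-dbgsym_1.4.9_amd64.deb
verify_if_present 59f3e1c91664fe3b47048794560ebe9c41f1eeccbdd95f7715282f8cbe449060 apt-transport-https-dbgsym_1.4.9_amd64.deb
verify_if_present c8c4366d1912ff8223615891397a78b44f313b0a2f15a970a82abe48460490cb apt-transport-https_1.4.9_amd64.deb
verify_if_present e3e157c291b05b2899a545331c7597ab36ca04e02cd9010562b9985b76af60db apt-utils-dbgsym_1.4.9_amd64.deb
verify_if_present fb227d1c4615197a6263e7312851ac3601d946221cfd85f20427a15ab9658d15 apt-utils_1.4.9_amd64.deb
verify_if_present dddf4ff686845b82c6c778a70f1f607d0bb9f8aa43f2fb7983db4ff1a55f5fae apt_1.4.9_amd64.deb
verify_if_present 0e66db1f74827f06c55ac36cc961e932cd0a9a6efab91b7d1159658bab5f533e libapt-inst2.0-dbgsym_1.4.9_amd64.deb
verify_if_present a099c57d20b3e55d224433b7a1ee972f6fdb79911322882d6e6f6a383862a57d libapt-inst2.0_1.4.9_amd64.deb
verify_if_present cfb0a03ecd22aba066d97e75d4d00d791c7a3aceb2e5ec4fbee7176389717404 libapt-pkg-dev_1.4.9_amd64.deb
verify_if_present cdb03ddd57934e773a579a89f32f11567710a39d6ac289e73efb20e8825874d1 libapt-pkg5.0-dbgsym_1.4.9_amd64.deb
verify_if_present 03281e3d1382826d5989c12c77a9b27f5f752b0f6aa28b524a2df193f7296e0b libapt-pkg5.0_1.4.9_amd64.deb

# The checks above are skipped for absent files, so a failed download, a
# different architecture or a different version leaves nothing verified.
# Say so instead of passing silently; the install below still runs with
# redirects disabled.
if [ "$verified" -eq 0 ]; then
    echo "warning: no pinned apt 1.4.9 archive found in $archives; nothing was checksum-verified" >&2
fi

apt -y -o "$no_redirect" install --only-upgrade apt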
-----BEGIN PGP MESSAGE-----
owGVln1olVUcxzffvcyXCha1RsdFgtVzd95fBqMmxQpE0BAajey87l523V33uZuO
FoTSHwWtVRLhSzbxJQhDKl9KSqKJFSaZfwhKQZmYJTGKkoKycymDSnfvnn8eeM5z
zvdzvr+Xc0bnTa/L1J968uj5Iy+s+6h+zxxnbrA5b3sT3V9OBvqdLvtsmuvu7Nx5
26JWk+9rTXMg8esymTgOkiGQFEGHfWwgX/Jtbblyub+traNQKK5d6V38ZMvtQRdS
D/5aCAwPg3JpwE91bk9JOw+SxBXX9hWK2iXFvsLQP4tlrAOtg7rUanUkb41rt+qS
zeUHfZrJlH0apTyo7MaZnnRozWqUpVm1Wq9xnGadN2DxYtCdAfHxNlcELchpBgVi
zAqDtEMUCqIsx8Fpa70OzDDvieAsjkJoiSYMC6ecxFo6RgiYRKsFDIM0pzHj6cAa
kNh/85VLui/tL5bKScWMtEZepgLxyCrEOQ2eGCoglUJRxqE3XlmKAvLeWuOcYkHE
nWGJg7TGU6ogh2AK2lPirwZupaWEc4cUwiFIjAlHTCpElNBCGkoDQcRAjQNiWgmo
o8MRWlIOI7g1VwWfGvFAOV+o1WcfXWbCYoUMZAZLpTSjMd7IChaJDeFWQ+ohtk5B
BBnHRinJjOA6cOj+xp1MsQbWapDB4JiMyNJoJYpUHHPiBUFYMqQt4RA5RTnGyAYn
WcCQYqGjvUZxJh1i4NpSk9JV43LOBRoCl1xSZiS23AohtYABRXOEg8aoILWmJOBg
hJLEmfg/0owFFrQHVxO5NlEhbyr7yPelZZyFNQYY+piMBgVBJRYBcstYxTJrFUde
kRhXqJXmPkS3kIkuI1ZxzWgTGQmJjDXJ1kpdDVdDpSwTDkNDPGMOY0oJMTGc3iuB
Aw8uGqkQIhhLiR33PHBNJJEc6zjvv7hT5uzv7UmcH6xa5iHWMCTeRkJtNIwmK+EF
c9RB6ISK9aOJtt5gz7ylwXgvkOBEqviikIIqerVwspqTwDoDScxWJhShXggSrVJa
xh4b2xBiPPZPqIlyXNvYAmJp+Vhy0EeDmRTUIVCTao3MVTOWYIk8cYjI2NO5Y0oq
i3AsLa1MzOHY7hk2MIZdY2kYphq7gBQJAivuoQGTy/2fckrndiWvdKEQz+3KcZ1c
OcbjGpmn68mMuvpMXXPjohm71KpTo+Ojt6D3pr905R4yc1rlwlGXmbvwypdzD83+
/fp7ext33LHy+eLINyNPIfDHpz90azB2X2lowaUlX7R/7z5sa2rf9+XKQwfvPrt/
5NjlFzeuPz707OH82a7s280PrGhIx26c2KXmbtbHujrHz2xY9t3mhh8LCw68s2xi
qbx/98+vPLenbv34V3PSI4MH333/s/burZ2vvr7p4dMXTxzfcCvs/bxNXjfvrhUb
m9TyMxdPbNs3687tHzdOvLV04bTRk6eOXlqy6tAbyy+rN+eOLJo30HXP6ZaJ/vTX
17KXPvn2wa/nb9l29NztY80zH39i/6Od9WPnz/5U2PLLLF23Z3zvI1t3rt/R8tt2
dYElF7bMbp6/MNOR3tyw5KZn9g3vbpjo2NS0d9XLh7sOzDz5QdOf
=2mc9
-----END PGP MESSAGE-----
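---
# Upgrade apt to 1.4.9 (CVE-2019-3462) on every host that does not run it yet,
# using check-apt-update.sh, then confirm the resulting version.
#
# All conditions are evaluated per host. `meta: end_play` is deliberately not
# used to skip patched hosts: it ends the play for every host, so a single
# already-updated machine would leave the remaining ones unpatched while the
# run still reports success.
- hosts: all
  become: true
  tasks:
    - name: Get apt version
      command: apt --version
      register: apt_version
      # Read-only query; do not report it as a change.
      changed_when: false

    - name: Report hosts that already run the fixed apt
      debug:
        msg: "apt is already updated."
      when: "'apt 1.4.9' in apt_version.stdout"

    - name: Upgrade apt on hosts that are not on 1.4.9 yet
      when: "'apt 1.4.9' not in apt_version.stdout"
      block:
        - name: Update apt
          script: check-apt-update.sh
          register: output

        - name: Show the script output
          debug:
            var: output

        # Registered under a new name: the block's `when` is re-evaluated for
        # each task, so overwriting apt_version here would skip the assert.
        - name: Get apt version after the upgrade
          command: apt --version
          register: apt_version_after
          changed_when: false

        - name: Fail the host if apt is still not 1.4.9
          assert:
            that:
              - "'apt 1.4.9' in apt_version_after.stdout"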