apt security update

Published: 2014-06-12 18:15:29
Source: lists.debian.org

CVSS2 : 4
Vector : AV:N/AC:H/Au:N/C:N/I:P/A:P
Attack Vector : NETWORK
Attack Complexity : HIGH
Authentication : NONE
Confidentiality Impact : NONE
Integrity Impact : PARTIAL
Availability Impact : PARTIAL
EPSS : 0.001
Percentile : 44.3%

Package : apt
Version : 0.8.10.3+squeeze2
CVE ID : CVE-2011-3634 CVE-2014-0478
Debian Bug : 749795

Jakub Wilk discovered that APT, the high-level package manager,
did not properly perform authentication checks for source packages
downloaded via "apt-get source". This only affects use cases where
source packages are downloaded via this command; it does not
affect regular Debian package installation and upgrading.
(CVE-2014-0478)

It was discovered that APT incorrectly handled the Verify-Host
configuration option. If a remote attacker were able to perform a
man-in-the-middle attack, this flaw could potentially be used to steal
repository credentials. This is only relevant for systems that use APT
sources on https connections (requires the apt-transport-https package
to be installed). (CVE-2011-3634)
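
A triage sketch for the two conditions the advisory names, added here and not part of the Debian advisory or of APT: it reads a one-line-style sources.list and reports deb-src entries (the prerequisite for "apt-get source", CVE-2014-0478) and https sources (CVE-2011-3634), noting where credentials sit in the URI. The sample file, its hosts and credentials are constructed, and the function name triage is hypothetical.

```python
import re
from urllib.parse import urlsplit

# Constructed sample sources.list; hosts and credentials are made up.
SAMPLE = """\
# main archive
deb http://ftp.debian.org/debian squeeze main
deb-src http://ftp.debian.org/debian squeeze main
deb https://alice:s3cret@repo.example.com/private squeeze main
deb [arch=amd64] https://mirror.example.org/debian squeeze contrib
"""

# type, optional [options], URI, suite (one-line sources.list format)
ENTRY = re.compile(r"^(deb|deb-src)\s+(?:\[[^\]]*\]\s+)?(\S+)\s+\S+")


def triage(text):
    """Return (line_no, cve, reason) for entries in the advisory's scope."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        match = ENTRY.match(raw.split("#", 1)[0].strip())
        if not match:
            continue  # comment, blank line, or not a source entry
        kind, uri = match.groups()
        parts = urlsplit(uri)
        host = parts.hostname or "(no host)"
        if kind == "deb-src":
            # "apt-get source" only works when a deb-src entry exists.
            findings.append((no, "CVE-2014-0478",
                             "deb-src entry, 'apt-get source' fetches from " + host))
        if parts.scheme == "https":
            # Never echo the password itself, only that one is present.
            reason = "https source " + host
            if parts.username or parts.password:
                reason += " with credentials embedded in the URI"
            findings.append((no, "CVE-2011-3634", reason))
    return findings


if __name__ == "__main__":
    for no, cve, reason in triage(SAMPLE):
        print(f"line {no}: {cve}: {reason}")
```

A finding marks an entry whose use case the advisory covers, not an unpatched system; the installed apt version and the presence of apt-transport-https still have to be checked against the advisory.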