[SECURITY] [DLA 58-1] apt security update

2014-09-2317:05:35

lists.debian.org

6.8 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

9.7 High

AI Score

Confidence

High

0.005 Low

EPSS

Percentile

76.4%

JSON

Package : apt
Version : 0.8.10.3+squeeze5
CVE ID : CVE-2014-6273

The Google Security Team discovered a buffer overflow vulnerability in
the HTTP transport code in apt-get. An attacker able to
man-in-the-middle a HTTP request to an apt repository can trigger the
buffer overflow, leading to a crash of the 'http' apt method binary, or
potentially to arbitrary code execution.

The following regression fixes were included in this update:

Fix regression from the previous update in DLA-53-1 when the custom
apt configuration option for Dir::state::lists is set to a relative
path (#762160).
Fix regression in the reverificaiton handling of cdrom: sources that
may lead to incorrect hashsum warnings. Affected users need to run
"apt-cdrom add" again after the update was applied.
Fix regression from the previous update in DLA-53-1 when file:///
sources are used and those are on a different partition than the apt
state directory.

OSVersionArchitecturePackageVersionFilename
Debian7sparclibapt-pkg4.12< 0.9.7.9+deb7u5libapt-pkg4.12_0.9.7.9+deb7u5_sparc.deb
Debian7kfreebsd-amd64apt-utils< 0.9.7.9+deb7u5apt-utils_0.9.7.9+deb7u5_kfreebsd-amd64.deb
Debian7mipsapt-utils< 0.9.7.9+deb7u5apt-utils_0.9.7.9+deb7u5_mips.deb
Debian7mipselapt-transport-https< 0.9.7.9+deb7u5apt-transport-https_0.9.7.9+deb7u5_mipsel.deb
Debian7sparcapt-utils< 0.9.7.9+deb7u5apt-utils_0.9.7.9+deb7u5_sparc.deb
Debian7mipsapt-transport-https< 0.9.7.9+deb7u5apt-transport-https_0.9.7.9+deb7u5_mips.deb
Debian6amd64apt< 0.8.10.3+squeeze5apt_0.8.10.3+squeeze5_amd64.deb
Debian7mipslibapt-pkg-dev< 0.9.7.9+deb7u5libapt-pkg-dev_0.9.7.9+deb7u5_mips.deb
Debian7kfreebsd-amd64apt< 0.9.7.9+deb7u5apt_0.9.7.9+deb7u5_kfreebsd-amd64.deb
Debian6i386libapt-pkg-dev< 0.8.10.3+squeeze5libapt-pkg-dev_0.8.10.3+squeeze5_i386.deb

OS	Version	Architecture	Package	Version	Filename
Debian	7	sparc	libapt-pkg4.12	< 0.9.7.9+deb7u5	libapt-pkg4.12_0.9.7.9+deb7u5_sparc.deb
Debian	7	kfreebsd-amd64	apt-utils	< 0.9.7.9+deb7u5	apt-utils_0.9.7.9+deb7u5_kfreebsd-amd64.deb
Debian	7	mips	apt-utils	< 0.9.7.9+deb7u5	apt-utils_0.9.7.9+deb7u5_mips.deb
Debian	7	mipsel	apt-transport-https	< 0.9.7.9+deb7u5	apt-transport-https_0.9.7.9+deb7u5_mipsel.deb
Debian	7	sparc	apt-utils	< 0.9.7.9+deb7u5	apt-utils_0.9.7.9+deb7u5_sparc.deb
Debian	7	mips	apt-transport-https	< 0.9.7.9+deb7u5	apt-transport-https_0.9.7.9+deb7u5_mips.deb
Debian	6	amd64	apt	< 0.8.10.3+squeeze5	apt_0.8.10.3+squeeze5_amd64.deb
Debian	7	mips	libapt-pkg-dev	< 0.9.7.9+deb7u5	libapt-pkg-dev_0.9.7.9+deb7u5_mips.deb
Debian	7	kfreebsd-amd64	apt	< 0.9.7.9+deb7u5	apt_0.9.7.9+deb7u5_kfreebsd-amd64.deb
Debian	6	i386	libapt-pkg-dev	< 0.8.10.3+squeeze5	libapt-pkg-dev_0.8.10.3+squeeze5_i386.deb