Debian Security Advisory
DLA-0005-1 apt -- LTS security update
- Date Reported:
- 12 Jun 2014
- Affected Packages:
- Security database references:
- In the Debian bugtracking system: Bug 749795.
In Mitre's CVE dictionary: CVE-2011-3634, CVE-2014-0478.
- More information:
Jakub Wilk discovered that APT, the high level package manager, did not properly perform authentication checks for source packages downloaded via "apt-get source". This only affects use cases where source packages are downloaded via this command; it does not affect regular Debian package installation and upgrading. (CVE-2014-0478)
It was discovered that APT incorrectly handled the Verify-Host configuration option. If a remote attacker were able to perform a man-in-the-middle attack, this flaw could potentially be used to steal repository credentials. This only relevant for systems that use APT sources on https connections (requires the apt-transport-https package to be installed). (CVE-2011-3634)
For Debian 6
Squeeze, these issues have been fixed in apt version 0.8.10.3+squeeze2