Debian Security Advisory

DLA-0005-1 apt -- LTS security update

Date Reported:
12 Jun 2014
Affected Packages:
apt
Security database references:
In the Debian bugtracking system: Bug 749795.
In Mitre's CVE dictionary: CVE-2011-3634, CVE-2014-0478.
More information:

Jakub Wilk discovered that APT, the high-level package manager, did not properly perform authentication checks for source packages downloaded via "apt-get source". This only affects use cases where source packages are downloaded via this command; it does not affect regular Debian package installation and upgrading. (CVE-2014-0478)
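
The check that is missing in the "apt-get source" case is an ordinary one: every file that makes up a source package (.dsc, orig tarball, Debian diff or tarball) is listed in the archive's Sources index together with its size and checksum, and the index itself is covered by the signed Release file, so a client only has to compare what it downloaded against that list. The following is an added example written for this page, not apt's own code: it parses the Checksums-Sha256 field of a Sources-style stanza and rejects any downloaded file whose size or SHA-256 does not match. The package name, file names and file contents are constructed for the demonstration, and the stanza is built from the genuine files the way the archive would publish it; the tamper step then swaps the orig tarball for one of the same size, as a man-in-the-middle on an unauthenticated download could.

```python
"""Verify source-package files against a Sources index stanza.

Example code added for this advisory page; it is not part of apt.
The Sources stanza is assumed to have been obtained through the signed
Release/InRelease file, so its hashes are the trusted reference.
"""
import hashlib
import os
import tempfile


def sha256_of(path):
    """SHA-256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_checksums(stanza, field="Checksums-Sha256"):
    """Return {filename: (size, hexdigest)} from a control-style stanza.

    Continuation lines of the field start with whitespace and hold
    '<hash> <size> <name>'. Other fields (Files, Checksums-Sha1, ...)
    use the same layout but are ignored here.
    """
    entries = {}
    in_field = False
    for line in stanza.splitlines():
        if line[:1] in (" ", "\t"):
            if in_field and line.strip():
                digest, size, name = line.split()
                entries[name] = (int(size), digest.lower())
            continue
        in_field = line.split(":", 1)[0] == field
    return entries


def verify_files(directory, expected):
    """Return [(name, reason)] for every listed file that fails.

    A file fails if it is missing, its size differs, or its SHA-256
    differs. Files present on disk but absent from the index are not
    consulted at all; only index-listed files can be accepted.
    """
    problems = []
    for name, (size, digest) in expected.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            problems.append((name, "missing"))
            continue
        if os.path.getsize(path) != size:
            problems.append((name, "size mismatch"))
            continue
        if sha256_of(path) != digest:
            problems.append((name, "sha256 mismatch"))
    return problems


def demo():
    """Write constructed source files, verify them, tamper, verify again.

    Returns (problems_before_tamper, problems_after_tamper).
    """
    # Constructed contents; not a real Debian source package.
    files = {
        "hello_2.8-1.dsc": b"Format: 3.0 (quilt)\nSource: hello\nVersion: 2.8-1\n",
        "hello_2.8.orig.tar.gz": b"\x1f\x8bnot really a tarball, constructed bytes\n",
        "hello_2.8-1.debian.tar.xz": b"\xfd7zXZ\x00constructed\n",
    }
    with tempfile.TemporaryDirectory() as d:
        for name, data in files.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        # Build the Sources stanza from the genuine files, as the archive does.
        lines = ["Package: hello", "Version: 2.8-1", "Checksums-Sha256:"]
        for name, data in files.items():
            lines.append(" %s %d %s" % (hashlib.sha256(data).hexdigest(),
                                        len(data), name))
        expected = parse_checksums("\n".join(lines) + "\n")
        before = verify_files(d, expected)
        # Attacker swaps the orig tarball for one of identical size.
        tampered = bytearray(files["hello_2.8.orig.tar.gz"])
        tampered[-2] ^= 0x01
        with open(os.path.join(d, "hello_2.8.orig.tar.gz"), "wb") as f:
            f.write(bytes(tampered))
        after = verify_files(d, expected)
    return before, after


if __name__ == "__main__":
    print(demo())
```

Size is checked before the hash only to give a cheap early failure; the hash comparison is what provides the authentication, and a same-size substitution still fails on it. Without that comparison a client accepts whatever bytes arrive, which is the condition the advisory describes for "apt-get source".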

It was discovered that APT incorrectly handled the Verify-Host configuration option. If a remote attacker were able to perform a man-in-the-middle attack, this flaw could potentially be used to steal repository credentials. This is only relevant for systems that use APT sources over HTTPS connections (which requires the apt-transport-https package to be installed). (CVE-2011-3634)

For Debian 6 Squeeze, these issues have been fixed in apt version