[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

[SECURITY] [DLA 58-1] apt security update



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : apt
Version        : 0.8.10.3+squeeze5
CVE ID         : CVE-2014-6273

The Google Security Team discovered a buffer overflow vulnerability in
the HTTP transport code in apt-get. An attacker able to
man-in-the-middle a HTTP request to an apt repository can trigger the
buffer overflow, leading to a crash of the 'http' apt method binary, or
potentially to arbitrary code execution.

The following regression fixes were included in this update:

 * Fix regression from the previous update in DLA-53-1 when the custom
   apt configuration option for Dir::state::lists is set to a relative
   path (#762160).

 * Fix regression in the reverificaiton handling of cdrom: sources that
   may lead to incorrect hashsum warnings. Affected users need to run
   "apt-cdrom add" again after the update was applied.

 * Fix regression from the previous update in DLA-53-1 when file:///
   sources are used and those are on a different partition than the apt
   state directory.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJUIagzAAoJEAVMuPMTQ89EwLwQAJfP6JBpVHpPdPQwWMRoOGEo
J7pB5rkaR0gMVOfKyJNdSAu8isybdLrDO2kHiZ6354Y3xfHO56qjGg7fG1nu3cVD
fZMQfgFNkcvGPDz2453z2F9/rENLTX0jSKfapQ1EJpBr5fQXDlaUYXPFwQ071vZy
XdzIDbI0DU2R11Um7XeNWH6hMfdGFdZhhYMAN2WkJsIjX/slN7QLTJ+YNrHI6E6B
W/q0OVFs8DU2ZdGZWq3JoeH1fvu4drR96jA9ZcctYciYaK5Qlq3/pWy4KYGzPN/V
4+VPKQJplxKNaUZRgAuzViN9oPLpsMy7ctq5OS+mzEZqF3I8+14LvOOh/8WklS8E
TDxUlmxQ+o0W6BZhspbGOVsz0y/9AJmVqoC47Y+sYdvpY9zldFwHfmrogt2f/pg8
axfxwaM4y8FJKWhU1qjZeDjfMntdofb1Ip2yGlUduHs1IJy3Scz88CzEtn+M00pt
yWEyeuTlRR9HZ9FlCYoBFYHR7vqfI4LG22NZW8u8f0IibO1y/3apoRNoP6I9YNTG
oMQGlavb5VE+VlfE10mog+wLR7UPaEVWgjUU7/T8rMFCC4NijUotm+mowD3I+q7C
8ZGa9azTx16zwS/MMwsuJ6ELnYPaeFosj/xWSgedP1+KXAERD9Doi1R5u0AhMwh9
YP4o1aRUO/c+uuADVYUn
=Ooqn
-----END PGP SIGNATURE-----


Reply to: