Debian Long Term Support / LTS Security Information / 2020 / Security Information -- DLA-2210-1 apt

Debian Security Advisory

DLA-2210-1 apt -- LTS security update

Date Reported:

15 May 2020

Affected Packages:

apt

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-2020-3810.

More information:

When normalizing ar member names by removing trailing whitespace and slashes, an out-out-bound read can be caused if the ar member name consists only of such characters, because the code did not stop at 0, but would wrap around and continue reading from the stack, without any limit.

For Debian 8 Jessie, this problem has been fixed in version 1.0.9.8.6.

We recommend that you upgrade your apt packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS