Debian Security Advisory
DSA-1394-1 reprepro -- authentication bypass
- Date Reported:
- 23 Oct 2007
- Affected Packages:
- reprepro
- Vulnerable:
- Yes
- Security database references:
- In the Debian bugtracking system: Bug 440535.
In Mitre's CVE dictionary: CVE-2007-4739. - More information:
-
It was discovered that reprepro, a tool to create a repository of Debian packages, only checks the validity of known signatures when updating from a remote site, and thus does not reject packages with only unknown signatures. This allows an attacker to bypass this authentication mechanism.
The oldstable distribution (sarge) is not affected by this problem.
For the stable distribution (etch) this problem has been fixed in version 1.3.1+1-1.
For the unstable distribution (sid) this problem has been fixed in version 2.2.4-1.
We recommend that you upgrade your reprepro package.
- Fixed in:
-
Debian GNU/Linux 4.0 (etch)
- Source:
- http://security.debian.org/pool/updates/main/r/reprepro/reprepro_1.3.1+1-1.dsc
- http://security.debian.org/pool/updates/main/r/reprepro/reprepro_1.3.1+1-1.diff.gz
- http://security.debian.org/pool/updates/main/r/reprepro/reprepro_1.3.1+1.orig.tar.gz
- http://security.debian.org/pool/updates/main/r/reprepro/reprepro_1.3.1+1-1.diff.gz
- Alpha:
- http://security.debian.org/pool/updates/main/r/reprepro/reprepro_1.3.1+1-1_alpha.deb
- AMD64:
- http://security.debian.org/pool/updates/main/r/reprepro/reprepro_1.3.1+1-1_amd64.deb
- ARM:
- http://security.debian.org/pool/updates/main/r/reprepro/reprepro_1.3.1+1-1_arm.deb
- HPPA:
- http://security.debian.org/pool/updates/main/r/reprepro/reprepro_1.3.1+1-1_hppa.deb
- Intel IA-32:
- http://security.debian.org/pool/updates/main/r/reprepro/reprepro_1.3.1+1-1_i386.deb
- Intel IA-64:
- http://security.debian.org/pool/updates/main/r/reprepro/reprepro_1.3.1+1-1_ia64.deb
- Big endian MIPS:
- http://security.debian.org/pool/updates/main/r/reprepro/reprepro_1.3.1+1-1_mips.deb
- Little endian MIPS:
- http://security.debian.org/pool/updates/main/r/reprepro/reprepro_1.3.1+1-1_mipsel.deb
- PowerPC:
- http://security.debian.org/pool/updates/main/r/reprepro/reprepro_1.3.1+1-1_powerpc.deb
- IBM S/390:
- http://security.debian.org/pool/updates/main/r/reprepro/reprepro_1.3.1+1-1_s390.deb
- Sun Sparc:
- http://security.debian.org/pool/updates/main/r/reprepro/reprepro_1.3.1+1-1_sparc.deb
MD5 checksums of the listed files are available in the original advisory.