Security Information / 2014 / Security Information -- DSA-3031-1 apt

Debian Security Advisory

DSA-3031-1 apt -- security update

Date Reported:

23 Sep 2014

Affected Packages:

apt

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-2014-6273.

More information:

The Google Security Team discovered a buffer overflow vulnerability in the HTTP transport code in apt-get. An attacker able to man-in-the-middle a HTTP request to an apt repository can trigger the buffer overflow, leading to a crash of the http apt method binary, or potentially to arbitrary code execution.

Two regression fixes were included in this update:

• Fix regression from the previous update in DSA-3025-1 when the custom apt configuration option for Dir::state::lists is set to a relative path (#762160).

• Fix regression in the reverification handling of cdrom: sources that may lead to incorrect hashsum warnings. Affected users need to run "apt-cdrom add" again after the update was applied.

For the stable distribution (wheezy), this problem has been fixed in version 0.9.7.9+deb7u5.

We recommend that you upgrade your apt packages.