Debian Security Advisory
DSA-3048-1 apt -- security update
- Date Reported:
- 08 Oct 2014
- Affected Packages:
- Security database references:
- In the Debian bugtracking system: Bug 763780.
In Mitre's CVE dictionary: CVE-2014-7206.
- More information:
Guillem Jover discovered that the changelog retrieval functionality in apt-get used temporary files in an insecure way, allowing a local user to cause arbitrary files to be overwritten.
This vulnerability is neutralized by the fs.protected_symlinks setting in the Linux kernel, which is enabled by default in Debian 7 Wheezy and up.
For the stable distribution (wheezy), this problem has been fixed in version 0.9.7.9+deb7u6.
For the unstable distribution (sid), this problem has been fixed in version 18.104.22.168.
We recommend that you upgrade your apt packages.