UNSUBSCRIBE!
-----------------------------------------
> From: carnil@debian.org
> To: debian-security-announce@lists.debian.org
> Date: Thu, 18 Sep 2014 20:30:42 +0000
> Subject: [SECURITY] [DSA 3025-2] apt regression update
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> - -------------------------------------------------------------------------
> Debian Security Advisory DSA-3025-2                   security@debian.org
> http://www.debian.org/security/                      Salvatore Bonaccorso
> September 18, 2014                     http://www.debian.org/security/faq
> - -------------------------------------------------------------------------
>
> Package        : apt
> Debian Bug     : 762079
>
> The previous update for apt, DSA-3025-1, introduced a regression when
> file:/// sources are used and those are on a different partition than
> the apt state directory. This update fixes the regression.
>
> For reference, the original advisory follows.
>
> It was discovered that APT, the high level package manager, does not
> properly invalidate unauthenticated data (CVE-2014-0488), performs
> incorrect verification of 304 replies (CVE-2014-0487), does not perform
> the checksum check when the Acquire::GzipIndexes option is used
> (CVE-2014-0489) and does not properly perform validation for binary
> packages downloaded by the apt-get download command (CVE-2014-0490).
>
> For the stable distribution (wheezy), this problem has been fixed in
> version 0.9.7.9+deb7u4.
>
> For the unstable distribution (sid), this problem has been fixed in
> version 1.0.9.1.
>
> We recommend that you upgrade your apt packages.
>
> Further information about Debian Security Advisories, how to apply
> these updates to your system and frequently asked questions can be
> found at: https://www.debian.org/security/
>
> Mailing list: debian-security-announce@lists.debian.org
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1
> -----END PGP SIGNATURE-----
>
>
> --
> To UNSUBSCRIBE, email to debian-security-announce-REQUEST@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
> Archive: https://lists.debian.org/E1XUiLi-00039r-EO@master.debian.org