Bug#749795: holes in secure apt

To: Christoph Anton Mitterer <calestyo@scientia.net>
Cc: 749795@bugs.debian.org, debian-devel@lists.debian.org, team@security.debian.org
Subject: Bug#749795: holes in secure apt
From: Joey Hess <joeyh@debian.org>
Date: Thu, 12 Jun 2014 00:07:38 -0400
Message-id: <[🔎] 20140612040738.GA20494@kitenet.net>
Mail-followup-to: Christoph Anton Mitterer <calestyo@scientia.net>, 749795@bugs.debian.org, debian-devel@lists.debian.org, team@security.debian.org
Reply-to: Joey Hess <joeyh@debian.org>, 749795@bugs.debian.org
In-reply-to: <[🔎] 1402527988.4739.34.camel@heisenberg.scientia.net>
References: <[🔎] 1402527988.4739.34.camel@heisenberg.scientia.net>

Christoph Anton Mitterer wrote:
> reopen 749795
> I'm reopening this for now, even if the issue is solved from a technical
> point of view (see below why).

AAICS, #749795 talked about bringing this to the security team's
attention, but they never seem to have been CCed.

So the security team may not be aware that a security hole in apt was
recently fixed, that caused apt-get source to not give any indication
when the Release file was lacking a signature.

Whether it's closed in unstable or not, this bug is open still in
stable, and needs to get a CVE assigned, and a DSA issued.

-- 
see shy jo

Reply to:

References:
- Bug#749795: holes in secure apt
  - From: Christoph Anton Mitterer <calestyo@scientia.net>

Prev by Date: Processed: holes in secure apt
Next by Date: Processed: found 749795 in 0.9.7.9+deb7u1
Previous by thread: Processed: holes in secure apt
Next by thread: Bug#749795: holes in secure apt
Index(es):
- Date
- Thread