Debian Security Advisory
DLA-0005-1 apt -- LTS security update
- Date Reported: 12 Jun 2014
- Affected Packages: apt
- Vulnerable: Yes
- Security database references: In the Debian bugtracking system: Bug 749795. In Mitre's CVE dictionary: CVE-2011-3634, CVE-2014-0478.
- More information:
Jakub Wilk discovered that APT, the high-level package manager, did not properly perform authentication checks for source packages downloaded via "apt-get source". This only affects use cases where source packages are downloaded via this command; it does not affect regular Debian package installation and upgrading. (CVE-2014-0478)
It was discovered that APT incorrectly handled the Verify-Host configuration option. If a remote attacker were able to perform a man-in-the-middle attack, this flaw could potentially be used to steal repository credentials. This is only relevant for systems that use APT sources over https connections (which requires the apt-transport-https package to be installed). (CVE-2011-3634)
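The check at issue in CVE-2014-0478 is the one that binds the tarballs "apt-get source" downloads to the signed .dsc: the .dsc is OpenPGP-clearsigned by the uploader and carries the size and SHA-256 of every file of the source package. The script below is an added illustration, not part of this advisory and not APT's own code (the fixed apt performs the checks itself; on an unpatched system, dscverify from devscripts does the equivalent). It parses the Checksums-Sha256 field out of a .dsc, handling the clearsigned layout, and compares it against the files on disk. The .dsc text, the file names and their contents are constructed samples; the signature block is a placeholder, so the OpenPGP signature verification, which must come first, is left to gpg.

```python
"""Check the Checksums-Sha256 field of a Debian .dsc against the files on disk.

Added example, not the advisory's or APT's own code. SAMPLE_DSC is a constructed
.dsc: its hashes are those of the constructed contents b"hello\n" and b"".
"""
import hashlib
import os

# Constructed sample in the clearsigned layout produced by debsign, with the
# signature block replaced by a placeholder (so gpg --verify would reject it).
SAMPLE_DSC = """\
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 3.0 (quilt)
Source: example
Version: 1.0-1
Maintainer: Example Maintainer <maintainer@example.invalid>
Checksums-Sha256:
 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03 6 example_1.0.orig.tar.gz
 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 0 example_1.0-1.debian.tar.xz
Files:
 b1946ac92492d2347c6235b4d2611184 6 example_1.0.orig.tar.gz
 d41d8cd98f00b204e9800998ecf8427e 0 example_1.0-1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----

(placeholder: this constructed sample carries no real signature)
-----END PGP SIGNATURE-----
"""

# Constructed file contents matching the hashes and sizes listed above.
SAMPLE_FILES = {
    "example_1.0.orig.tar.gz": b"hello\n",
    "example_1.0-1.debian.tar.xz": b"",
}


def clearsigned_body(text):
    """Return the signed text of a clearsigned message, or text unchanged.

    Only the layout is handled (armor line, hash headers, blank line, body,
    signature block, dash-unescaping). Verifying the signature is gpg's job
    and must happen before the body is trusted.
    """
    lines = text.splitlines()
    if not lines or lines[0] != "-----BEGIN PGP SIGNED MESSAGE-----":
        return text
    try:
        start = lines.index("", 1) + 1  # first blank line ends the headers
        end = lines.index("-----BEGIN PGP SIGNATURE-----", start)
    except ValueError:
        raise ValueError("malformed clearsigned message")
    body = [l[2:] if l.startswith("- ") else l for l in lines[start:end]]
    return "\n".join(body) + "\n"


def parse_checksums_sha256(dsc_text):
    """Parse the Checksums-Sha256 field into {filename: (sha256_hex, size)}."""
    entries = {}
    in_field = False
    for line in clearsigned_body(dsc_text).splitlines():
        if line.startswith("Checksums-Sha256:"):
            in_field = True
            continue
        if in_field and line.startswith(" "):  # continuation line: hash size name
            digest, size, name = line.split()
            entries[name] = (digest.lower(), int(size))
            continue
        in_field = False  # any other line ends the multiline field
    return entries


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_dsc_checksums(dsc_path, directory):
    """Return a list of problems; an empty list means every listed file matched.

    Size is checked before the digest so a truncated download is reported as
    such. Files in the directory that the .dsc does not list are ignored: they
    lie outside the signed set and must not be unpacked as part of the package.
    """
    with open(dsc_path, "r", encoding="utf-8") as f:
        entries = parse_checksums_sha256(f.read())
    if not entries:
        return ["%s: no Checksums-Sha256 field" % os.path.basename(dsc_path)]
    problems = []
    for name, (want_digest, want_size) in sorted(entries.items()):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            problems.append("%s: missing" % name)
            continue
        size = os.path.getsize(path)
        if size != want_size:
            problems.append("%s: size %d, .dsc says %d" % (name, size, want_size))
            continue
        digest = sha256_file(path)
        if digest != want_digest:
            problems.append("%s: sha256 mismatch (got %s)" % (name, digest))
    return problems


def write_sample_tree(directory):
    """Write the constructed .dsc and its files into directory; return the .dsc path."""
    for name, content in SAMPLE_FILES.items():
        with open(os.path.join(directory, name), "wb") as f:
            f.write(content)
    dsc_path = os.path.join(directory, "example_1.0-1.dsc")
    with open(dsc_path, "w", encoding="utf-8") as f:
        f.write(SAMPLE_DSC)
    return dsc_path


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        dsc = write_sample_tree(d)
        print("intact tree:", verify_dsc_checksums(dsc, d) or "OK")
        # Same-size tampering with the orig tarball: only the digest catches it.
        with open(os.path.join(d, "example_1.0.orig.tar.gz"), "wb") as f:
            f.write(b"hellO\n")
        print("tampered tree:", verify_dsc_checksums(dsc, d))
```

The order matters: a checksum that matches proves only that the tarball is the one the .dsc describes, and the .dsc is worth trusting only after its signature has been verified against a key you trust (gpg --verify, with the Debian keyrings from the debian-keyring package). Running this check on an unsigned or unverified .dsc gives no assurance at all.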
For Debian 6 Squeeze, these issues have been fixed in apt version 0.8.10.3+squeeze2.