USN-762-1: APT vulnerabilities

20 April 2009

apt vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 8.10
  • Ubuntu 8.04 LTS
  • Ubuntu 6.06 LTS

Software Description

  • apt

Details

Alexandre Martani discovered that the APT daily cron script did not check the return code of the date command. If a machine is configured for automatic updates and is in a time zone where DST occurs at midnight, under certain circumstances automatic updates might not be applied and could become permanently disabled. (CVE-2009-1300)

Michael Casadevall discovered that APT did not properly verify repositories signed with a revoked or expired key. If a repository were signed with only an expired or revoked key and the signature was otherwise valid, APT would consider the repository valid. (https://launchpad.net/bugs/356012)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 8.10
apt - 0.7.14ubuntu6.1
Ubuntu 8.04 LTS
apt - 0.7.9ubuntu17.2
Ubuntu 6.06 LTS
apt - 0.6.43.3ubuntu3.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system upgrade is sufficient to effect the necessary changes.

References