USN-762-1: APT vulnerabilities

Ubuntu Security Notice USN-762-1

20th April, 2009

apt vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 8.10
  • Ubuntu 8.04 LTS
  • Ubuntu 6.06 LTS

Software description

  • apt


Alexandre Martani discovered that the APT daily cron script did not check
the return code of the date command. If a machine is configured for
automatic updates and is in a time zone where DST occurs at midnight, under
certain circumstances automatic updates might not be applied and could
become permanently disabled. (CVE-2009-1300)

Michael Casadevall discovered that APT did not properly verify repositories
signed with a revoked or expired key. If a repository were signed with only
an expired or revoked key and the signature was otherwise valid, APT would
consider the repository valid. (

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 8.10:
apt 0.7.14ubuntu6.1
Ubuntu 8.04 LTS:
apt 0.7.9ubuntu17.2
Ubuntu 6.06 LTS:

To update your system, please follow these instructions:

In general, a standard system upgrade is sufficient to effect the
necessary changes.


CVE-2009-1300, LP: 356012