[USN-762-1] APT vulnerabilities
Date: Mon, 20 Apr 2009 16:39:54 -0500
From: Jamie Strandboge <jamie@canonical.com.>
To: [email protected]
Subject: [USN-762-1] APT vulnerabilities
Message-ID: <20090420213953.GD1216@severus.strandboge.com.>
Reply-To: Ubuntu Security <security@ubuntu.com.>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
protocol="application/pgp-signature"; boundary="UFHRwCdBEJvubb2X"
Content-Disposition: inline
User-Agent: Mutt/1.5.18 (2008-05-17)
X-Virus-Scanned: antivirus-gw at tyumen.ru
--UFHRwCdBEJvubb2X
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Ubuntu Security Notice USN-762-1 April 20, 2009
apt vulnerabilities
CVE-2009-1300, https://launchpad.net/bugs/356012
A security issue affects the following Ubuntu releases:
Ubuntu 6.06 LTS
Ubuntu 8.04 LTS
Ubuntu 8.10
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 6.06 LTS:
apt 0.6.43.3ubuntu3.1
Ubuntu 8.04 LTS:
apt 0.7.9ubuntu17.2
Ubuntu 8.10:
apt 0.7.14ubuntu6.1
In general, a standard system upgrade is sufficient to effect the
necessary changes.
Details follow:
Alexandre Martani discovered that the APT daily cron script did not check
the return code of the date command. If a machine is configured for
automatic updates and is in a time zone where DST occurs at midnight, under
certain circumstances automatic updates might not be applied and could
become permanently disabled. (CVE-2009-1300)
Michael Casadevall discovered that APT did not properly verify repositories
signed with a revoked or expired key. If a repository were signed with only
an expired or revoked key and the signature was otherwise valid, APT would
consider the repository valid. (https://launchpad.net/bugs/356012)
Updated packages for Ubuntu 6.06 LTS:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/a/apt/apt_0.6.43.3ubuntu3.1.dsc
Size/MD5: 815 7bd5e8e5e3ec2a595ac63b0deb39567d
http://security.ubuntu.com/ubuntu/pool/main/a/apt/apt_0.6.43.3ubuntu3.1.tar.gz
Size/MD5: 1635376 c112c3316f65f48161af677eca425b72
Architecture independent packages:
http://security.ubuntu.com/ubuntu/pool/main/a/apt/apt-doc_0.6.43.3ubuntu3.1_all.deb
Size/MD5: 88762 2d0f3301b4d8f7438ce1bab5211b7871
http://security.ubuntu.com/ubuntu/pool/main/a/apt/libapt-pkg-doc_0.6.43.3ubuntu3.1_all.deb
Size/MD5: 112106 ff1935f0c2eda8f7e64ef76e8b40a334
amd64 architecture (Athlon64, Opteron, EM64T Xeon):
http://security.ubuntu.com/ubuntu/pool/main/a/apt/apt-utils_0.6.43.3ubuntu3.1_amd64.deb
Size/MD5: 198046 222247db4056f04c24cf59d58dd07921
http://security.ubuntu.com/ubuntu/pool/main/a/apt/apt_0.6.43.3ubuntu3.1_amd64.deb
Size/MD5: 1307286 847fea71df818d1e412f0fe4da4d97f4
http://security.ubuntu.com/ubuntu/pool/main/a/apt/libapt-pkg-dev_0.6.43.3ubuntu3.1_amd64.deb
Size/MD5: 82346 32cc1d14f0a800a04ea972ee9cc09c35
i386 architecture (x86 compatible Intel/AMD):
http://security.ubuntu.com/ubuntu/pool/main/a/apt/apt-utils_0.6.43.3ubuntu3.1_i386.deb
Size/MD5: 191824 c989fc79d1c333d32593d0a1e09e6c9e
http://security.ubuntu.com/ubuntu/pool/main/a/apt/apt_0.6.43.3ubuntu3.1_i386.deb
Size/MD5: 1286556 33a08ac01b3ea5ec98915c7775cbae78
http://security.ubuntu.com/ubuntu/pool/main/a/apt/libapt-pkg-dev_0.6.43.3ubuntu3.1_i386.deb
Size/MD5: 82354 58c6d1f177506db5f612766f86a39ae8
powerpc architecture (Apple Macintosh G3/G4/G5):
http://security.ubuntu.com/ubuntu/pool/main/a/apt/apt-utils_0.6.43.3ubuntu3.1_powerpc.deb
Size/MD5: 206120 05806cb94c0919cbabe7c36f568b95be
http://security.ubuntu.com/ubuntu/pool/main/a/apt/apt_0.6.43.3ubuntu3.1_powerpc.deb
Size/MD5: 1322236 a8a27eed2eaf45874ef60a94cd95338f
http://security.ubuntu.com/ubuntu/pool/main/a/apt/libapt-pkg-dev_0.6.43.3ubuntu3.1_powerpc.deb
Size/MD5: 82352 1242f8afa4f0ccd6ee1105c8eb2c8189
sparc architecture (Sun SPARC/UltraSPARC):
http://security.ubuntu.com/ubuntu/pool/main/a/apt/apt-utils_0.6.43.3ubuntu3.1_sparc.deb
Size/MD5: 185654 81fb8e314d9ce565b4701e2e70920e5d
http://security.ubuntu.com/ubuntu/pool/main/a/apt/apt_0.6.43.3ubuntu3.1_sparc.deb
Size/MD5: 1278136 78ed071c9ff6a1ef9c3b25f413cf09d8
http://security.ubuntu.com/ubuntu/pool/main/a/apt/libapt-pkg-dev_0.6.43.3ubuntu3.1_sparc.deb
Size/MD5: 82350 1ace0d5bc3069dd09b7482b9ee1224d4
Updated packages for Ubuntu 8.04 LTS:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/a/apt/apt_0.7.9ubuntu17.2.dsc
Size/MD5: 1077 734b2b18ef88ab07d2cbefc96d2ec7c6
http://security.ubuntu.com/ubuntu/pool/main/a/apt/apt_0.7.9ubuntu17.2.tar.gz
Size/MD5: 2059249 28110553cb73a97610fd4f594d05f825
Architecture independent packages:
http://security.ubuntu.com/ubuntu/pool/main/a/apt/apt-doc_0.7.9ubuntu17.2_all.deb
Size/MD5: 102388 4c24b3d50e788a6877a19b5351931724
http://security.ubuntu.com/ubuntu/pool/main/a/apt/libapt-pkg-doc_0.7.9ubuntu17.2_all.deb
Size/MD5: 126022 1536598ae1840d4a472b716ddac58675
amd64 architecture (Athlon64, Opteron, EM64T Xeon):
http://security.ubuntu.com/ubuntu/pool/main/a/apt/apt-transport-https_0.7.9ubuntu17.2_amd64.deb
Size/MD5: 60922 334b1b59ccd8a30d7c4ffff2aaa11d2a
http://security.ubuntu.com/ubuntu/pool/main/a/apt/apt-utils_0.7.9ubuntu17.2_amd64.deb
Size/MD5: 201156 ffcdeb611993bb2e42b8882a3c8dd128
http://security.ubuntu.com/ubuntu/pool/main/a/apt/apt_0.7.9ubuntu17.2_amd64.deb
Size/MD5: 1661542 20ceb152039cfe106e9bd07883bb95ca
http://security.ubuntu.com/ubuntu/pool/main/a/apt/libapt-pkg-dev_0.7.9ubuntu17.2_amd64.deb
Size/MD5: 110742 15379525cd60139ff77a8ff3d73173c2
i386 architecture (x86 compatible Intel/AMD):
http://security.ubuntu.com/ubuntu/pool/main/a/apt/apt-transport-https_0.7.9ubuntu17.2_i386.deb
Size/MD5: 60572 a797ccfbb3cb6db64747279a81e97f5e
http://security.ubuntu.com/ubuntu/pool/main/a/apt/apt-utils_0.7.9ubuntu17.2_i386.deb
Size/MD5: 200662 d0684c82b7899bc8f0845882d4ec7ec5
http://security.ubuntu.com/ubuntu/pool/main/a/apt/apt_0.7.9ubuntu17.2_i386.deb
Size/MD5: 1651326 00509300a4d21a7363eeb18b088fe649
http://security.ubuntu.com/ubuntu/pool/main/a/apt/libapt-pkg-dev_0.7.9ubuntu17.2_i386.deb
Size/MD5: 110732 7002373bd97a2e7b7814c64e547a3dd7
lpia architecture (Low Power Intel Architecture):
http://ports.ubuntu.com/pool/main/a/apt/apt-transport-https_0.7.9ubuntu17.2_lpia.deb
Size/MD5: 60604 efab6116797ebfcdd67e8e00e772ed2b
http://ports.ubuntu.com/pool/main/a/apt/apt-utils_0.7.9ubuntu17.2_lpia.deb
Size/MD5: 204976 63c8bdeff7bedcd35817715529f04763
http://ports.ubuntu.com/pool/main/a/apt/apt_0.7.9ubuntu17.2_lpia.deb
Size/MD5: 1661196 3c6e11a2b565ba9c61c952865ebd4d05
http://ports.ubuntu.com/pool/main/a/apt/libapt-pkg-dev_0.7.9ubuntu17.2_lpia.deb
Size/MD5: 110742 4f4fcb6a7ad98596d15103304036482b
powerpc architecture (Apple Macintosh G3/G4/G5):
http://ports.ubuntu.com/pool/main/a/apt/apt-transport-https_0.7.9ubuntu17.2_powerpc.deb
Size/MD5: 63598 4eebb5cccf06f12ecd6c63752c0c1578
http://ports.ubuntu.com/pool/main/a/apt/apt-utils_0.7.9ubuntu17.2_powerpc.deb
Size/MD5: 223800 b92e7adf7c4778eb655074d758d81d7a
http://ports.ubuntu.com/pool/main/a/apt/apt_0.7.9ubuntu17.2_powerpc.deb
Size/MD5: 1741416 b0d2d4ac271d2a1dfff65620d69c5011
http://ports.ubuntu.com/pool/main/a/apt/libapt-pkg-dev_0.7.9ubuntu17.2_powerpc.deb
Size/MD5: 110738 985d6c3a5e2d428c23b20ad87e22fa98
sparc architecture (Sun SPARC/UltraSPARC):
http://ports.ubuntu.com/pool/main/a/apt/apt-transport-https_0.7.9ubuntu17.2_sparc.deb
Size/MD5: 62628 939635e33e5114378f248fb905d699d4
http://ports.ubuntu.com/pool/main/a/apt/apt-utils_0.7.9ubuntu17.2_sparc.deb
Size/MD5: 210734 cb19c4960897279ca8070f8433f6c430
http://ports.ubuntu.com/pool/main/a/apt/apt_0.7.9ubuntu17.2_sparc.deb
Size/MD5: 1697440 3c338bbf986e77fe26aad92d418177f5
http://ports.ubuntu.com/pool/main/a/apt/libapt-pkg-dev_0.7.9ubuntu17.2_sparc.deb
Size/MD5: 110734 7a7e661a0893991b66129756a8e7ac62
Updated packages for Ubuntu 8.10:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/a/apt/apt_0.7.14ubuntu6.1.dsc
Size/MD5: 1301 a199f18a4c6d8f81e681d8b4717aca83
http://security.ubuntu.com/ubuntu/pool/main/a/apt/apt_0.7.14ubuntu6.1.tar.gz
Size/MD5: 2087028 d1a8a1a947b8ed32ae67ff2b1766972b
Architecture independent packages:
http://security.ubuntu.com/ubuntu/pool/main/a/apt/apt-doc_0.7.14ubuntu6.1_all.deb
Size/MD5: 105912 1156d043e305781cccfffabd350944a4
http://security.ubuntu.com/ubuntu/pool/main/a/apt/libapt-pkg-doc_0.7.14ubuntu6.1_all.deb
Size/MD5: 129694 6e37092150f9e78e08d87eed898b7fd3
amd64 architecture (Athlon64, Opteron, EM64T Xeon):
http://security.ubuntu.com/ubuntu/pool/main/a/apt/apt-transport-https_0.7.14ubuntu6.1_amd64.deb
Size/MD5: 65050 ee5f86eb8d9491694e56e37af35ef795
http://security.ubuntu.com/ubuntu/pool/main/a/apt/apt-utils_0.7.14ubuntu6.1_amd64.deb
Size/MD5: 199386 6f7c5d095116ddcc7ecca423eeef6d36
http://security.ubuntu.com/ubuntu/pool/main/a/apt/apt_0.7.14ubuntu6.1_amd64.deb
Size/MD5: 1679816 1d94ef488c90eadd4b670f5018d55efa
http://security.ubuntu.com/ubuntu/pool/main/a/apt/libapt-pkg-dev_0.7.14ubuntu6.1_amd64.deb
Size/MD5: 113212 1b00bde13cd452887ad1a1c8b2dc194f
i386 architecture (x86 compatible Intel/AMD):
http://security.ubuntu.com/ubuntu/pool/main/a/apt/apt-transport-https_0.7.14ubuntu6.1_i386.deb
Size/MD5: 64352 fae78e897308809945047e35f0ae1fde
http://security.ubuntu.com/ubuntu/pool/main/a/apt/apt-utils_0.7.14ubuntu6.1_i386.deb
Size/MD5: 194720 f5d62c304ff4b311c0d728baf520dfcf
http://security.ubuntu.com/ubuntu/pool/main/a/apt/apt_0.7.14ubuntu6.1_i386.deb
Size/MD5: 1671518 6d69e2e48da97da8bc8cfd44571e2dc7
http://security.ubuntu.com/ubuntu/pool/main/a/apt/libapt-pkg-dev_0.7.14ubuntu6.1_i386.deb
Size/MD5: 113224 418e77bde363f964972459af1f1901ef
lpia architecture (Low Power Intel Architecture):
http://ports.ubuntu.com/pool/main/a/apt/apt-transport-https_0.7.14ubuntu6.1_lpia.deb
Size/MD5: 64506 8571fec494be7c33105aae9d61dfd278
http://ports.ubuntu.com/pool/main/a/apt/apt-utils_0.7.14ubuntu6.1_lpia.deb
Size/MD5: 198090 e0046bc9a04b33ebf4873b7820c9e4f6
http://ports.ubuntu.com/pool/main/a/apt/apt_0.7.14ubuntu6.1_lpia.deb
Size/MD5: 1683654 d73988711f6c3004ea6798a43212c5d4
http://ports.ubuntu.com/pool/main/a/apt/libapt-pkg-dev_0.7.14ubuntu6.1_lpia.deb
Size/MD5: 113218 37846a44f405cebdd8b397a0a0df83b7
powerpc architecture (Apple Macintosh G3/G4/G5):
http://ports.ubuntu.com/pool/main/a/apt/apt-transport-https_0.7.14ubuntu6.1_powerpc.deb
Size/MD5: 66804 22d1c770a9797eb078be75cfb739bcb3
http://ports.ubuntu.com/pool/main/a/apt/apt-utils_0.7.14ubuntu6.1_powerpc.deb
Size/MD5: 214368 4bfba90ea5b562181159a0ecc017d89c
http://ports.ubuntu.com/pool/main/a/apt/apt_0.7.14ubuntu6.1_powerpc.deb
Size/MD5: 1750934 679a4b4f110d764313cb1b0e9eb6b3cb
http://ports.ubuntu.com/pool/main/a/apt/libapt-pkg-dev_0.7.14ubuntu6.1_powerpc.deb
Size/MD5: 113232 f8a9901e860cf56639af7caebca9c94c
sparc architecture (Sun SPARC/UltraSPARC):
http://ports.ubuntu.com/pool/main/a/apt/apt-transport-https_0.7.14ubuntu6.1_sparc.deb
Size/MD5: 66208 7924ea4b95710fd51e637a159cb9de11
http://ports.ubuntu.com/pool/main/a/apt/apt-utils_0.7.14ubuntu6.1_sparc.deb
Size/MD5: 198350 85c7421f00b5aef8475ea79a9149212f
http://ports.ubuntu.com/pool/main/a/apt/apt_0.7.14ubuntu6.1_sparc.deb
Size/MD5: 1689062 2bb88bdd6d0a4531331796f89308d59b
http://ports.ubuntu.com/pool/main/a/apt/libapt-pkg-dev_0.7.14ubuntu6.1_sparc.deb
Size/MD5: 113214 e568d25da02b2af9378eb95106ca0272
--UFHRwCdBEJvubb2X
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkns66kACgkQW0JvuRdL8Bo96QCgnE5t9wJtxK6JB+xak8JSSceI
utkAoIZ/3NU98cYt9JPo/+PfM5VvDoM2
=WV4P
-----END PGP SIGNATURE-----
--UFHRwCdBEJvubb2X--