oss-sec mailing list archives
Re: CVE request: apt
From: Jamie Strandboge <jamie () canonical com>
Date: Fri, 17 Apr 2009 11:19:01 -0500
On Wed, 08 Apr 2009, Jamie Strandboge wrote:
> Summary
> -------
> Systems in certain timezones with automatic updates enabled won't be upgraded on the first day of DST and some systems in affected timezones could end up with automatic updates being disabled permanently. Normal usage of apt is not affected.
In addition to my original request, can we have one more for this bug:

https://launchpad.net/bugs/356012
"APT does not properly handle expired or revoked key signatures"

This affects apt < 0.7.21. Basically, if a repository is signed with only a revoked or expired key, and gpgv reports VALIDSIG, apt considers it to be properly signed. apt should check for GOODSIG, not VALIDSIG. Patch is in the bug and this is already fixed in Debian sid and Ubuntu 9.04.

Jamie

--
Jamie Strandboge | http://www.canonical.com
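
The difference between the two checks described in the message above, as an added example that is not apt's code and not part of the original post: it parses constructed gpgv `--status-fd` output and applies a VALIDSIG-based and a GOODSIG-based acceptance rule. The function names, key ID, fingerprint and abbreviated VALIDSIG fields are assumptions made for illustration.

```cpp
#include <initializer_list>
#include <iostream>
#include <sstream>
#include <string>

// Counts of the gpgv status keywords that matter for this bug.
struct SigSummary { int good = 0, valid = 0, expired = 0, revoked = 0; };

SigSummary summarize(const std::string &status) {
    static const std::string prefix = "[GNUPG:] ";
    SigSummary s;
    std::istringstream in(status);
    std::string line;
    while (std::getline(in, line)) {
        if (line.compare(0, prefix.size(), prefix) != 0) continue;  // not a status line
        std::istringstream fields(line.substr(prefix.size()));
        std::string keyword;
        fields >> keyword;
        if (keyword == "GOODSIG") ++s.good;            // good signature, usable key
        else if (keyword == "VALIDSIG") ++s.valid;     // signature verifies cryptographically
        else if (keyword == "EXPKEYSIG") ++s.expired;  // signature made by an expired key
        else if (keyword == "REVKEYSIG") ++s.revoked;  // signature made by a revoked key
    }
    return s;
}

// Check the message describes for apt < 0.7.21: any VALIDSIG is enough.
bool accept_on_validsig(const SigSummary &s) { return s.valid > 0; }
// Check the message asks for: at least one GOODSIG is required.
bool accept_on_goodsig(const SigSummary &s) { return s.good > 0; }

// Constructed status output for one signature; key ID and fingerprint are
// placeholders and the VALIDSIG line is abbreviated.
std::string sample(const std::string &keyword) {
    return "[GNUPG:] " + keyword + " 89ABCDEF01234567 Example Archive Key\n"
           "[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2009-04-01 1238544000\n";
}

int main() {
    for (const char *kw : {"GOODSIG", "EXPKEYSIG", "REVKEYSIG"}) {
        SigSummary s = summarize(sample(kw));
        std::cout << kw << ": VALIDSIG check "
                  << (accept_on_validsig(s) ? "accepts" : "rejects") << ", GOODSIG check "
                  << (accept_on_goodsig(s) ? "accepts" : "rejects") << "\n";
    }
    return 0;
}
```

Because the GOODSIG rule only needs one usable signature, a repository signed by both an expired key and a current key still passes; only the "signed with only a revoked or expired key" case changes outcome.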