USN-762-1: APT vulnerabilities

Ubuntu Security Notice USN-762-1

20th April, 2009

apt vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 8.10
  • Ubuntu 8.04 LTS
  • Ubuntu 6.06 LTS

Software description

  • apt

Details

Alexandre Martani discovered that the APT daily cron script did not check
the return code of the date command. If a machine is configured for
automatic updates and is in a time zone where DST occurs at midnight, under
certain circumstances automatic updates might not be applied and could
become permanently disabled. (CVE-2009-1300)

Michael Casadevall discovered that APT did not properly verify repositories
signed with a revoked or expired key. If a repository were signed with only
an expired or revoked key and the signature was otherwise valid, APT would
consider the repository valid. (https://launchpad.net/bugs/356012)
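
The check the second issue calls for, as an added example (not APT's own code): a shell function, under the hypothetical name release_sig_verdict, that reads the status lines printed by `gpgv --status-fd` and counts only GOODSIG as proof of a usable signature, so EXPKEYSIG or REVKEYSIG alone never yields a trusted repository. The sample status lines, key IDs and the accept policy are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the machine-readable status that
# `gpgv --status-fd 1` prints for a repository Release signature.
# Reads status lines on stdin, prints a verdict, returns 0 only if trusted.
release_sig_verdict() {
    good=0 expired=0 revoked=0 bad=0
    while read -r prefix keyword _rest; do
        # Only lines from GnuPG's status interface are considered.
        [ "$prefix" = "[GNUPG:]" ] || continue
        case "$keyword" in
            GOODSIG)   good=$((good + 1)) ;;        # valid signature, usable key
            EXPKEYSIG) expired=$((expired + 1)) ;;  # valid signature, expired key
            REVKEYSIG) revoked=$((revoked + 1)) ;;  # valid signature, revoked key
            BADSIG)    bad=$((bad + 1)) ;;          # signature does not verify
        esac
    done
    if [ "$bad" -gt 0 ]; then
        echo "untrusted: bad signature"; return 1
    fi
    if [ "$good" -gt 0 ]; then
        echo "trusted: $good good signature(s)"; return 0
    fi
    if [ $((expired + revoked)) -gt 0 ]; then
        echo "untrusted: signed only by expired or revoked key(s)"; return 1
    fi
    echo "untrusted: no usable signature"; return 1
}

# Constructed sample status output (key IDs and names are made up).
SAMPLE_GOOD='[GNUPG:] GOODSIG 0123456789ABCDEF Example Archive Key <archive@example.org>'
SAMPLE_EXPIRED='[GNUPG:] EXPKEYSIG 0123456789ABCDEF Example Archive Key <archive@example.org>'
SAMPLE_REVOKED='[GNUPG:] REVKEYSIG FEDCBA9876543210 Old Archive Key <old@example.org>'

for sample in "$SAMPLE_GOOD" "$SAMPLE_EXPIRED" "$SAMPLE_REVOKED"; do
    printf '%s\n' "$sample" | release_sig_verdict || true
done
```

A repository signed by both an expired key and a current key is still reported as trusted, because one GOODSIG is enough under this policy.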

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 8.10:
apt 0.7.14ubuntu6.1
Ubuntu 8.04 LTS:
apt 0.7.9ubuntu17.2
Ubuntu 6.06 LTS:
apt 0.6.43.3ubuntu3.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system upgrade is sufficient to effect the
necessary changes.

References

CVE-2009-1300, LP: 356012