Bug 35948

Summary: apt: Multiple issues (3.2)
Product: UCS
Reporter: Moritz Muehlenhoff <jmm>
Component: Security updates
Assignee: Janek Walkenhorst <walkenhorst>
Status: CLOSED FIXED
QA Contact: Philipp Hahn <hahn>
Severity: normal
Priority: P1
CC: gohmann
Version: UCS 3.2
Target Milestone: UCS 3.2-3-errata
Hardware: Other
OS: Linux
Bug Depends on:
Bug Blocks: 35969

Description Moritz Muehlenhoff univentionstaff 2014-09-17 12:06:01 CEST
Multiple issues have been found in the implementation of Secure Apt:

Incorrect handling of 304 replies (CVE-2014-0487)
Incorrect invalidation when switching between authenticated and unauthenticated sources (CVE-2014-0488)
Missing verification when using Acquire::Gzip indexes (CVE-2014-0489)

One issue (CVE-2014-0490) doesn't apply to UCS 3.2; the affected code isn't present yet.
Comment 1 Janek Walkenhorst univentionstaff 2014-09-17 19:04:38 CEST
Advisory: 2014-09-17-apt.yaml
Tests (amd64): OK
Comment 2 Philipp Hahn univentionstaff 2014-09-18 10:31:23 CEST
OK: r13584 r13585
OK: diff -U 3.1-0-0-ucs/0.8.10.3+squeeze1 3.2-0-0-ucs/0.8.10.3+squeeze3-errata3.2-3

OK: apt-cache policy apt # 0.8.10.3.60.201409171430
OK: apt-get upgrade # amd64
OK: zless /usr/share/doc/apt/changelog.gz
OK: aptitude install '?source-package(apt)?installed' # i386
OK: apt-get update ; apt-get upgrade ; apt-get dist-upgrade

OK: r53744
OK: /usr/sbin/announce_errata -V ~/GIT/branches/ucs-3.2/ucs-3.2-3/doc/errata/staging/2014-09-17-apt.yaml
Comment 3 Moritz Muehlenhoff univentionstaff 2014-09-19 09:49:48 CEST
A regression was found in the initial fix:
https://lists.debian.org/debian-security-announce/2014/msg00216.html
Comment 4 Janek Walkenhorst univentionstaff 2014-09-19 16:35:17 CEST
(In reply to Moritz Muehlenhoff from comment #3)
> A regression was found in the initial fix:
> https://lists.debian.org/debian-security-announce/2014/msg00216.html

Added 30_CVE-2014-0487_regression.patch
Updated 2014-09-17-apt.yaml

Tests (amd64): OK
Comment 5 Philipp Hahn univentionstaff 2014-09-19 17:04:48 CEST
OK: r13587

OK: apt-cache policy apt # 0.8.10.3.61.201409191614
OK: aptitude install '?source-package(apt)?installed'
OK: zless /usr/share/doc/apt/changelog.gz
   30_CVE-2014-0487_regression
OK: apt-get update ; apt-get upgrade ; apt-get dist-upgrade

OK: announce_errata -V 2014-09-17-apt.yaml
OK: 2014-09-17-apt.yaml

NOT-CHECKED: ucr set repository/online/unmaintained=yes repository/online/sources=yes update/secure_apt=no ; apt-get update ; apt-get install dpkg-dev ; apt-get source apt ; apt-get build-dep apt ; apt-0.8.10.3.61.201409191614/test/integration/test-apt-update-file
Comment 6 Janek Walkenhorst univentionstaff 2014-09-19 17:57:06 CEST
http://errata.univention.de/ucs/3.2/209.html