Univention Bugzilla – Bug 35948
apt: Multiple issues (3.2)
Last modified: 2014-09-22 06:36:18 CEST
Multiple issues have been found in the implementation of Secure Apt:
Incorrect handling of 304 replies (CVE-2014-0487)
Incorrect invalidation when switching between authenticated and unauthenticated sources (CVE-2014-0488)
Missing verification when using Acquire::Gzip indexes (CVE-2014-0489)
One issue (CVE-2014-0490) doesn't apply to UCS 3.2; the affected code isn't present yet.
Advisory: 2014-09-17-apt.yaml Tests (amd64): OK
OK: r13584 r13585
OK: diff -U 3.1-0-0-ucs/0.8.10.3+squeeze1 3.2-0-0-ucs/0.8.10.3+squeeze3-errata3.2-3
OK: apt-cache policy apt # 0.8.10.3.60.201409171430
OK: apt-get upgrade # amd64
OK: zless /usr/share/doc/apt/changelog.gz
OK: aptitude install '?source-package(apt)?installed' # i386
OK: apt-get update ; apt-get upgrade ; apt-get dist-upgrade
OK: r53744
OK: /usr/sbin/announce_errata -V ~/GIT/branches/ucs-3.2/ucs-3.2-3/doc/errata/staging/2014-09-17-apt.yaml
A regression was found in the initial fix: https://lists.debian.org/debian-security-announce/2014/msg00216.html
(In reply to Moritz Muehlenhoff from comment #3)
> A regression was found in the initial fix:
> https://lists.debian.org/debian-security-announce/2014/msg00216.html
Added 30_CVE-2014-0487_regression.patch
Updated 2014-09-17-apt.yaml
Tests (amd64): OK
OK: r13587
OK: apt-cache policy apt # 0.8.10.3.61.201409191614
OK: aptitude install '?source-package(apt)?installed'
OK: zless /usr/share/doc/apt/changelog.gz # 30_CVE-2014-0487_regression
OK: apt-get update ; apt-get upgrade ; apt-get dist-upgrade
OK: announce_errata -V 2014-09-17-apt.yaml
OK: 2014-09-17-apt.yaml
NOT-CHECKED: ucr set repository/online/unmaintained=yes repository/online/sources=yes update/secure_apt=no ; apt-get update ; apt-get install dpkg-dev ; apt-get source apt ; apt-get build-dep apt ; apt-0.8.10.3.61.201409191614/test/integration/test-apt-update-file
http://errata.univention.de/ucs/3.2/209.html