Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 17 Apr 2009 11:19:01 -0500
From: Jamie Strandboge <>
Subject: Re: CVE request: apt

On Wed, 08 Apr 2009, Jamie Strandboge wrote:

> Summary
> -------
> Systems in certain timezones with automatic updates enabled won't be
> upgraded on the first day of DST and some systems in affected timezones
> could end up with automatic updates being disabled permanently. Normal
> usage of apt is not affected.

In addition to my original request, can we have one more for this bug:

"APT does not properly handle expired or revoked key signatures". This
affects apt < 0.7.21.

Basically, if a repository is signed with only a revoked or expired key,
and gpgv reports VALIDSIG, apt considers it to be properly signed. apt
should check for GOODSIG, not VALIDSIG. Patch is in the bug and this is
already fixed in Debian sid and Ubuntu 9.04.


Jamie Strandboge             |

Download attachment "signature.asc" of type "application/pgp-signature" (198 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.