/etc/cron.daily/apt does not check return code of date

Related Vulnerabilities: CVE-2009-1300  

Debian Bug report logs - #523213
/etc/cron.daily/apt does not check return code of date


Package: apt; Maintainer for apt is APT Development Team <deity@lists.debian.org>; Source for apt is src:apt (PTS, buildd, popcon).

Reported by: Jamie Strandboge <jamie@ubuntu.com>

Date: Wed, 8 Apr 2009 22:42:01 UTC

Severity: grave

Tags: patch, security

Found in version apt/0.7.20.2

Fixed in versions 0.7.21, apt/0.7.20.2+lenny1, apt/0.6.46.4-0.1+etch4, apt/0.7.20.2+squeeze1

Done: Michael Vogt <mvo@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, APT Development Team <deity@lists.debian.org>:
Bug#523213; Package apt. (Wed, 08 Apr 2009 22:42:03 GMT) (full text, mbox, link).


Acknowledgement sent to Jamie Strandboge <jamie@ubuntu.com>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, APT Development Team <deity@lists.debian.org>. (Wed, 08 Apr 2009 22:42:03 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Jamie Strandboge <jamie@ubuntu.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: /etc/cron.daily/apt does not check return code of date
Date: Wed, 08 Apr 2009 17:39:37 -0500
[Message part 1 (text/plain, inline)]
Package: apt
Version: 0.7.20.2
Severity: grave
Tags: security patch
Justification: user security hole

The following is also being sent to oss-security@lists.openwall.com for
a CVE request.

Summary
-------
Systems in certain timezones with automatic updates enabled won't be
upgraded on the first day of DST and some systems in affected timezones
could end up with automatic updates being disabled permanently. Normal
usage of apt is not affected.

Discovery credited to: Alexandre Martani

Public bug: https://launchpad.net/bugs/354793

The Problem
-----------
The problem arises because the date command errors out on dates/times
that are invalid. Eg, DST starts at 03:00 in the Central time zone of
the US:

$ date --date="2009-03-08 02:00:00"
date: invalid date `2009-03-08 02:00:00'

This is fine and in and of itself not a problem. However,
/etc/cron.daily/apt has:
    stamp=$(date --date=$(date -r $stamp --iso-8601) +%s)
    now=$(date --date=$(date --iso-8601) +%s)

'--iso-8601' creates dates of the form YYYY-MM-DD. Since this is then
fed into the date command, the hour, minute and second all default to
0. Some timezones start their DST at midnight, with America/Sao_Paulo as
one example. Eg, on a system configured to use the America/Sao_Paulo
timezone:

$ date --date=2009-10-18
date: invalid date `2009-10-18'

This condition causes 'delta=$(($now-$stamp))' in check_stamp() to fail
when $stamp is empty (returning non-zero) or for when $now is empty,
'$delta -ge $interval' evaluates to false because delta is negative
(return non-zero). Either condition results in all or part of the
automatic update process to not be performed.

Affected Users
--------------
For users in timezones with DST starting at midnight with automatic
updates enabled, this can lead to the following error conditions:

1. /etc/cron.daily/apt is run on the first day of the DST, resulting in
'$delta -ge $interval' being negative because 'now' is empty and the
automatic update is not run. The timestamps are not updated, so the
automatic update will occur normally the following day.

2. /etc/cron.daily/apt is run late in the day on the day prior to DST
(eg 23:59 on 2009-10-17) and finishes on the day of DST (eg one minute
later, at 01:00 on 2009-10-18). This will update the stamp files to have
the date of the DST. At this point, apt cannot recover and automatic
updates are disabled until manually updating/removing the stamp files.

3. A user is using a non-affected timezone and has /etc/cron.daily/apt run
normally on the day of the DST. Sometime after that, but before
/etc/cron.daily/apt runs again, the user changes her timezone to an
affected timezone. At this point, apt cannot recover and automatic
updates are disabled until manually updating/removing the stamp files.

While all users in scenario '1' are affected, they will eventually get
their updates. Though the number of users in '2' and especially '3' is
presumed low, the impact for these users is very high, since the
expected, automatic security updates will never be applied.


The Fix
-------
The fix is simply to check the return codes of date, and return '0' if
the date for 'now' fails, and remove the bad stamp file and return '0'
if the date for 'stamp' fails. A patch is attached to the Ubuntu bug,
though I have contacted the Debian and Ubuntu maintainer directly and he
is working on an update for the development releases of Debian and
Ubuntu.

Thanks,
Jamie


-- Package-specific info:

-- (no /etc/apt/preferences present) --


-- (/etc/apt/sources.list present, but not submitted) --


-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.28-11-generic (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash

Versions of packages apt depends on:
ii  debian-archive-keyring        2009.01.31 GnuPG archive keys of the Debian a
ii  libc6                         2.9-7      GNU C Library: Shared libraries
ii  libgcc1                       1:4.3.3-5  GCC support library
ii  libstdc++6                    4.3.3-5    The GNU Standard C++ Library v3

apt recommends no packages.

Versions of packages apt suggests:
pn  apt-doc                       <none>     (no description available)
pn  aptitude | synaptic | gnome-a <none>     (no description available)
ii  bzip2                         1.0.5-1    high-quality block-sorting file co
ii  dpkg-dev                      1.14.25    Debian package development tools
ii  lzma                          4.43-14    Compression method of 7z format in
pn  python-apt                    <none>     (no description available)

-- no debconf information
[354793_v2.patch (text/x-diff, attachment)]
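
The failure mode and the fix described in the report above, replayed as an added example (this is not the apt cron script and not the attached patch). Assumptions: `to_epoch` is a constructed stub standing in for `date --date=DAY +%s` on an America/Sao_Paulo host, the stamp day is kept in the stamp file's content rather than its mtime, and the names `check_stamp_unchecked`, `check_stamp_checked` and `replay` are hypothetical.

```shell
#!/bin/sh
# Added illustration; not the apt project's code.

# to_epoch DAY: constructed stand-in for `date --date=DAY +%s` on a host set
# to America/Sao_Paulo, where local midnight on 2009-10-18 does not exist.
# A stub keeps the demo independent of the host's tzdata and clock.
to_epoch() {
    case "$1" in
        2009-10-17) echo 1255748400 ;;
        2009-10-18) echo "date: invalid date \`$1'" >&2; return 1 ;;
        2009-10-19) echo 1255917600 ;;
        2009-10-20) echo 1256004000 ;;
        *) return 1 ;;
    esac
}

# Both checks return 0 when the update job should run, non-zero to skip it.
# Assumption: the stamp file holds the day of the last run as YYYY-MM-DD.

# Unchecked variant: the result of the date conversion is used blindly.
check_stamp_unchecked() {
    stampfile=$1; today=$2; interval=$3
    stamp=$(to_epoch "$(cat "$stampfile")" 2>/dev/null)   # may be empty
    now=$(to_epoch "$today" 2>/dev/null)                  # may be empty
    # Subshell: with an empty $stamp, "$((now-))" is a syntax error that
    # would otherwise abort the calling script in some shells. With an
    # empty $now the delta is negative. Both cases yield non-zero (skip).
    ( delta=$(($now-$stamp)); [ "$delta" -ge "$interval" ] ) 2>/dev/null
}

# Checked variant, following the fix described in the report: test the
# exit status of each conversion and fail open so the job still runs.
check_stamp_checked() {
    stampfile=$1; today=$2; interval=$3
    [ -f "$stampfile" ] || return 0          # no stamp yet: run the job
    if ! stamp=$(to_epoch "$(cat "$stampfile")" 2>/dev/null); then
        rm -f "$stampfile"                   # unusable stamp: drop it
        return 0
    fi
    if ! now=$(to_epoch "$today" 2>/dev/null); then
        return 0                             # "now" unusable: run anyway
    fi
    delta=$((now - stamp))
    [ "$delta" -ge "$interval" ]
}

# replay CHECK STAMP_DAY: simulate three consecutive daily cron runs,
# starting on the DST day, with a stamp that initially holds STAMP_DAY.
# Prints one letter per day: R = update runs, S = update skipped.
replay() {
    check=$1; stamp_day=$2
    dir=$(mktemp -d) || return 1
    echo "$stamp_day" > "$dir/update-stamp"
    out=
    for today in 2009-10-18 2009-10-19 2009-10-20; do
        if "$check" "$dir/update-stamp" "$today" 86400; then
            out="${out}R"
            echo "$today" > "$dir/update-stamp"   # job ran: refresh stamp
        else
            out="${out}S"
        fi
    done
    rm -rf "$dir"
    echo "$out"
}

# Scenario 1 in the report: a good stamp, cron runs on the DST day.
echo "unchecked, stamp 2009-10-17: $(replay check_stamp_unchecked 2009-10-17)"
# Scenarios 2 and 3: the stamp itself carries the DST day.
echo "unchecked, stamp 2009-10-18: $(replay check_stamp_unchecked 2009-10-18)"
echo "checked,   stamp 2009-10-17: $(replay check_stamp_checked 2009-10-17)"
echo "checked,   stamp 2009-10-18: $(replay check_stamp_checked 2009-10-18)"
```
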

Information forwarded to debian-bugs-dist@lists.debian.org, APT Development Team <deity@lists.debian.org>:
Bug#523213; Package apt. (Thu, 09 Apr 2009 07:36:06 GMT) (full text, mbox, link).


Acknowledgement sent to Michael Vogt <mvo@debian.org>:
Extra info received and forwarded to list. Copy sent to APT Development Team <deity@lists.debian.org>. (Thu, 09 Apr 2009 07:36:07 GMT) (full text, mbox, link).


Message #10 received at 523213@bugs.debian.org (full text, mbox, reply):

From: Michael Vogt <mvo@debian.org>
To: Jamie Strandboge <jamie@ubuntu.com>, 523213@bugs.debian.org
Subject: Re: Bug#523213: /etc/cron.daily/apt does not check return code of date
Date: Thu, 9 Apr 2009 09:24:07 +0200
On Wed, Apr 08, 2009 at 05:39:37PM -0500, Jamie Strandboge wrote:
> Package: apt
> Version: 0.7.20.2
> Severity: grave
> Tags: security patch
> Justification: user security hole
[..]

Thanks for the bugreport and the patch. I merged the patch into the
debian-sid bzr branch.

Cheers,
 Michael
 




Reply sent to Thijs Kinkhorst <thijs@debian.org>:
You have taken responsibility. (Thu, 16 Apr 2009 18:45:06 GMT) (full text, mbox, link).


Notification sent to Jamie Strandboge <jamie@ubuntu.com>:
Bug acknowledged by developer. (Thu, 16 Apr 2009 18:45:06 GMT) (full text, mbox, link).


Message #15 received at 523213-done@bugs.debian.org (full text, mbox, reply):

From: Thijs Kinkhorst <thijs@debian.org>
To: 523213-done@bugs.debian.org
Subject: fixed in 0.7.21
Date: Thu, 16 Apr 2009 20:43:12 +0200
[Message part 1 (text/plain, inline)]
Version: 0.7.21

According to the bug- and changelog, this has been fixed in the recent 0.7.21 
upload:

   [ Jamie Strandboge ]
   * apt.cron.daily: catch invalid dates due to DST time changes
     in the stamp files


cheers,
Thijs
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, APT Development Team <deity@lists.debian.org>:
Bug#523213; Package apt. (Sat, 18 Apr 2009 11:09:02 GMT) (full text, mbox, link).


Acknowledgement sent to Thijs Kinkhorst <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to APT Development Team <deity@lists.debian.org>. (Sat, 18 Apr 2009 11:09:02 GMT) (full text, mbox, link).


Message #20 received at 523213@bugs.debian.org (full text, mbox, reply):

From: Thijs Kinkhorst <thijs@debian.org>
To: 523213@bugs.debian.org
Subject: CVE name assigned
Date: Sat, 18 Apr 2009 13:07:33 +0200
[Message part 1 (text/plain, inline)]
This is CVE-2009-1300.
Please add it in the relevant package changelog.
[signature.asc (application/pgp-signature, inline)]

Reply sent to Michael Vogt <mvo@debian.org>:
You have taken responsibility. (Sat, 02 May 2009 13:57:10 GMT) (full text, mbox, link).


Notification sent to Jamie Strandboge <jamie@ubuntu.com>:
Bug acknowledged by developer. (Sat, 02 May 2009 13:57:10 GMT) (full text, mbox, link).


Message #25 received at 523213-close@bugs.debian.org (full text, mbox, reply):

From: Michael Vogt <mvo@debian.org>
To: 523213-close@bugs.debian.org
Subject: Bug#523213: fixed in apt 0.7.20.2+lenny1
Date: Sat, 02 May 2009 13:53:45 +0000
Source: apt
Source-Version: 0.7.20.2+lenny1

We believe that the bug you reported is fixed in the latest version of
apt, which is due to be installed in the Debian FTP archive:

apt-doc_0.7.20.2+lenny1_all.deb
  to pool/main/a/apt/apt-doc_0.7.20.2+lenny1_all.deb
apt-transport-https_0.7.20.2+lenny1_i386.deb
  to pool/main/a/apt/apt-transport-https_0.7.20.2+lenny1_i386.deb
apt-utils_0.7.20.2+lenny1_i386.deb
  to pool/main/a/apt/apt-utils_0.7.20.2+lenny1_i386.deb
apt_0.7.20.2+lenny1.dsc
  to pool/main/a/apt/apt_0.7.20.2+lenny1.dsc
apt_0.7.20.2+lenny1.tar.gz
  to pool/main/a/apt/apt_0.7.20.2+lenny1.tar.gz
apt_0.7.20.2+lenny1_i386.deb
  to pool/main/a/apt/apt_0.7.20.2+lenny1_i386.deb
libapt-pkg-dev_0.7.20.2+lenny1_i386.deb
  to pool/main/a/apt/libapt-pkg-dev_0.7.20.2+lenny1_i386.deb
libapt-pkg-doc_0.7.20.2+lenny1_all.deb
  to pool/main/a/apt/libapt-pkg-doc_0.7.20.2+lenny1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 523213@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Vogt <mvo@debian.org> (supplier of updated apt package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.8
Date: Sun, 19 Apr 2009 21:23:46 +0200
Source: apt
Binary: apt apt-doc libapt-pkg-dev libapt-pkg-doc apt-utils apt-transport-https
Architecture: source all i386
Version: 0.7.20.2+lenny1
Distribution: stable-security
Urgency: high
Maintainer: APT Development Team <deity@lists.debian.org>
Changed-By: Michael Vogt <mvo@debian.org>
Description: 
 apt        - Advanced front-end for dpkg
 apt-doc    - Documentation for APT
 apt-transport-https - APT https transport
 apt-utils  - APT utility programs
 libapt-pkg-dev - Development files for APT's libapt-pkg and libapt-inst
 libapt-pkg-doc - Documentation for APT development
Closes: 433091 523213
Changes: 
 apt (0.7.20.2+lenny1) stable-security; urgency=high
 .
   * debian/apt.cron.daily:
     - fix possible DST timestamp releated auto-update problem
       (CVE-2009-1300, closes: #523213)
   * methods/gpgv.cc:
     - properly check for expired and revoked keys (closes: #433091)





Reply sent to Michael Vogt <mvo@debian.org>:
You have taken responsibility. (Sat, 02 May 2009 20:00:18 GMT) (full text, mbox, link).


Notification sent to Jamie Strandboge <jamie@ubuntu.com>:
Bug acknowledged by developer. (Sat, 02 May 2009 20:00:18 GMT) (full text, mbox, link).


Message #30 received at 523213-close@bugs.debian.org (full text, mbox, reply):

From: Michael Vogt <mvo@debian.org>
To: 523213-close@bugs.debian.org
Subject: Bug#523213: fixed in apt 0.6.46.4-0.1+etch4
Date: Sat, 02 May 2009 19:54:46 +0000
Source: apt
Source-Version: 0.6.46.4-0.1+etch4

We believe that the bug you reported is fixed in the latest version of
apt, which is due to be installed in the Debian FTP archive:

apt-doc_0.6.46.4-0.1+etch4_all.deb
  to pool/main/a/apt/apt-doc_0.6.46.4-0.1+etch4_all.deb
apt-utils_0.6.46.4-0.1+etch4_i386.deb
  to pool/main/a/apt/apt-utils_0.6.46.4-0.1+etch4_i386.deb
apt_0.6.46.4-0.1+etch4.dsc
  to pool/main/a/apt/apt_0.6.46.4-0.1+etch4.dsc
apt_0.6.46.4-0.1+etch4.tar.gz
  to pool/main/a/apt/apt_0.6.46.4-0.1+etch4.tar.gz
apt_0.6.46.4-0.1+etch4_i386.deb
  to pool/main/a/apt/apt_0.6.46.4-0.1+etch4_i386.deb
libapt-pkg-dev_0.6.46.4-0.1+etch4_i386.deb
  to pool/main/a/apt/libapt-pkg-dev_0.6.46.4-0.1+etch4_i386.deb
libapt-pkg-doc_0.6.46.4-0.1+etch4_all.deb
  to pool/main/a/apt/libapt-pkg-doc_0.6.46.4-0.1+etch4_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 523213@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Vogt <mvo@debian.org> (supplier of updated apt package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.7
Date: Sun, 19 Apr 2009 21:06:46 +0200
Source: apt
Binary: apt-utils libapt-pkg-doc libapt-pkg-dev apt-doc apt
Architecture: source all i386
Version: 0.6.46.4-0.1+etch4
Distribution: oldstable-security
Urgency: high
Maintainer: APT Development Team <deity@lists.debian.org>
Changed-By: Michael Vogt <mvo@debian.org>
Description: 
 apt        - Advanced front-end for dpkg
 apt-doc    - Documentation for APT
 apt-utils  - APT utility programs
 libapt-pkg-dev - Development files for APT's libapt-pkg and libapt-inst
 libapt-pkg-doc - Documentation for APT development
Closes: 433091 523213
Changes: 
 apt (0.6.46.4-0.1+etch4) oldstable-security; urgency=high
 .
   * debian/apt.cron.daily:
     - fix possible DST timestap releated auto-update problem
       (CVE-2009-1300, closes: #523213)
   * methods/gpgv.cc:
     - properly check for expired and revoked keys (closes: #433091)





Reply sent to Nico Golde <nion@debian.org>:
You have taken responsibility. (Wed, 06 May 2009 12:33:22 GMT) (full text, mbox, link).


Notification sent to Jamie Strandboge <jamie@ubuntu.com>:
Bug acknowledged by developer. (Wed, 06 May 2009 12:33:22 GMT) (full text, mbox, link).


Message #35 received at 523213-close@bugs.debian.org (full text, mbox, reply):

From: Nico Golde <nion@debian.org>
To: 523213-close@bugs.debian.org
Subject: Bug#523213: fixed in apt 0.7.20.2+squeeze1
Date: Wed, 06 May 2009 12:17:05 +0000
Source: apt
Source-Version: 0.7.20.2+squeeze1

We believe that the bug you reported is fixed in the latest version of
apt, which is due to be installed in the Debian FTP archive:

apt-doc_0.7.20.2+squeeze1_all.deb
  to pool/main/a/apt/apt-doc_0.7.20.2+squeeze1_all.deb
apt-transport-https_0.7.20.2+squeeze1_i386.deb
  to pool/main/a/apt/apt-transport-https_0.7.20.2+squeeze1_i386.deb
apt-utils_0.7.20.2+squeeze1_i386.deb
  to pool/main/a/apt/apt-utils_0.7.20.2+squeeze1_i386.deb
apt_0.7.20.2+squeeze1.dsc
  to pool/main/a/apt/apt_0.7.20.2+squeeze1.dsc
apt_0.7.20.2+squeeze1.tar.gz
  to pool/main/a/apt/apt_0.7.20.2+squeeze1.tar.gz
apt_0.7.20.2+squeeze1_i386.deb
  to pool/main/a/apt/apt_0.7.20.2+squeeze1_i386.deb
libapt-pkg-dev_0.7.20.2+squeeze1_i386.deb
  to pool/main/a/apt/libapt-pkg-dev_0.7.20.2+squeeze1_i386.deb
libapt-pkg-doc_0.7.20.2+squeeze1_all.deb
  to pool/main/a/apt/libapt-pkg-doc_0.7.20.2+squeeze1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 523213@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nico Golde <nion@debian.org> (supplier of updated apt package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.8
Date: Tue, 05 May 2009 15:37:03 +0200
Source: apt
Binary: apt apt-doc libapt-pkg-dev libapt-pkg-doc apt-utils apt-transport-https
Architecture: source all i386
Version: 0.7.20.2+squeeze1
Distribution: testing-security
Urgency: high
Maintainer: APT Development Team <deity@lists.debian.org>
Changed-By: Nico Golde <nion@debian.org>
Description: 
 apt        - Advanced front-end for dpkg
 apt-doc    - Documentation for APT
 apt-transport-https - APT https transport
 apt-utils  - APT utility programs
 libapt-pkg-dev - Development files for APT's libapt-pkg and libapt-inst
 libapt-pkg-doc - Documentation for APT development
Closes: 433091 523213
Changes: 
 apt (0.7.20.2+squeeze1) testing-security; urgency=high
 .
   * debian/apt.cron.daily:
     - fix possible DST timestamp releated auto-update problem
       (CVE-2009-1300, closes: #523213)
   * methods/gpgv.cc:
     - properly check for expired and revoked keys (closes: #433091)





Reply sent to Michael Vogt <mvo@debian.org>:
You have taken responsibility. (Sat, 27 Jun 2009 16:39:11 GMT) (full text, mbox, link).


Notification sent to Jamie Strandboge <jamie@ubuntu.com>:
Bug acknowledged by developer. (Sat, 27 Jun 2009 16:39:11 GMT) (full text, mbox, link).


Message #40 received at 523213-close@bugs.debian.org (full text, mbox, reply):

From: Michael Vogt <mvo@debian.org>
To: 523213-close@bugs.debian.org
Subject: Bug#523213: fixed in apt 0.7.20.2+lenny1
Date: Sat, 27 Jun 2009 16:04:16 +0000
Source: apt
Source-Version: 0.7.20.2+lenny1

We believe that the bug you reported is fixed in the latest version of
apt, which is due to be installed in the Debian FTP archive:

apt-doc_0.7.20.2+lenny1_all.deb
  to pool/main/a/apt/apt-doc_0.7.20.2+lenny1_all.deb
apt-transport-https_0.7.20.2+lenny1_i386.deb
  to pool/main/a/apt/apt-transport-https_0.7.20.2+lenny1_i386.deb
apt-utils_0.7.20.2+lenny1_i386.deb
  to pool/main/a/apt/apt-utils_0.7.20.2+lenny1_i386.deb
apt_0.7.20.2+lenny1.dsc
  to pool/main/a/apt/apt_0.7.20.2+lenny1.dsc
apt_0.7.20.2+lenny1.tar.gz
  to pool/main/a/apt/apt_0.7.20.2+lenny1.tar.gz
apt_0.7.20.2+lenny1_i386.deb
  to pool/main/a/apt/apt_0.7.20.2+lenny1_i386.deb
libapt-pkg-dev_0.7.20.2+lenny1_i386.deb
  to pool/main/a/apt/libapt-pkg-dev_0.7.20.2+lenny1_i386.deb
libapt-pkg-doc_0.7.20.2+lenny1_all.deb
  to pool/main/a/apt/libapt-pkg-doc_0.7.20.2+lenny1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 523213@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Vogt <mvo@debian.org> (supplier of updated apt package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.8
Date: Sun, 19 Apr 2009 21:23:46 +0200
Source: apt
Binary: apt apt-doc libapt-pkg-dev libapt-pkg-doc apt-utils apt-transport-https
Architecture: source all i386
Version: 0.7.20.2+lenny1
Distribution: stable-security
Urgency: high
Maintainer: APT Development Team <deity@lists.debian.org>
Changed-By: Michael Vogt <mvo@debian.org>
Description: 
 apt        - Advanced front-end for dpkg
 apt-doc    - Documentation for APT
 apt-transport-https - APT https transport
 apt-utils  - APT utility programs
 libapt-pkg-dev - Development files for APT's libapt-pkg and libapt-inst
 libapt-pkg-doc - Documentation for APT development
Closes: 433091 523213
Changes: 
 apt (0.7.20.2+lenny1) stable-security; urgency=high
 .
   * debian/apt.cron.daily:
     - fix possible DST timestamp releated auto-update problem
       (CVE-2009-1300, closes: #523213)
   * methods/gpgv.cc:
     - properly check for expired and revoked keys (closes: #433091)





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 26 Jul 2009 07:28:46 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:35:49 2019; Machine Name: buxtehude
