[Bug 1329274] [NEW] apt-get source fails to warn on unauthenticated packages
Michael Vogt
michael.vogt at canonical.com
Thu Jun 12 10:30:02 UTC 2014
*** This bug is a security vulnerability ***
Public security bug reported:
apt-get source foo will not warn if the repository that foo belongs to
has no signature attached.
It should fail in this case - this is CVE-2014-0478
** Affects: apt
Importance: Unknown
Status: Unknown
** Affects: apt (Ubuntu)
Importance: High
Assignee: Michael Vogt (mvo)
Status: In Progress
** Bug watch added: Debian Bug tracker #749795
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=749795
** Also affects: apt via
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=749795
Importance: Unknown
Status: Unknown
** Changed in: apt (Ubuntu)
Importance: Undecided => High
** Changed in: apt (Ubuntu)
Assignee: (unassigned) => Michael Vogt (mvo)
** Changed in: apt (Ubuntu)
Status: New => In Progress
** Information type changed from Public to Public Security
** Description changed:
apt-get source foo will not warn if the repository that foo belongs to
has no signature attached.
- It should fails in this case
+ It should fails in this case - this is CVE-2014-0478
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2014-0478
--
https://bugs.launchpad.net/bugs/1329274
Title:
apt-get source fails to warn on unauthenticated packages
Status in APT:
Unknown
Status in “apt” package in Ubuntu:
In Progress
Bug description:
apt-get source foo will not warn if the repository that foo belongs to
has no signature attached.
It should fail in this case - this is CVE-2014-0478