Date: Fri, 17 Apr 2009 11:19:01 -0500 From: Jamie Strandboge <jamie@...onical.com> To: oss-security@...ts.openwall.com Cc: coley@...us.mitre.org, team@...urity.debian.org Subject: Re: CVE request: apt On Wed, 08 Apr 2009, Jamie Strandboge wrote: > Summary > ------- > Systems in certain timezones with automatic updates enabled won't be > upgraded on the first day of DST and some systems in affected timezones > could end up with automatic updates being disabled permanently. Normal > usage of apt is not affected. > In addition to my original request, can we have one more for this bug: https://launchpad.net/bugs/356012 "APT does not properly handle expired or revoked key signatures". This affects apt < 0.7.21. Basically, if a repository is signed with only a revoked or expired key, and gpgv reports VALIDSIG, apt considers it to be properly signed. apt should check for GOODSIG, not VALIDSIG. Patch is in the bug and this is already fixed in Debian sid and Ubuntu 9.04. Jamie -- Jamie Strandboge | http://www.canonical.com Download attachment "signature.asc" of type "application/pgp-signature" (198 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.