CVE-2009-1358

Published: 21 April 2009

apt-get in apt before 0.7.21 does not check for the correct error code from gpgv, which causes apt to treat a repository as valid even when it has been signed with a key that has been revoked or expired, which might allow remote attackers to trick apt into installing malicious repositories.

Priority

Status

Package	Release	Status
apt Launchpad, Ubuntu, Debian	dapper	Released (0.6.43.3ubuntu3.1)
	hardy	Released (0.7.9ubuntu17.2)
	intrepid	Released (0.7.14ubuntu6.1)
	upstream	Released (0.7.21)
	Patches: other: http://launchpad.net/bugs/356012

References

https://ubuntu.com/security/notices/USN-762-1
https://www.cve.org/CVERecord?id=CVE-2009-1358
NVD
Launchpad
Debian

Bugs

http://launchpad.net/bugs/356012

Join the discussion

Ubuntu security updates mailing list
Security announcements mailing list

Canonical is offering Expanded Security Maintenance

Canonical is offering Ubuntu Expanded Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›