Executive Summary
Summary | |
---|---|
Title | apt regression update |
Information | |||
---|---|---|---|
Name | DSA-3025 | First vendor Publication | 2014-09-16 |
Vendor | Debian | Last vendor Modification | 2014-09-18 |
Severity (Vendor) | N/A | Revision | 2 |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
Impact Sub Score | NA | Temporal Score | NA |
Exploitability Sub Score | NA | ||
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:L/Au:N/C:P/I:P/A:P) | |||
---|---|---|---|
Cvss Base Score | 7.5 | Attack Range | Network |
Cvss Impact Score | 6.4 | Attack Complexity | Low |
Cvss Exploit Score | 10 | Authentication | None Required |
Detail
The previous update for apt, DSA-3025-1, introduced a regression when file:/// sources are used and those are on a different partition than the apt state directory. This update fixes the regression.

For reference, the original advisory follows.

It was discovered that APT, the high level package manager, does not properly invalidate unauthenticated data (CVE-2014-0488), performs incorrect verification of 304 replies (CVE-2014-0487), does not perform the checksum check when the Acquire::GzipIndexes option is used (CVE-2014-0489) and does not properly perform validation for binary packages downloaded by the apt-get download command (CVE-2014-0490).

For the stable distribution (wheezy), this problem has been fixed in version 0.9.7.9+deb7u4.

For the unstable distribution (sid), this problem has been fixed in version 1.0.9.1.

We recommend that you upgrade your apt packages.
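The fixed versions above are only useful if they are compared correctly against what a host actually has installed, and Debian version strings such as 0.9.7.9+deb7u4 do not sort as plain strings or as floats. The following is an added example for this page, not code from the Debian advisory or from apt itself: a small Python reimplementation of the Debian package version ordering (epoch, upstream version, Debian revision; digit runs compared numerically, other runs character by character with "~" sorting before the end of the string) used to decide whether an installed apt is at or past the DSA-3025 fix. The suite keys, the function names and the sample versions in the tests are the example's own assumptions; only the two fixed version numbers come from the advisory.

```python
"""Compare an installed apt version against the versions fixed in DSA-3025.

Added example for this advisory page; it is not Debian's or apt's own code.
It reimplements the Debian package version ordering so the comparison also
works on a host that has no dpkg (for example, when checking an inventory).
"""
import subprocess

# Fixed versions named in DSA-3025-2 (the regression-fixed upload).
FIXED_VERSIONS = {
    "wheezy": "0.9.7.9+deb7u4",
    "sid": "1.0.9.1",
}

DIGITS = "0123456789"


def _order(c):
    """Weight of one character in a non-digit run, as dpkg defines it:
    '~' sorts before the end of the string, letters before other symbols."""
    if c == "~":
        return -1
    if c == "" or c in DIGITS:
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _fragment_cmp(a, b):
    """Port of dpkg's verrevcmp: alternate non-digit runs (character
    weights) and digit runs (numeric value, leading zeros ignored)."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and a[i] not in DIGITS) or (j < len(b) and b[j] not in DIGITS):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i] in DIGITS and j < len(b) and b[j] in DIGITS:
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i] in DIGITS:
            return 1   # a has more digits left, so it is numerically larger
        if j < len(b) and b[j] in DIGITS:
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version):
    """Split 'epoch:upstream-revision'; epoch defaults to 0, revision to ''."""
    epoch = 0
    if ":" in version:
        epoch_text, version = version.split(":", 1)
        epoch = int(epoch_text)
    upstream, sep, revision = version.rpartition("-")
    if not sep:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(left, right):
    """Negative, zero or positive, with the same ordering as dpkg --compare-versions."""
    e1, u1, r1 = _split(left)
    e2, u2, r2 = _split(right)
    if e1 != e2:
        return e1 - e2
    return _fragment_cmp(u1, u2) or _fragment_cmp(r1, r2)


def is_fixed(installed, suite):
    """True when `installed` is at or beyond the DSA-3025 fix for `suite`."""
    return compare_versions(installed, FIXED_VERSIONS[suite]) >= 0


def installed_apt_version():
    """Ask dpkg for the installed apt version; None where dpkg is absent."""
    try:
        out = subprocess.run(
            ["dpkg-query", "-W", "-f=${Version}", "apt"],
            capture_output=True, text=True, check=True,
        )
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None
    return out.stdout.strip() or None


if __name__ == "__main__":
    version = installed_apt_version()
    if version is None:
        print("dpkg not available; e.g. is_fixed('0.9.7.9+deb7u3', 'wheezy') ->", is_fixed("0.9.7.9+deb7u3", "wheezy"))
    else:
        for suite, fixed in FIXED_VERSIONS.items():
            state = "fixed" if is_fixed(version, suite) else "VULNERABLE"
            print(f"apt {version}: {state} relative to {suite} ({fixed})")
```

Two caveats when using this. The version to test for is the one from this second upload, 0.9.7.9+deb7u4, because the first upload (DSA-3025-1) carries the same security fixes but regresses file:/// sources that live on a different partition from the apt state directory. And the check covers only the Debian versions the advisory names; the Ubuntu releases listed under USN-2348-1 further down this page received separate package versions that this page does not state. On a host that has not yet been upgraded, `apt-config dump | grep -i GzipIndexes` shows whether the Acquire::GzipIndexes option, the setting under which CVE-2014-0489 skips the checksum check, is in effect.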
Original Source
Url : http://www.debian.org/security/2014/dsa-3025
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
100 % | CWE-20 | Improper Input Validation |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:26659 | |||
Oval ID: | oval:org.mitre.oval:def:26659 | ||
Title: | DSA-3025-1 apt - security update | ||
Description: | It was discovered that APT, the high level package manager, does not properly invalidate unauthenticated data (CVE-2014-0488), performs incorrect verification of 304 replies (CVE-2014-0487), does not perform the checksum check when the Acquire::GzipIndexes option is used (CVE-2014-0489) and does not properly perform validation for binary packages downloaded by the apt-get download command (CVE-2014-0490). | |
Family: | unix | Class: | patch |
Reference(s): | DSA-3025-1 CVE-2014-0487 CVE-2014-0488 CVE-2014-0489 CVE-2014-0490 | Version: | 3 |
Platform(s): | Debian GNU/Linux 7.0 Debian GNU/kFreeBSD 7.0 | Product(s): | apt |
Definition Id: oval:org.mitre.oval:def:26808 | |||
Oval ID: | oval:org.mitre.oval:def:26808 | ||
Title: | USN-2348-1 -- apt vulnerabilities | ||
Description: | Several security issues were fixed in APT. | ||
Family: | unix | Class: | patch |
Reference(s): | USN-2348-1 CVE-2014-0487 CVE-2014-0488 CVE-2014-0489 CVE-2014-0490 | Version: | 3 |
Platform(s): | Ubuntu 14.04 Ubuntu 12.04 Ubuntu 10.04 | Product(s): | apt |
Definition Id: oval:org.mitre.oval:def:28296 | |||
Oval ID: | oval:org.mitre.oval:def:28296 | ||
Title: | DSA-3025-2 -- apt regression update | ||
Description: | It was discovered that APT, the high level package manager, does not properly invalidate unauthenticated data (CVE-2014-0488), performs incorrect verification of 304 replies (CVE-2014-0487), does not perform the checksum check when the Acquire::GzipIndexes option is used (CVE-2014-0489) and does not properly perform validation for binary packages downloaded by the apt-get download command (CVE-2014-0490). | |
Family: | unix | Class: | patch |
Reference(s): | DSA-3025-2 CVE-2014-0487 CVE-2014-0488 CVE-2014-0489 CVE-2014-0490 | Version: | 3 |
Platform(s): | Debian GNU/Linux 7.0 Debian GNU/kFreeBSD 7.0 | Product(s): | apt |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2015-03-26 | Name : The remote Debian host is missing a security update. File : debian_DLA-53.nasl - Type : ACT_GATHER_INFO |
2014-09-25 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-3031.nasl - Type : ACT_GATHER_INFO |
2014-09-17 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-3025.nasl - Type : ACT_GATHER_INFO |
2014-09-17 | Name : The remote Ubuntu host is missing a security-related patch. File : ubuntu_USN-2348-1.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Informations |
---|---|
2014-11-05 05:33:35 | |
2014-11-04 21:28:32 | |
2014-11-04 05:35:05 | |
2014-09-26 13:27:31 | |
2014-09-19 00:22:48 | |
2014-09-18 13:27:24 | |
2014-09-16 21:23:22 | |