Debian: DSA-3031-1: apt security update
-------------------------------------------------------------------------

Debian Security Advisory DSA-3031-1
https://www.debian.org/security/
Salvatore Bonaccorso
September 23, 2014
https://www.debian.org/security/faq

-------------------------------------------------------------------------

Package : apt
CVE ID : CVE-2014-6273

The Google Security Team discovered a buffer overflow vulnerability in the HTTP transport code in apt-get. An attacker able to man-in-the-middle a HTTP request to an apt repository can trigger the buffer overflow, leading to a crash of the 'http' apt method binary, or potentially to arbitrary code execution.

Two regression fixes were included in this update:

* Fix regression from the previous update in DSA-3025-1 when the custom apt configuration option for Dir::state::lists is set to a relative path (#762160).

* Fix regression in the reverification handling of cdrom: sources that may lead to incorrect hashsum warnings. Affected users need to run "apt-cdrom add" again after the update was applied.

For the stable distribution (wheezy), this problem has been fixed in version 0.9.7.9+deb7u5.

We recommend that you upgrade your apt packages.

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/