CVE-2007-4739

NameCVE-2007-4739
Descriptionreprepro 1.3.0 through 2.2.3 does not properly verify signatures when updating repositories, which allows remote attackers to construct and distribute an ostensibly valid Release.gpg file by signing it with an unknown key, related to the update command.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDSA-1394-1
Debian Bugs440535

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
reprepro (PTS)bullseye5.3.0-1.2fixed
bookworm5.3.1-1+deb12u2fixed
sid, trixie5.4.6-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
repreprosourcesarge(not affected)
repreprosourceetch1.3.1+1-1DSA-1394-1
repreprosource(unstable)2.2.4-1high440535

Notes

patch for etch in the BTS
[sarge] - reprepro <not-affected> (Vulnerable code introduced in 1.3.0)
Search for package or bug name: Reporting problems