CVE-2007-4739

Name: CVE-2007-4739
Description: reprepro 1.3.0 through 2.2.3 does not properly verify signatures when updating repositories, which allows remote attackers to construct and distribute an ostensibly valid Release.gpg file by signing it with an unknown key, related to the update command.
Source: CVE (at NVD; oss-sec, fulldisc, OSVDB, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, more)
References: DSA-1394-1
NVD severity: medium (attack range: remote)
Debian Bugs: 440535
Debian/oldstable: not vulnerable.
Debian/stable: not vulnerable.
Debian/testing: not vulnerable.
Debian/unstable: not vulnerable.

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   Release       Version           Status
reprepro (PTS)   squeeze       4.2.0-2squeeze1   fixed
                 wheezy        4.12.5-1          fixed
                 jessie, sid   4.16.0-1          fixed

The information below is based on the following data on fixed versions.

Package    Type     Release      Fixed Version    Urgency   Origin       Debian Bugs
reprepro   source   (unstable)   2.2.4-1          high                   440535
reprepro   source   etch         1.3.1+1-1        medium    DSA-1394-1
reprepro   source   sarge        (not affected)

Notes

- patch for etch in the BTS
- [sarge] - reprepro <not-affected> (Vulnerable code introduced in 1.3.0)
