CVE-2009-1358

NameCVE-2009-1358
Descriptionapt-get in apt before 0.7.21 does not check for the correct error code from gpgv, which causes apt to treat a repository as valid even when it has been signed with a key that has been revoked or expired, which might allow remote attackers to trick apt into installing malicious repositories.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDSA-1779-1, DTSA-199-1
Debian Bugs433091

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
apt (PTS)bullseye2.2.4fixed
bookworm2.6.1fixed
trixie3.0.3fixed
forky3.1.9fixed
sid3.1.11fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
aptsourceetch0.6.46.4-0.1+etch1DSA-1779-1
aptsourcelenny0.7.20.2+lenny1DSA-1779-1
aptsourcesqueeze0.7.20.2+squeeze1DTSA-199-1
aptsource(unstable)0.7.21433091
Search for package or bug name: Reporting problems