CVE-2009-1358

NameCVE-2009-1358
Descriptionapt-get in apt before 0.7.21 does not check for the correct error code from gpgv, which causes apt to treat a repository as valid even when it has been signed with a key that has been revoked or expired, which might allow remote attackers to trick apt into installing malicious repositories.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDSA-1779-1, DTSA-199-1
NVD severityhigh (attack range: remote)
Debian Bugs433091

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
apt (PTS)jessie (security), jessie1.0.9.8.4fixed
stretch1.4.8fixed
buster, sid1.6.3fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
aptsource(unstable)0.7.21high433091
aptsourceetch0.6.46.4-0.1+etch1highDSA-1779-1
aptsourcelenny0.7.20.2+lenny1highDSA-1779-1
aptsourcesqueeze0.7.20.2+squeeze1highDTSA-199-1

Search for package or bug name: Reporting problems