CVE-2009-1358

NameCVE-2009-1358
Descriptionapt-get in apt before 0.7.21 does not check for the correct error code from gpgv, which causes apt to treat a repository as valid even when it has been signed with a key that has been revoked or expired, which might allow remote attackers to trick apt into installing malicious repositories.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDSA-1779-1, DTSA-199-1
NVD severityhigh
Debian Bugs433091

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
apt (PTS)stretch1.4.10fixed
stretch (security)1.4.11fixed
buster1.8.2.3fixed
buster (security)1.8.2.2fixed
bullseye, sid2.2.4fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
aptsourceetch0.6.46.4-0.1+etch1DSA-1779-1
aptsourcelenny0.7.20.2+lenny1DSA-1779-1
aptsourcesqueeze0.7.20.2+squeeze1DTSA-199-1
aptsource(unstable)0.7.21433091

Search for package or bug name: Reporting problems