Debian Security Advisory DSA 1394-1 (reprepro)

The remote host is missing an update to reprepro announced via advisory DSA 1394-1.
It was discovered that reprepro, a tool to create a repository of Debian packages, when updating from a remote site only checks for the validity of known signatures, and thus does not reject packages with only unknown signatures. This allows an attacker to bypass this authentication mechanism.

The oldstable distribution (sarge) is not affected by this problem.

For the stable distribution (etch) this problem has been fixed in version 1.3.1+1-1.

For the unstable distribution (sid) this problem has been fixed in version 2.2.4-1.

We recommend that you upgrade your reprepro package.
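The class of flaw described above, shown as an added example (a Python model, not reprepro's own code): a check that only fails on invalid signatures from known keys, next to one that requires a good signature from a trusted key. The status lines use GnuPG's `--status-fd` keywords; the key IDs, user name and function names are constructed for illustration.

```python
# Added illustration: a model of the flaw class, not reprepro's code.
# Key IDs and sample status output below are constructed.
TRUSTED = {"AAAAAAAAAAAAAAAA"}  # assumed key ID of the configured archive signer

SIGNED_BY_TRUSTED = "[GNUPG:] GOODSIG AAAAAAAAAAAAAAAA Constructed Archive Key\n"
SIGNED_BY_UNKNOWN = ("[GNUPG:] ERRSIG BBBBBBBBBBBBBBBB 1 2 00 1190000000 9\n"
                     "[GNUPG:] NO_PUBKEY BBBBBBBBBBBBBBBB\n")
TAMPERED = "[GNUPG:] BADSIG AAAAAAAAAAAAAAAA Constructed Archive Key\n"


def parse_status(text):
    """Return (keyword, keyid) pairs for each signature result in gpg status output."""
    results = []
    for line in text.splitlines():
        parts = line.split()
        if (len(parts) >= 3 and parts[0] == "[GNUPG:]"
                and parts[1] in ("GOODSIG", "BADSIG", "ERRSIG")):
            results.append((parts[1], parts[2]))
    return results


def accept_flawed(status, trusted=TRUSTED):
    """Fail only when a signature from a known key is invalid; unknown keys are skipped."""
    results = parse_status(status)
    if not results:
        return False  # no signature at all
    for keyword, keyid in results:
        if keyid in trusted and keyword != "GOODSIG":
            return False
    return True  # nothing failed, even though nothing may have been verified


def accept_hardened(status, trusted=TRUSTED):
    """Accept only if at least one good signature comes from a trusted key."""
    return any(keyword == "GOODSIG" and keyid in trusted
               for keyword, keyid in parse_status(status))


if __name__ == "__main__":
    for name, sample in [("trusted", SIGNED_BY_TRUSTED),
                         ("unknown only", SIGNED_BY_UNKNOWN),
                         ("tampered", TAMPERED)]:
        print(f"{name:13} flawed={accept_flawed(sample)} "
              f"hardened={accept_hardened(sample)}")
```

The model matches on key IDs for brevity; a production check should pin full fingerprints taken from `VALIDSIG` lines.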