Debian Security Advisory DSA 3031-1 (apt - security update)

Summary
The Google Security Team discovered a buffer overflow vulnerability in the HTTP transport code in apt-get. An attacker able to man-in-the-middle an HTTP request to an apt repository can trigger the buffer overflow, leading to a crash of the 'http' apt method binary, or potentially to arbitrary code execution.

Two regression fixes were included in this update:

* Fix regression from the previous update in DSA-3025-1 when the custom apt configuration option for Dir::state::lists is set to a relative path (#762160).
* Fix regression in the reverification handling of cdrom: sources that may lead to incorrect hashsum warnings. Affected users need to run 'apt-cdrom add' again after the update was applied.
Solution
For the stable distribution (wheezy), this problem has been fixed in version 0.9.7.9+deb7u5. We recommend that you upgrade your apt packages.
Insight
This package provides command-line tools for searching, managing and querying information about packages, as well as low-level access to all features of the libapt-pkg library.
Affected
apt on Debian Linux
Detection
This check compares the version of the installed apt package, as reported by the package manager, against the fixed version given in the Solution section.