apt: fix for CVE-2014-0478

APT before 1.0.4 does not properly validate source packages, which allows man-in-the-middle attackers to download and install Trojan horse packages by removing the Release signature. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0478 Signed-off-by: Wenlin Kang <wenlin.kang@windriver.com> Signed-off-by: Chong Lu <Chong.Lu@windriver.com>
author: Chong Lu <Chong.Lu@windriver.com> 2014-09-26 09:49:19 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2014-09-29 17:49:10 +0100
commit: 3dd692fcf2b0c11731b3f30abdf2b1878458a898 (patch)
tree: 5b0bb9632a200f53d99d96de67d056d50522d5c5 /meta/recipes-devtools/apt/apt.inc
parent: a414b17e1d783ad68a2d0f7d5922967449c05797 (diff)
download: openembedded-core-contrib-3dd692fcf2b0c11731b3f30abdf2b1878458a898.tar.gz
1 files changed, 1 insertions, 0 deletions
diff --git a/meta/recipes-devtools/apt/apt.inc b/meta/recipes-devtools/apt/apt.inc
index b528c00fd8..378021a327 100644
--- a/meta/recipes-devtools/apt/apt.inc
+++ b/meta/recipes-devtools/apt/apt.inc
@@ -11,6 +11,7 @@ SRC_URI = "${DEBIAN_MIRROR}/main/a/apt/apt_${PV}.tar.gz \
            file://truncate-filename.patch \
            file://nodoc.patch \
            file://disable-configure-in-makefile.patch \
+           file://apt-0.9.9.4-CVE-2014-0478.patch \
            "
 
 inherit autotools gettext
author	Chong Lu <Chong.Lu@windriver.com>	2014-09-26 09:49:19 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2014-09-29 17:49:10 +0100
commit	3dd692fcf2b0c11731b3f30abdf2b1878458a898 (patch)
tree	5b0bb9632a200f53d99d96de67d056d50522d5c5 /meta/recipes-devtools/apt/apt.inc
parent	a414b17e1d783ad68a2d0f7d5922967449c05797 (diff)
download	openembedded-core-contrib-3dd692fcf2b0c11731b3f30abdf2b1878458a898.tar.gz