From: Michael Vogt <michael.vogt@ubuntu.com>
Date: Thu, 22 Sep 2011 15:30:33 +0000 (+0200)
Subject: merge disable apt-key net-update
X-Git-Tag: 0.9.13.exp1ubuntu1~130
X-Git-Url: https://git.saurik.com/apt.git/commitdiff_plain/052c923de0b631e43a02c837a413f4a097b3c10f?ds=inline;hp=--cc

merge disable apt-key net-update
---

052c923de0b631e43a02c837a413f4a097b3c10f
diff --git a/cmdline/apt-key b/cmdline/apt-key
index e80741627..4d2b7c49f 100755
--- a/cmdline/apt-key
+++ b/cmdline/apt-key
@@ -68,6 +68,9 @@ add_keys_with_verify_against_master_keyring() {
 # the archive-keyring keys needs to be signed with the master key
 # (otherwise it does not make sense from a security POV)
 net_update() {
+    # Disabled for now as code is insecure
+    exit 1
+
     if [ -z "$ARCHIVE_KEYRING_URI" ]; then
 	echo >&2 "ERROR: Your distribution is not supported in net-update as no uri for the archive-keyring is set"
 	exit 1
diff --git a/debian/changelog b/debian/changelog
index cac4ea361..f910ddb4f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,17 @@
+apt (0.8.16~exp5ubuntu11) UNRELEASED; urgency=low
+
+  [ Colin Watson ]
+  * ftparchive/cachedb.cc:
+    - fix buffersize in bytes2hex
+  
+  [ Marc Deslauriers ]
+  * SECURITY UPDATE: Disable apt-key net-update for now, as validation
+    code is insecure.
+    - cmdline/apt-key: exit immediately out of net_update().
+    - CVE number pending
+
+ -- Michael Vogt <michael.vogt@ubuntu.com>  Thu, 22 Sep 2011 17:28:49 +0200
+
 apt (0.8.16~exp5ubuntu10) oneiric; urgency=low
 
   * methods/https.cc:
@@ -120,10 +134,6 @@ apt (0.8.16~exp5) UNRELEASED; urgency=low
       libapt does not segfault if the cache is remapped in between
       (LP: #812862)
   
-  [ Colin Watson ]
-  * ftparchive/cachedb.cc:
-    - fix buffersize in bytes2hex
-
  -- Michael Vogt <michael.vogt@ubuntu.com>  Fri, 29 Jul 2011 13:44:01 +0200
 
 apt (0.8.16~exp4) experimental; urgency=low