Vulnerability Name:

CVE-2009-1300 (CCN-50088)

Assigned: 2009-04-14
Published: 2009-04-14
Updated: 2020-01-08
Summary: apt 0.7.20 does not check when the date command returns an "invalid date" error, which can prevent apt from loading security updates in time zones for which DST occurs at midnight.
CVSS v3 Severity: 5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
Exploitability Metrics:
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:
Scope (S): Unchanged
Impact Metrics:
Confidentiality (C): None
Integrity (I): Low
Availability (A): None
CVSS v2 Severity: 10.0 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C)
7.4 High (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C/E:U/RL:OF/RC:C)
Exploitability Metrics:
Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:
Confidentiality (C): Complete
Integrity (I): Complete
Availability (A): Complete
4.3 Medium (CCN CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
3.2 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C)
Exploitability Metrics:
Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics:
Confidentiality (C): None
Integrity (I): Partial
Availability (A): None
Vulnerability Type: CWE-20
Vulnerability Consequences: Other
References:
Source: CCN
Type: Debian Bug report logs - #433091
ignores expiry of archive keys

Source: CONFIRM
Type: UNKNOWN
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=523213

Source: MITRE
Type: CNA
CVE-2009-1300

Source: CCN
Type: Debian Web site
Debian Changelog apt (0.7.21)

Source: CCN
Type: SA34829
apt Package Signature Verification Security Bypass

Source: SECUNIA
Type: UNKNOWN
34829

Source: SECUNIA
Type: UNKNOWN
34832

Source: SECUNIA
Type: UNKNOWN
34874

Source: DEBIAN
Type: UNKNOWN
DSA-1779

Source: DEBIAN
Type: DSA-1779
apt -- several vulnerabilities

Source: MLIST
Type: UNKNOWN
[oss-security] 20090408 CVE request: apt

Source: CCN
Type: OSVDB ID: 56433
apt date Command Invalid Date Handling Weakness

Source: CCN
Type: BID-34630
Debian apt Repository Signature Verification Vulnerability

Source: CCN
Type: USN-762-1
APT vulnerabilities

Source: CONFIRM
Type: UNKNOWN
https://bugs.launchpad.net/ubuntu/+source/coreutils/+bug/354793

Source: XF
Type: UNKNOWN
apt-date-weak-security(50088)

Source: UBUNTU
Type: UNKNOWN
USN-762-1

Vulnerable Configuration:
Configuration 1:
  • cpe:/a:debian:advanced_package_tool:0.7.20:*:*:*:*:*:*:*

Configuration CCN 1:
  • cpe:/a:debian:advanced_package_tool:0.7.20:*:*:*:*:*:*:*
  AND
  • cpe:/o:canonical:ubuntu:6.06::lts:*:*:*:*:*
  • OR cpe:/o:debian:debian_linux:4.0:*:*:*:*:*:*:*
  • OR cpe:/o:canonical:ubuntu:8.04::lts:*:*:*:*:*
  • OR cpe:/o:debian:debian_linux:5.0:*:*:*:*:*:*:*

* Denotes that component is vulnerable
Oval Definitions:
Definition ID                    Class   Title                                     Last Modified
oval:org.mitre.oval:def:13689    P       USN-762-1 -- apt vulnerabilities          2014-06-30
oval:org.mitre.oval:def:8263     P       DSA-1779 apt -- several vulnerabilities   2014-06-23
oval:org.mitre.oval:def:13616    P       DSA-1779-1 apt -- several                 2014-06-23
oval:org.debian:def:1779         V       several vulnerabilities                   2009-04-26
debian advanced package tool 0.7.20
debian apt 0.7.20
canonical ubuntu 6.06
debian debian linux 4.0
canonical ubuntu 8.04
debian debian linux 5.0