Age | Commit message (Collapse) | Author | |
---|---|---|---|
2015-08-27 | Do not parse Status fields from remote sources | Julian Andres Klode | |
This could allow an attacker to mark a package as installed in a remote package index, as long as the package was not listed in the dpkg status file. This way, an attacker could force the installation of a package during a dist-upgrade, by providing two packages in an index, an older marked as installed, and a newer - apt would "upgrade" to the newer version. |