Vulnerability Description
reprepro 1.3.0 through 2.2.3 does not properly verify signatures when updating repositories, which allows remote attackers to construct and distribute an ostensibly valid Release.gpg file by signing it with an unknown key, related to the update command.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Debian | Reprepro | 1.3.0 |
Related Weaknesses (CWE)
References
- http://alioth.debian.org/frs/shownotes.php?release_id=1031Patch
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=440535Patch
- http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=5%3Bfilename=interdiff%3Batt=1%
- http://osvdb.org/40172
- http://secunia.com/advisories/26678PatchVendor Advisory
- http://secunia.com/advisories/27334
- http://www.debian.org/security/2007/dsa-1394
- http://www.securityfocus.com/bid/25537
- http://alioth.debian.org/frs/shownotes.php?release_id=1031Patch
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=440535Patch
- http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=5%3Bfilename=interdiff%3Batt=1%
- http://osvdb.org/40172
- http://secunia.com/advisories/26678PatchVendor Advisory
- http://secunia.com/advisories/27334
- http://www.debian.org/security/2007/dsa-1394
FAQ
What is CVE-2007-4739?
CVE-2007-4739 is a vulnerability with a CVSS score of 5.0 (MEDIUM). reprepro 1.3.0 through 2.2.3 does not properly verify signatures when updating repositories, which allows remote attackers to construct and distribute an ostensibly valid Release.gpg file by signing i...
How severe is CVE-2007-4739?
CVE-2007-4739 has been rated MEDIUM with a CVSS base score of 5.0/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2007-4739?
Check the references section above for vendor advisories and patch information. Affected products include: Debian Reprepro.