From 6a300317086e1422953abdd5825680b216c2c211 Mon Sep 17 00:00:00 2001 From: Chong Lu Date: Fri, 26 Sep 2014 09:49:19 +0800 Subject: apt: fix for CVE-2014-0478 APT before 1.0.4 does not properly validate source packages, which allows man-in-the-middle attackers to download and install Trojan horse packages by removing the Release signature. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0478 (From OE-Core rev: 3dd692fcf2b0c11731b3f30abdf2b1878458a898) Signed-off-by: Wenlin Kang Signed-off-by: Chong Lu Signed-off-by: Richard Purdie --- meta/recipes-devtools/apt/apt.inc | 1 + 1 file changed, 1 insertion(+) (limited to 'meta/recipes-devtools/apt/apt.inc') diff --git a/meta/recipes-devtools/apt/apt.inc b/meta/recipes-devtools/apt/apt.inc index b528c00..378021a 100644 --- a/meta/recipes-devtools/apt/apt.inc +++ b/meta/recipes-devtools/apt/apt.inc @@ -11,6 +11,7 @@ SRC_URI = "${DEBIAN_MIRROR}/main/a/apt/apt_${PV}.tar.gz \ file://truncate-filename.patch \ file://nodoc.patch \ file://disable-configure-in-makefile.patch \ + file://apt-0.9.9.4-CVE-2014-0478.patch \ " inherit autotools gettext -- cgit v1.1
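Review bot: the new SRC_URI entry `file://apt-0.9.9.4-CVE-2014-0478.patch` is tied to one APT version by its name, but it is added to the shared `apt.inc`, where the tarball is fetched as `apt_${PV}.tar.gz`. Any recipe that includes this file with a different PV will try to apply the same patch, and it will either fail in do_patch or apply with fuzz to code it was not written for. Either move the entry into the versioned recipe that actually builds 0.9.9.4, or state in the commit message that every PV using `apt.inc` has been checked against it. This view is limited to `apt.inc`, so the patch file itself is not visible here; please confirm it is part of the same commit and that its header records where the fix came from, since the commit message describes the CVE (signature validation of the Release file) but not what the patch changes or how the fix was verified.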