PT-2007-1043 · Debian · Reprepro

Bernhard R. Link · Published 2007-09-06 · Updated 2009-02-05 · CVE-2007-4739

CVSS v2.0: 5.0 (Medium)
Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N
Name of the Vulnerable Software and Affected Versions: reprepro versions 1.3.0 through 2.2.3
Description: reprepro does not properly verify signatures when updating repositories (the update command). Because a signature made by an unknown key is accepted as valid, a remote attacker can construct and distribute an ostensibly valid Release.gpg file by signing it with a key of their own. Multiple vulnerabilities in the reprepro package of the Debian GNU/Linux operating system can lead to a violation of the integrity of protected information and can be exploited remotely.
Recommendations: For versions 1.3.0 through 2.2.3, update to a version that properly verifies signatures when updating repositories, so that a Release.gpg file signed with an unknown key is rejected rather than accepted. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
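The defect described above is that a signature which merely verifies cryptographically was treated as proof of origin, without checking that the signing key is one the mirror is configured to trust. The following is an added example (not reprepro's own code) of the check a repository updater should perform: it parses GnuPG's machine-readable `--status-fd` transcript for a Release.gpg verification and accepts the file only when a GOODSIG/VALIDSIG pair comes from a key in an explicit allowlist. The transcripts, the key IDs and the fingerprints below are constructed placeholders, not real Debian or reprepro keys.

```python
"""Accept a Release.gpg only when a good signature comes from a key we trust.

Input is the list of "[GNUPG:] ..." lines GnuPG writes to --status-fd.
Everything here (fingerprints, key IDs, transcripts) is constructed for
illustration; none of it is the reprepro project's own code or data.
"""

# Constructed placeholder: fingerprints of the keys this mirror expects
# the upstream Release file to be signed with.
TRUSTED_FINGERPRINTS = {"AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555"}

# GnuPG status keywords that describe a signature outcome other than GOODSIG.
# Each one starts a new signature record, so a VALIDSIG following it must
# not be credited to an earlier GOODSIG.
_NOT_GOOD = {"EXPKEYSIG", "REVKEYSIG", "EXPSIG", "ERRSIG", "NO_PUBKEY", "NEWSIG"}


def verify_status(status_lines, trusted=TRUSTED_FINGERPRINTS):
    """Return (accepted, reason) for a GnuPG status-fd transcript.

    A signature counts only if GnuPG reported GOODSIG for it *and* the
    fingerprint in the matching VALIDSIG record (signing subkey or its
    primary key) is in the trusted set. Signatures by unknown keys
    (ERRSIG/NO_PUBKEY) and by known-but-untrusted keys are ignored, which
    is exactly the case CVE-2007-4739 got wrong. Any BADSIG rejects the
    file outright, since a tampered file should never be used.
    """
    trusted = {f.upper() for f in trusted}
    current_good = False   # the signature record currently being read was GOODSIG
    saw_good = False       # at least one GOODSIG appeared, trusted or not
    trusted_signers = []

    for raw in status_lines:
        line = raw.strip()
        if not line.startswith("[GNUPG:] "):
            continue  # human-readable stderr noise, not a status record
        fields = line.split()
        keyword = fields[1]

        if keyword == "BADSIG":
            return False, "BADSIG"
        if keyword == "GOODSIG":
            current_good = True
            saw_good = True
        elif keyword in _NOT_GOOD:
            current_good = False
        elif keyword == "VALIDSIG" and len(fields) >= 3:
            # Field 2 is the signing key's fingerprint; field 11 (when
            # present) is the primary key fingerprint for a subkey signature.
            candidates = {fields[2].upper()}
            if len(fields) >= 12:
                candidates.add(fields[11].upper())
            if current_good and candidates & trusted:
                trusted_signers.append(fields[2].upper())
            current_good = False  # VALIDSIG closes the record

    if trusted_signers:
        return True, trusted_signers[0]
    if saw_good:
        return False, "UNTRUSTED_KEY"
    return False, "NO_GOOD_SIGNATURE"


# Constructed transcripts, modelled on GnuPG's documented status format.
TRUSTED_TRANSCRIPT = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG DDDD4444EEEE5555 Example Archive Key <archive@example.invalid>",
    "[GNUPG:] VALIDSIG AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555 2009-02-05 1233792000 0 4 0 17 2 00 AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555",
    "[GNUPG:] TRUST_ULTIMATE",
]
# A file signed with a key the verifier has never seen: no GOODSIG at all.
UNKNOWN_KEY_TRANSCRIPT = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] ERRSIG 0123456789ABCDEF 17 2 00 1233792000 9",
    "[GNUPG:] NO_PUBKEY 0123456789ABCDEF",
]
# A cryptographically good signature from a key in the keyring but not in the allowlist.
OTHER_KEY_TRANSCRIPT = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG 9999888877776666 Somebody Else <else@example.invalid>",
    "[GNUPG:] VALIDSIG 1111222233334444555566667777888899998888 2009-02-05 1233792000 0 4 0 17 2 00 1111222233334444555566667777888899998888",
]
# A file whose contents no longer match the signature.
BADSIG_TRANSCRIPT = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] BADSIG DDDD4444EEEE5555 Example Archive Key <archive@example.invalid>",
]

if __name__ == "__main__":
    for name, transcript in (("trusted", TRUSTED_TRANSCRIPT),
                             ("unknown key", UNKNOWN_KEY_TRANSCRIPT),
                             ("other key", OTHER_KEY_TRANSCRIPT),
                             ("bad signature", BADSIG_TRANSCRIPT)):
        print(name, "->", verify_status(transcript))
```

The design point is that "the signature verifies" and "the signature is from a key we trust" are separate questions; only the second one authorises using the Release file, and the allowlist must be the updater's configuration rather than whatever happens to be in the keyring.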

Weakness Enumeration

Related Identifiers

BDU:2015-03508
CVE-2007-4739
DSA-1394-1

Affected Products

Reprepro