Launchpad CVE tracker

CVE 2014-0478

APT before 1.0.4 does not properly validate source packages, which allows man-in-the-middle attackers to download and install Trojan horse packages by removing the Release signature.

Related bugs and status

CVE-2014-0478 (Candidate) is related to these bugs:

Bug #1329274: apt-get source fails to warn on unauthenticated packages

		In	Importance	Status
1329274	apt-get source fails to warn on unauthenticated packages	apt (Ubuntu)	High	Fix Released
1329274	apt-get source fails to warn on unauthenticated packages	APT	Unknown	Fix Released
1329274	apt-get source fails to warn on unauthenticated packages	apt (Ubuntu Saucy)	Medium	Fix Released
1329274	apt-get source fails to warn on unauthenticated packages	apt (Ubuntu Utopic)	High	Fix Released
1329274	apt-get source fails to warn on unauthenticated packages	apt (Ubuntu Trusty)	Medium	Fix Released
1329274	apt-get source fails to warn on unauthenticated packages	apt (Ubuntu Lucid)	Medium	Fix Released
1329274	apt-get source fails to warn on unauthenticated packages	apt (Ubuntu Precise)	Medium	Fix Released

Bug #1464064: Ubuntu apt repos are not available via HTTPS

Summary				In	Importance	Status
	1464064	Ubuntu apt repos are not available via HTTPS		Ubuntu	Undecided	Confirmed

See the

CVE page on Mitre.org for more details.

References

CONFIRM: https://bugs.debian.or...
DEBIAN: DSA-2958
SECUNIA: 58843
SECUNIA: 59358
UBUNTU: USN-2246-1

Launchpad.net

CVE 2014-0478

Related bugs and status

Related bugs

References