CVE 2019-3462
Incorrect sanitation of the 302 redirect field in HTTP transport method of apt versions 1.4.8 and earlier can lead to content injection by a MITM attacker, potentially leading to remote code execution on the target machine.
Related bugs and status
CVE-2019-3462 (Candidate) is related to these bugs:
Bug #1255120: Support listing HTTPS archive mirrors
| Summary | In | Importance | Status | |||
|---|---|---|---|---|---|---|
| 1255120 | Support listing HTTPS archive mirrors | Launchpad itself | Low | Fix Released | ||
Bug #1464064: Ubuntu apt repos are not available via HTTPS
| Summary | In | Importance | Status | |||
|---|---|---|---|---|---|---|
| 1464064 | Ubuntu apt repos are not available via HTTPS | Ubuntu | Undecided | Confirmed | ||
Bug #1470250: [Hyper-V] Ubuntu 14.04.2 LTS Generation 2 SCSI Errors on VSS Based Backups
| Summary | In | Importance | Status | |||
|---|---|---|---|---|---|---|
| 1470250 | [Hyper-V] Ubuntu 14.04.2 LTS Generation 2 SCSI Errors on VSS Based Backups | linux (Ubuntu) | Critical | Fix Released | ||
| 1470250 | [Hyper-V] Ubuntu 14.04.2 LTS Generation 2 SCSI Errors on VSS Based Backups | linux (Ubuntu Trusty) | High | Won't Fix | ||
| 1470250 | [Hyper-V] Ubuntu 14.04.2 LTS Generation 2 SCSI Errors on VSS Based Backups | linux (Ubuntu Xenial) | Critical | Fix Released | ||
| 1470250 | [Hyper-V] Ubuntu 14.04.2 LTS Generation 2 SCSI Errors on VSS Based Backups | linux (Ubuntu Yakkety) | Critical | Fix Released | ||
| 1470250 | [Hyper-V] Ubuntu 14.04.2 LTS Generation 2 SCSI Errors on VSS Based Backups | linux (Ubuntu Zesty) | Critical | Fix Released | ||
Bug #1473091: default PPAs to HTTPS
| Summary | In | Importance | Status | |||
|---|---|---|---|---|---|---|
| 1473091 | default PPAs to HTTPS | Launchpad itself | Low | Fix Released | ||
Bug #1473092: Move all subdomains of launchpad.net to HTTPS
| Summary | In | Importance | Status | |||
|---|---|---|---|---|---|---|
| 1473092 | Move all subdomains of launchpad.net to HTTPS | Launchpad itself | Low | Triaged | ||
Bug #1787460: Unattended upgrades removed linux-image-generic
| Summary | In | Importance | Status | |||
|---|---|---|---|---|---|---|
| 1787460 | Unattended upgrades removed linux-image-generic | apt (Ubuntu) | Critical | Fix Released | ||
| 1787460 | Unattended upgrades removed linux-image-generic | apt (Ubuntu Xenial) | High | Fix Released | ||
| 1787460 | Unattended upgrades removed linux-image-generic | apt (Ubuntu Cosmic) | Critical | Fix Released | ||
| 1787460 | Unattended upgrades removed linux-image-generic | apt (Ubuntu Disco) | Critical | Fix Released | ||
| 1787460 | Unattended upgrades removed linux-image-generic | apt (Ubuntu Bionic) | Critical | Fix Released | ||
| 1787460 | Unattended upgrades removed linux-image-generic | apt (Ubuntu Trusty) | High | Fix Released | ||
Bug #1811120: Backport auth.conf.d
| Summary | In | Importance | Status | |||
|---|---|---|---|---|---|---|
| 1811120 | Backport auth.conf.d | apt (Ubuntu) | Low | Fix Released | ||
| 1811120 | Backport auth.conf.d | apt (Ubuntu Trusty) | Low | Fix Released | ||
| 1811120 | Backport auth.conf.d | apt (Ubuntu Bionic) | Low | Fix Released | ||
| 1811120 | Backport auth.conf.d | apt (Ubuntu Disco) | Low | Fix Released | ||
| 1811120 | Backport auth.conf.d | apt (Ubuntu Xenial) | Low | Fix Released | ||
| 1811120 | Backport auth.conf.d | apt (Ubuntu Cosmic) | Low | Fix Released | ||
Bug #1812353: content injection in http method (CVE-2019-3462)
| Summary | In | Importance | Status | |||
|---|---|---|---|---|---|---|
| 1812353 | content injection in http method (CVE-2019-3462) | apt (Ubuntu) | Critical | Fix Released | ||
| 1812353 | content injection in http method (CVE-2019-3462) | apt (Ubuntu Precise) | Undecided | Fix Released | ||
| 1812353 | content injection in http method (CVE-2019-3462) | apt (Ubuntu Cosmic) | Undecided | Fix Released | ||
| 1812353 | content injection in http method (CVE-2019-3462) | apt (Ubuntu Trusty) | Undecided | Fix Released | ||
| 1812353 | content injection in http method (CVE-2019-3462) | apt (Ubuntu Bionic) | Undecided | Fix Released | ||
| 1812353 | content injection in http method (CVE-2019-3462) | apt (Ubuntu Xenial) | Undecided | Fix Released | ||
| 1812353 | content injection in http method (CVE-2019-3462) | apt (Ubuntu Disco) | Critical | Fix Released | ||
Bug #1812696: APT doc and manpage uses wrong ubuntu-codename
| Summary | In | Importance | Status | |||
|---|---|---|---|---|---|---|
| 1812696 | APT doc and manpage uses wrong ubuntu-codename | apt (Ubuntu) | Wishlist | Fix Released | ||
| 1812696 | APT doc and manpage uses wrong ubuntu-codename | apt (Ubuntu Disco) | Wishlist | Fix Released | ||
| 1812696 | APT doc and manpage uses wrong ubuntu-codename | apt (Ubuntu Xenial) | Wishlist | Fix Released | ||
| 1812696 | APT doc and manpage uses wrong ubuntu-codename | apt (Ubuntu Cosmic) | Wishlist | Fix Released | ||
| 1812696 | APT doc and manpage uses wrong ubuntu-codename | apt (Ubuntu Bionic) | Wishlist | Fix Released | ||
Bug #1814727: Backport never pinning and Packages-Require-Authorization
| Summary | In | Importance | Status | |||
|---|---|---|---|---|---|---|
| 1814727 | Backport never pinning and Packages-Require-Authorization | apt (Ubuntu) | Undecided | Fix Released | ||
| 1814727 | Backport never pinning and Packages-Require-Authorization | apt (Ubuntu Xenial) | Undecided | Fix Released | ||
| 1814727 | Backport never pinning and Packages-Require-Authorization | apt (Ubuntu Cosmic) | Undecided | Fix Released | ||
| 1814727 | Backport never pinning and Packages-Require-Authorization | apt (Ubuntu Trusty) | Undecided | Fix Released | ||
| 1814727 | Backport never pinning and Packages-Require-Authorization | apt (Ubuntu Disco) | Undecided | Fix Released | ||
| 1814727 | Backport never pinning and Packages-Require-Authorization | apt (Ubuntu Bionic) | Undecided | Fix Released | ||
Bug #1815750: autopkgtest failure due to security update
| Summary | In | Importance | Status | |||
|---|---|---|---|---|---|---|
| 1815750 | autopkgtest failure due to security update | apt (Ubuntu) | Medium | Fix Released | ||
| 1815750 | autopkgtest failure due to security update | apt (Ubuntu Xenial) | Medium | Fix Released | ||
Bug #1815760: Additional hooks for update
| Summary | In | Importance | Status | |||
|---|---|---|---|---|---|---|
| 1815760 | Additional hooks for update | apt (Ubuntu) | Undecided | Fix Released | ||
| 1815760 | Additional hooks for update | apt (Ubuntu Xenial) | Undecided | Fix Released | ||
| 1815760 | Additional hooks for update | apt (Ubuntu Bionic) | Undecided | Fix Released | ||
| 1815760 | Additional hooks for update | apt (Ubuntu Disco) | Undecided | Fix Released | ||
| 1815760 | Additional hooks for update | apt (Ubuntu Cosmic) | Undecided | Fix Released | ||
| 1815760 | Additional hooks for update | apt (Ubuntu Trusty) | Undecided | Invalid | ||
Bug #1815761: Alternative to Dpkg::Post-Invoke that runs even if dpkg did not have to be invoked
| Summary | In | Importance | Status | |||
|---|---|---|---|---|---|---|
| 1815761 | Alternative to Dpkg::Post-Invoke that runs even if dpkg did not have to be invoked | apt (Ubuntu) | Undecided | Fix Released | ||
| 1815761 | Alternative to Dpkg::Post-Invoke that runs even if dpkg did not have to be invoked | apt (Ubuntu Xenial) | Undecided | Fix Released | ||
| 1815761 | Alternative to Dpkg::Post-Invoke that runs even if dpkg did not have to be invoked | apt (Ubuntu Disco) | Undecided | Fix Released | ||
| 1815761 | Alternative to Dpkg::Post-Invoke that runs even if dpkg did not have to be invoked | apt (Ubuntu Trusty) | Undecided | Fix Released | ||
| 1815761 | Alternative to Dpkg::Post-Invoke that runs even if dpkg did not have to be invoked | apt (Ubuntu Cosmic) | Undecided | Fix Released | ||
| 1815761 | Alternative to Dpkg::Post-Invoke that runs even if dpkg did not have to be invoked | apt (Ubuntu Bionic) | Undecided | Fix Released | ||
Bug #1818996: auth.conf.d directory missing
| Summary | In | Importance | Status | |||
|---|---|---|---|---|---|---|
| 1818996 | auth.conf.d directory missing | apt (Ubuntu) | Undecided | Fix Released | ||
| 1818996 | auth.conf.d directory missing | apt (Ubuntu Xenial) | Undecided | Fix Released | ||
| 1818996 | auth.conf.d directory missing | apt (Ubuntu Disco) | Undecided | Fix Released | ||
| 1818996 | auth.conf.d directory missing | apt (Ubuntu Trusty) | Undecided | Fix Released | ||
| 1818996 | auth.conf.d directory missing | apt (Ubuntu Cosmic) | Undecided | Fix Released | ||
| 1818996 | auth.conf.d directory missing | apt (Ubuntu Bionic) | Undecided | Fix Released | ||
See the 
CVE page on Mitre.org
for more details.
