InRelease security issue

Bug #947108 reported by Michael Vogt
258
This bug affects 1 person
Affects Status Importance Assigned to Milestone
apt (Ubuntu)
Fix Released
Medium
Michael Vogt
Natty
Fix Released
Medium
Marc Deslauriers
Oneiric
Fix Released
Medium
Marc Deslauriers
Precise
Fix Released
Medium
Michael Vogt

Bug Description

There is a security issue in the InRelease code that allows a MITM attack. I prepare a debdiff for natty+ with the fix.
Ubuntu is not directly affected as we do not use the InRelease file but any of our users who does in a repository can
be attacked.

Revision history for this message
Michael Vogt (mvo) wrote :
Changed in apt (Ubuntu Natty):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in apt (Ubuntu Oneiric):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in apt (Ubuntu Natty):
status: New → Confirmed
Changed in apt (Ubuntu Oneiric):
status: New → Confirmed
Changed in apt (Ubuntu Precise):
status: New → Confirmed
Changed in apt (Ubuntu Natty):
importance: Undecided → Medium
Changed in apt (Ubuntu Oneiric):
importance: Undecided → Medium
Changed in apt (Ubuntu Precise):
importance: Undecided → Medium
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apt - 0.8.16~exp5ubuntu13.2

---------------
apt (0.8.16~exp5ubuntu13.2) oneiric-security; urgency=low

  * SECURITY UPDATE: trust bypass via stale InRelease file (LP: #947108)
    - CVE-2012-0214
  * This packages does _not_ contain the changes from 0.8.16~exp5ubuntu13.1
    in oneiric-proposed.

  [ David Kalnischkies ]
  * apt-pkg/acquire-item.cc:
    - remove 'old' InRelease file if we can't get a new one before
      proceeding with Release.gpg to avoid the false impression of a still
      trusted repository by a (still present) old InRelease file.
      Thanks to Simon Ruderich for reporting this issue! (CVE-2012-0214)
 -- Marc Deslauriers <email address hidden> Mon, 05 Mar 2012 10:51:50 -0500

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apt - 0.8.13.2ubuntu4.4

---------------
apt (0.8.13.2ubuntu4.4) natty-security; urgency=low

  * SECURITY UPDATE: trust bypass via stale InRelease file (LP: #947108)
    - CVE-2012-0214

  [ David Kalnischkies ]
  * apt-pkg/acquire-item.cc:
    - remove 'old' InRelease file if we can't get a new one before
      proceeding with Release.gpg to avoid the false impression of a still
      trusted repository by a (still present) old InRelease file.
      Thanks to Simon Ruderich for reporting this issue! (CVE-2012-0214)
 -- Marc Deslauriers <email address hidden> Mon, 05 Mar 2012 11:29:00 -0500

Changed in apt (Ubuntu Natty):
status: Confirmed → Fix Released
Changed in apt (Ubuntu Oneiric):
status: Confirmed → Fix Released
visibility: private → public
Changed in apt (Ubuntu Precise):
assignee: nobody → Michael Vogt (mvo)
Changed in apt (Ubuntu Precise):
status: Confirmed → Fix Released
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.