InRelease security issue
Bug #947108 reported by Michael Vogt
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
apt (Ubuntu) | Fix Released | Medium | Michael Vogt |
Natty | Fix Released | Medium | Marc Deslauriers |
Oneiric | Fix Released | Medium | Marc Deslauriers |
Precise | Fix Released | Medium | Michael Vogt |

Bug Description
There is a security issue in the InRelease code that allows a MITM attack. I prepare a debdiff for natty+ with the fix. Ubuntu is not directly affected as we do not use the InRelease file but any of our users who does in a repository can be attacked.
CVE References
Changed in apt (Ubuntu Natty):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in apt (Ubuntu Oneiric):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in apt (Ubuntu Natty):
status: New → Confirmed
Changed in apt (Ubuntu Oneiric):
status: New → Confirmed
Changed in apt (Ubuntu Precise):
status: New → Confirmed
Changed in apt (Ubuntu Natty):
importance: Undecided → Medium
Changed in apt (Ubuntu Oneiric):
importance: Undecided → Medium
Changed in apt (Ubuntu Precise):
importance: Undecided → Medium
visibility: private → public
Changed in apt (Ubuntu Precise):
assignee: nobody → Michael Vogt (mvo)
Changed in apt (Ubuntu Precise):
status: Confirmed → Fix Released
This bug was fixed in the package apt - 0.8.16~exp5ubuntu13.2
---------------
apt (0.8.16~exp5ubuntu13.2) oneiric-security; urgency=low

  * SECURITY UPDATE: trust bypass via stale InRelease file (LP: #947108)
    - CVE-2012-0214
  * This packages does _not_ contain the changes from 0.8.16~exp5ubuntu13.1
    in oneiric-proposed.

  [ David Kalnischkies ]
  * apt-pkg/acquire-item.cc:
    - remove 'old' InRelease file if we can't get a new one before
      proceeding with Release.gpg to avoid the false impression of a still
      trusted repository by a (still present) old InRelease file.
      Thanks to Simon Ruderich for reporting this issue! (CVE-2012-0214)

 -- Marc Deslauriers <email address hidden> Mon, 05 Mar 2012 10:51:50 -0500
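
The fallback described in the changelog entry above, as an added example that is not apt's code or part of the original bug report: a simplified in-memory C++ model in which the lists directory is a map and a repository looks trusted when a signed index file is present. `ListsDir`, `Mirror`, `SigOk`, `Update` and `LooksTrusted` are hypothetical names, the trust-by-presence rule and the toy signature check are assumptions of the model, and the mirror responses are constructed.

```cpp
// Added example: simplified model of the InRelease fallback, not apt's code.
#include <iostream>
#include <map>
#include <string>

// Hypothetical stand-in for the lists directory: file name -> content.
using ListsDir = std::map<std::string, std::string>;

// Constructed mirror responses; an empty string means the fetch failed.
struct Mirror { std::string inrelease, release, release_gpg; };

// Toy detached-signature check (assumption): valid iff sig == "sig:" + body.
static bool SigOk(const std::string &body, const std::string &sig) {
    return !sig.empty() && sig == "sig:" + body;
}

// Model assumption: a signed index file on disk marks the repo as trusted.
bool LooksTrusted(const ListsDir &lists) {
    return lists.count("InRelease") > 0 || lists.count("Release.gpg") > 0;
}

// One update run. remove_stale=false models the behaviour before the fix,
// remove_stale=true the behaviour the changelog entry describes.
void Update(ListsDir &lists, const Mirror &m, bool remove_stale) {
    if (!m.inrelease.empty()) {            // fresh InRelease: use it alone
        lists.clear();
        lists["InRelease"] = m.inrelease;
        return;
    }
    if (remove_stale) lists.erase("InRelease");  // the fix: drop the old file
    lists.erase("Release");
    lists.erase("Release.gpg");
    if (m.release.empty()) return;
    lists["Release"] = m.release;          // fall back to Release + Release.gpg
    if (SigOk(m.release, m.release_gpg)) lists["Release.gpg"] = m.release_gpg;
}

int main() {
    const ListsDir stale{{"InRelease", "old signed index"}};
    const Mirror unsigned_only{"", "new unsigned Release", ""};
    for (bool fix : {false, true}) {
        ListsDir lists = stale;
        Update(lists, unsigned_only, fix);
        std::cout << (fix ? "fixed:   " : "pre-fix: ")
                  << (LooksTrusted(lists) ? "trusted" : "untrusted") << "\n";
    }
}
```

In the pre-fix run the stale InRelease stays next to an unsigned Release, so the presence check still reports the repository as trusted; with the removal step the same responses leave it untrusted.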