[Bug 856489] Re: Improper verification of updated key via apt-key net-update

Launchpad Bug Tracker 856489 at bugs.launchpad.net
Thu Sep 22 18:08:08 UTC 2011


This bug was fixed in the package apt - 0.7.25.3ubuntu9.7

---------------
apt (0.7.25.3ubuntu9.7) lucid-security; urgency=low

  * SECURITY UPDATE: Disable apt-key net-update for now, as validation
    code is insecure. (LP: #856489)
    - cmdline/apt-key: exit immediately out of net_update().
    - CVE number pending
 -- Marc Deslauriers <marc.deslauriers at ubuntu.com>   Thu, 22 Sep 2011 11:24:50 -0400

** Changed in: apt (Ubuntu Hardy)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to apt in Ubuntu.
https://bugs.launchpad.net/bugs/856489

Title:
  Improper verification of updated key via apt-key net-update

Status in “apt” package in Ubuntu:
  Fix Committed
Status in “apt” source package in Lucid:
  Fix Released
Status in “apt” source package in Maverick:
  Fix Released
Status in “apt” source package in Natty:
  Fix Released
Status in “apt” source package in Oneiric:
  Fix Committed
Status in “apt” source package in Hardy:
  Fix Released

Bug description:
  As reported on full-disclosure:
  http://seclists.org/fulldisclosure/2011/Sep/221

  CVE request here:
  http://www.openwall.com/lists/oss-security/2011/09/22/5
