[Bug 1013639] Re: net-update verifcation checking is still insecure (aka gpg key shadowing, again)

Launchpad Bug Tracker 1013639 at bugs.launchpad.net
Fri Jun 15 21:08:46 UTC 2012


This bug was fixed in the package apt - 0.8.16~exp5ubuntu13.5

---------------
apt (0.8.16~exp5ubuntu13.5) oneiric-security; urgency=low

  * SECURITY UPDATE: Disable apt-key net-update for now, as validation
    code is still insecure
    - cmdline/apt-key: exit 1 immediately in net_update()
    - CVE-2012-0954
    - LP: #1013639
 -- Jamie Strandboge <jamie at ubuntu.com>   Fri, 15 Jun 2012 08:00:43 -0500

** Changed in: apt (Ubuntu Natty)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to apt in Ubuntu.
https://bugs.launchpad.net/bugs/1013639

Title:
  net-update verifcation checking is still insecure (aka gpg key
  shadowing, again)

Status in “apt” package in Ubuntu:
  Fix Released
Status in “apt” source package in Lucid:
  Fix Released
Status in “apt” source package in Natty:
  Fix Released
Status in “apt” source package in Oneiric:
  Fix Released
Status in “apt” source package in Precise:
  Fix Released
Status in “apt” source package in Quantal:
  Fix Released
Status in “apt” source package in Hardy:
  Fix Released

Bug description:
  This is related to but different than:
  https://bugs.launchpad.net/ubuntu/+source/apt/+bug/857472
  https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1013128

  FYI:
  http://seclists.org/fulldisclosure/2012/Jun/271
  http://seclists.org/fulldisclosure/2012/Jun/289

  The fix for both of the previous bugs was not enough. There is
  reportedly an active exploit utilizing the Ubuntu CD Image Automatic
  Signing Key.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1013639/+subscriptions




More information about the foundations-bugs mailing list