[Bug 1858972] Re: python-apt uses MD5 for validation

Steve Beattie sbeattie at ubuntu.com
Fri Jan 31 19:55:28 UTC 2020 

** Summary changed:

- placeholder
+ python-apt uses MD5 for validation

** Description changed:

- Placeholder bug.
+ Only MD5 is checked (most versions)
+                                                                                                                                                              
+ In stable releases, and unstable, they only check MD5 sums of the files they download. 1.9.0 was broken as it still refered to the md5 field, but the field went away, so it would raise an exception if you tried to use it - so that's safe :D
+                                                                                                                                                              
+ experimental (1.9.1) checks all hash sums, but only if some are present - it would happily accept an empty list of hashes - 1.9.2 will fix this issue by checking that the list of hashes is "usable", as it's called in apt, completing the proper fix.
+                                                                                                                                                              
+ The only versions not affected by this are the ones in Ubuntu eoan and focal, as they hardcoded SHA256 instead of MD5 as a workaround to code failing because MD5 went away.

** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to python-apt in Ubuntu.
https://bugs.launchpad.net/bugs/1858972

Title:
  python-apt uses MD5 for validation

Status in python-apt package in Ubuntu:
  Fix Released

Bug description:
  Only MD5 is checked (most versions)
                                                                                                                                                               
  In stable releases, and unstable, they only check MD5 sums of the files they download. 1.9.0 was broken as it still refered to the md5 field, but the field went away, so it would raise an exception if you tried to use it - so that's safe :D
                                                                                                                                                               
  experimental (1.9.1) checks all hash sums, but only if some are present - it would happily accept an empty list of hashes - 1.9.2 will fix this issue by checking that the list of hashes is "usable", as it's called in apt, completing the proper fix.
                                                                                                                                                               
  The only versions not affected by this are the ones in Ubuntu eoan and focal, as they hardcoded SHA256 instead of MD5 as a workaround to code failing because MD5 went away.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python-apt/+bug/1858972/+subscriptions

More information about the foundations-bugs mailing list