CVE-2014-0478

Priority
Medium
Description
APT before 1.0.4 does not properly validate source packages, which allows
man-in-the-middle attackers to download and install Trojan horse packages
by removing the Release signature.
References
Bugs
Assigned-to
mdeslaur
Package
Source: apt (LP Ubuntu Debian)
Upstream: released (1.0.4)
Ubuntu 10.04 LTS (Lucid Lynx): released (0.7.25.3ubuntu9.15)
Ubuntu 12.04 LTS (Precise Pangolin): released (0.8.16~exp12ubuntu10.17)
Ubuntu 13.10 (Saucy Salamander): released (0.9.9.1~ubuntu3.2)
Ubuntu 14.04 LTS (Trusty Tahr): released (1.0.1ubuntu2.1)
Ubuntu 14.10 (Utopic Unicorn): not-affected (1.0.4ubuntu4)
More Information

Updated: 2014-06-20 13:14:35 UTC (commit 8163)