CVE-2016-1252 in Ubuntu

CVE-2016-1252

Priority

High

Description

The apt package in Debian jessie before 1.0.9.8.4, in Debian unstable
before 1.4~beta2, in Ubuntu 14.04 LTS before 1.0.1ubuntu2.17, in Ubuntu
16.04 LTS before 1.2.15ubuntu0.2, and in Ubuntu 16.10 before 1.3.2ubuntu0.1
allows man-in-the-middle attackers to bypass a repository-signing
protection mechanism by leveraging improper error handling when validating
InRelease file signatures.

References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1252
https://usn.ubuntu.com/usn/usn-3156-1

Bugs

https://launchpad.net/bugs/1647467

Assigned-to

mdeslaur

Package

Source: apt (LP Ubuntu Debian)

Upstream:	needs-triage
Ubuntu 12.04 ESM (Precise Pangolin):	not-affected (InRelease file splitting code is not present)
Ubuntu 14.04 LTS (Trusty Tahr):	released (1.0.1ubuntu2.17)
Ubuntu 16.04 LTS (Xenial Xerus):	released (1.2.15ubuntu0.2)
Ubuntu 17.04 (Zesty Zapus):	released (1.4~beta2)
Ubuntu 17.10 (Artful Aardvark):	released (1.4~beta2)

More Information

Updated: 2017-12-15 20:34:49 UTC (commit 13913)