python-apt uses MD5 for validation
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
python-apt (Ubuntu) |
Fix Released
|
Undecided
|
Unassigned |
Bug Description
Only MD5 is checked (most versions)
In stable releases, and unstable, they only check MD5 sums of the files they download. 1.9.0 was broken as it still refered to the md5 field, but the field went away, so it would raise an exception if you tried to use it - so that's safe :D
experimental (1.9.1) checks all hash sums, but only if some are present - it would happily accept an empty list of hashes - 1.9.2 will fix this issue by checking that the list of hashes is "usable", as it's called in apt, completing the proper fix.
The only versions not affected by this are the ones in Ubuntu eoan and focal, as they hardcoded SHA256 instead of MD5 as a workaround to code failing because MD5 went away.
CVE References
summary: |
- placeholder + python-apt uses MD5 for validation |
description: | updated |
information type: | Private Security → Public Security |
All diffs have passed CI, and local autopkgtest.