InRelease security issue

Bug #947108 reported by Michael Vogt on 2012-03-05
Affects        Status  Importance  Assigned to       Milestone
apt (Ubuntu)           Medium      Michael Vogt
Natty                  Medium      Marc Deslauriers
Oneiric                Medium      Marc Deslauriers
Precise                Medium      Michael Vogt

Bug Description

There is a security issue in the InRelease code that allows a MITM attack. I prepare a debdiff for natty+ with the fix.
Ubuntu is not directly affected as we do not use the InRelease file, but any of our users who do so in a repository can
be attacked.

Michael Vogt (mvo) wrote :
Changed in apt (Ubuntu Natty):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in apt (Ubuntu Oneiric):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in apt (Ubuntu Natty):
status: New → Confirmed
Changed in apt (Ubuntu Oneiric):
status: New → Confirmed
Changed in apt (Ubuntu Precise):
status: New → Confirmed
Changed in apt (Ubuntu Natty):
importance: Undecided → Medium
Changed in apt (Ubuntu Oneiric):
importance: Undecided → Medium
Changed in apt (Ubuntu Precise):
importance: Undecided → Medium
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apt - 0.8.16~exp5ubuntu13.2

---------------
apt (0.8.16~exp5ubuntu13.2) oneiric-security; urgency=low

  * SECURITY UPDATE: trust bypass via stale InRelease file (LP: #947108)
    - CVE-2012-0214
  * This packages does _not_ contain the changes from 0.8.16~exp5ubuntu13.1
    in oneiric-proposed.

  [ David Kalnischkies ]
  * apt-pkg/acquire-item.cc:
    - remove 'old' InRelease file if we can't get a new one before
      proceeding with Release.gpg to avoid the false impression of a still
      trusted repository by a (still present) old InRelease file.
      Thanks to Simon Ruderich for reporting this issue! (CVE-2012-0214)
 -- Marc Deslauriers <email address hidden> Mon, 05 Mar 2012 10:51:50 -0500

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apt - 0.8.13.2ubuntu4.4

---------------
apt (0.8.13.2ubuntu4.4) natty-security; urgency=low

  * SECURITY UPDATE: trust bypass via stale InRelease file (LP: #947108)
    - CVE-2012-0214

  [ David Kalnischkies ]
  * apt-pkg/acquire-item.cc:
    - remove 'old' InRelease file if we can't get a new one before
      proceeding with Release.gpg to avoid the false impression of a still
      trusted repository by a (still present) old InRelease file.
      Thanks to Simon Ruderich for reporting this issue! (CVE-2012-0214)
 -- Marc Deslauriers <email address hidden> Mon, 05 Mar 2012 11:29:00 -0500

Changed in apt (Ubuntu Natty):
status: Confirmed → Fix Released
Changed in apt (Ubuntu Oneiric):
status: Confirmed → Fix Released
visibility: private → public
Changed in apt (Ubuntu Precise):
assignee: nobody → Michael Vogt (mvo)
Changed in apt (Ubuntu Precise):
status: Confirmed → Fix Released
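
The changelog entries above describe the fix only in words. As an added illustration (not apt's code and not part of the bug report), this simplified C++ model shows why a leftover InRelease file matters; the trust rule, the `ListsDir` map and all function names are assumptions of the model.

```cpp
// Added illustration of the stale-InRelease problem; a simplified model, not apt's code.
#include <iostream>
#include <map>
#include <string>

// Constructed stand-in for one repository's files in the lists directory:
// file name -> "its signature verified when it was stored".
using ListsDir = std::map<std::string, bool>;

struct Fetch { bool ok; bool verified; };  // outcome of one download attempt

// Assumption of this model: a repository looks trusted when a verified
// InRelease or a verified Release.gpg is present on disk.
bool looksTrusted(const ListsDir &d) {
    for (const char *name : {"InRelease", "Release.gpg"}) {
        auto it = d.find(name);
        if (it != d.end() && it->second) return true;
    }
    return false;
}

// One update run. removeStale=false models the pre-fix behaviour,
// removeStale=true the behaviour described in the changelog.
bool update(ListsDir &d, Fetch inRelease, Fetch release, Fetch gpg, bool removeStale) {
    if (inRelease.ok) {
        d["InRelease"] = inRelease.verified;
        return looksTrusted(d);
    }
    if (removeStale) d.erase("InRelease");  // drop the old file before falling back
    d.erase("Release.gpg");                 // fallback replaces any earlier signature
    if (release.ok) d["Release"] = false;   // Release alone carries no signature
    if (gpg.ok) d["Release.gpg"] = gpg.verified;
    return looksTrusted(d);
}

// Constructed scenario: an old verified InRelease is on disk; the new
// InRelease and Release.gpg cannot be fetched, but an unsigned Release can.
bool unsignedReleaseLooksTrusted(bool removeStale) {
    ListsDir d{{"InRelease", true}};
    return update(d, {false, false}, {true, false}, {false, false}, removeStale);
}

int main() {
    std::cout << "before fix: " << unsignedReleaseLooksTrusted(false) << "\n"
              << "after fix:  " << unsignedReleaseLooksTrusted(true) << "\n";
}
```

In the model, a normal fallback with a valid Release.gpg is still trusted after the fix; only the trust inherited from the old file disappears.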