[Bug 1013639] Re: net-update verifcation checking is still insecure (aka gpg key shadowing, again)
Launchpad Bug Tracker
1013639 at bugs.launchpad.net
Fri Jun 15 20:37:24 UTC 2012
This bug was fixed in the package apt - 0.7.9ubuntu17.6
---------------
apt (0.7.9ubuntu17.6) hardy-security; urgency=low
* SECURITY UPDATE: Disable apt-key net-update for now, as validation
code is still insecure
- cmdline/apt-key: exit 1 immediately in net_update()
- CVE-2012-0954
- LP: #1013639
-- Jamie Strandboge <jamie at ubuntu.com> Fri, 15 Jun 2012 07:48:24 -0500
** Changed in: apt (Ubuntu Hardy)
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to apt in Ubuntu.
https://bugs.launchpad.net/bugs/1013639
Title:
net-update verifcation checking is still insecure (aka gpg key
shadowing, again)
Status in “apt” package in Ubuntu:
Fix Committed
Status in “apt” source package in Lucid:
Fix Committed
Status in “apt” source package in Natty:
Fix Committed
Status in “apt” source package in Oneiric:
Fix Committed
Status in “apt” source package in Precise:
Fix Committed
Status in “apt” source package in Quantal:
Fix Committed
Status in “apt” source package in Hardy:
Fix Released
Bug description:
This is related to but different than:
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/857472
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1013128
FYI:
http://seclists.org/fulldisclosure/2012/Jun/271
http://seclists.org/fulldisclosure/2012/Jun/289
The fix for both of the previous bugs was not enough. There is
reportedly an active exploit utilizing the Ubuntu CD Image Automatic
Signing Key.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1013639/+subscriptions
More information about the foundations-bugs
mailing list