USN-1283-1: APT vulnerability

Publication date

28 November 2011

Overview

APT could be made to expose sensitive information over the network.


Packages

  • apt - Advanced front-end for dpkg

Details

It was discovered that APT incorrectly handled the Verify-Host
configuration option. If a remote attacker were able to perform a
machine-in-the-middle attack, this flaw could potentially be used to steal
repository credentials. This issue only affected Ubuntu 10.04 LTS and
10.10. (CVE-2011-3634)

USN-1215-1 fixed a vulnerability in APT by disabling the apt-key net-update
option. This update re-enables the option with corrected verification.
Original advisory details:
It was discovered that the apt-key utility incorrectly verified GPG
keys when downloaded via the net-update option. If a remote attacker were
able to perform a machine-in-the-middle attack, this flaw could potentially be
used to install altered packages.

It was discovered that APT incorrectly handled the Verify-Host
configuration option. If a remote attacker were able to perform a
machine-in-the-middle attack, this flaw could potentially be used to steal
repository credentials. This issue only affected Ubuntu 10.04 LTS and
10.10. (CVE-2011-3634)

USN-1215-1 fixed a vulnerability in APT by disabling the apt-key net-update
option. This update re-enables the option with corrected verification.
Original advisory details:
It was discovered that the apt-key utility incorrectly verified GPG
keys when downloaded via the net-update option. If a remote attacker were
able to perform a machine-in-the-middle attack, this flaw could potentially be
used to install altered packages.

Update instructions

In general, a standard system update will make all the necessary changes.

Learn more about how to get the fixes.

The problem can be corrected by updating your system to the following package versions:

Ubuntu Release Package Version
8.04 hardy apt –  0.7.9ubuntu17.4
11.04 natty apt –  0.8.13.2ubuntu4.3
10.10 maverick apt –  0.8.3ubuntu7.3
10.04 lucid apt –  0.7.25.3ubuntu9.9

Reduce your security exposure

Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.


Have additional questions?

Talk to a member of the team ›