CVE-2015-1330

Name: CVE-2015-1330
Description: unattended-upgrades before 0.86.1 does not properly authenticate packages when the (1) force-confold or (2) force-confnew dpkg options are enabled in the DPkg::Options::* apt configuration, which allows remote man-in-the-middle attackers to upload and execute arbitrary packages via unspecified vectors.
Source: CVE (at NVD)
References: DLA-267-1, DSA-3297-1
NVD severity: medium (attack range: remote)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package               Release               Version            Status
unattended-upgrades (PTS)    wheezy                0.79.5+wheezy2     fixed
unattended-upgrades (PTS)    wheezy (security)     0.79.5+wheezy3     fixed
unattended-upgrades (PTS)    jessie (security), jessie   0.83.3.2+deb8u1   fixed
unattended-upgrades (PTS)    stretch               0.93.1+nmu1        fixed
unattended-upgrades (PTS)    buster, sid           0.98               fixed

The information below is based on the following data on fixed versions.

Package                Type     Release      Fixed Version      Urgency   Origin       Debian Bugs
unattended-upgrades    source   (unstable)   0.86.1             medium    -            -
unattended-upgrades    source   jessie       0.83.3.2+deb8u1    medium    DSA-3297-1   -
unattended-upgrades    source   squeeze      0.62.2+squeeze1    medium    DLA-267-1    -
unattended-upgrades    source   wheezy       0.79.5+wheezy2     medium    DSA-3297-1   -
