CVE-2015-1330

Name: CVE-2015-1330
Description: unattended-upgrades before 0.86.1 does not properly authenticate packages when the (1) force-confold or (2) force-confnew dpkg options are enabled in the DPkg::Options::* apt configuration, which allows remote man-in-the-middle attackers to upload and execute arbitrary packages via unspecified vectors.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References: DLA-267-1, DSA-3297-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package             Release   Version      Status
unattended-upgrades (PTS)  buster    1.11.2       fixed
                           bullseye  2.8          fixed
                           bookworm  2.9.1+nmu3   fixed
                           trixie    2.9.1+nmu4   fixed
                           sid       2.10         fixed

The information below is based on the following data on fixed versions.

Package              Type    Release     Fixed Version        Urgency  Origin      Debian Bugs
unattended-upgrades  source  squeeze     0.62.2+squeeze1               DLA-267-1
unattended-upgrades  source  wheezy      0.79.5+wheezy2                DSA-3297-1
unattended-upgrades  source  jessie      0.83.3.2+deb8u1               DSA-3297-1
unattended-upgrades  source  (unstable)  0.86.1
