CVE-2016-1252

NameCVE-2016-1252
DescriptionThe apt package in Debian jessie before 1.0.9.8.4, in Debian unstable before 1.4~beta2, in Ubuntu 14.04 LTS before 1.0.1ubuntu2.17, in Ubuntu 16.04 LTS before 1.2.15ubuntu0.2, and in Ubuntu 16.10 before 1.3.2ubuntu0.1 allows man-in-the-middle attackers to bypass a repository-signing protection mechanism by leveraging improper error handling when validating InRelease file signatures.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDSA-3733-1
NVD severitymedium

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
apt (PTS)stretch1.4.10fixed
stretch (security)1.4.11fixed
buster, buster (security)1.8.2.2fixed
bullseye2.2.2fixed
sid2.2.3fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
aptsourcewheezy(not affected)
aptsourcejessie1.0.9.8.4DSA-3733-1
aptsource(unstable)1.4~beta2

Notes

[wheezy] - apt <not-affected> (Issue introduced in apt >= 0.9.8)
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1647467

Search for package or bug name: Reporting problems