CVE-2016-1252

NameCVE-2016-1252
DescriptionThe apt package in Debian jessie before 1.0.9.8.4, in Debian unstable before 1.4~beta2, in Ubuntu 14.04 LTS before 1.0.1ubuntu2.17, in Ubuntu 16.04 LTS before 1.2.15ubuntu0.2, and in Ubuntu 16.10 before 1.3.2ubuntu0.1 allows man-in-the-middle attackers to bypass a repository-signing protection mechanism by leveraging improper error handling when validating InRelease file signatures.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDSA-3733-1
NVD severitymedium

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
apt (PTS)stretch1.4.9fixed
stretch (security)1.4.10fixed
buster1.8.2fixed
buster (security)1.8.2.1fixed
bullseye, sid2.1.6fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
aptsource(unstable)1.4~beta2
aptsourcejessie1.0.9.8.4DSA-3733-1
aptsourcewheezy(not affected)

Notes

[wheezy] - apt <not-affected> (Issue introduced in apt >= 0.9.8)
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1647467

Search for package or bug name: Reporting problems