CVE-2016-1252

NameCVE-2016-1252
DescriptionThe apt package in Debian jessie before 1.0.9.8.4, in Debian unstable before 1.4~beta2, in Ubuntu 14.04 LTS before 1.0.1ubuntu2.17, in Ubuntu 16.04 LTS before 1.2.15ubuntu0.2, and in Ubuntu 16.10 before 1.3.2ubuntu0.1 allows man-in-the-middle attackers to bypass a repository-signing protection mechanism by leveraging improper error handling when validating InRelease file signatures.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDSA-3733-1
NVD severitymedium (attack range: remote)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
apt (PTS)jessie (security), jessie1.0.9.8.4fixed
stretch1.4.8fixed
buster, sid1.6.1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
aptsource(unstable)1.4~beta2medium
aptsourcejessie1.0.9.8.4mediumDSA-3733-1
aptsourcewheezy(not affected)

Notes

[wheezy] - apt <not-affected> (Issue introduced in apt >= 0.9.8)
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1647467

Search for package or bug name: Reporting problems