USN-2348-1: APT vulnerabilities
16 September 2014
apt vulnerabilities
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS
- Ubuntu 10.04 LTS
Summary
Several security issues were fixed in APT.
Software Description
- apt - Advanced front-end for dpkg
Details
It was discovered that APT did not re-verify downloaded files when the If-Modified-Since wasn’t met. (CVE-2014-0487)
It was discovered that APT did not invalidate repository data when it switched from an unauthenticated to an authenticated state. (CVE-2014-0488)
It was discovered that the APT Acquire::GzipIndexes option caused APT to skip checksum validation. This issue only applied to Ubuntu 12.04 LTS and Ubuntu 14.04 LTS, and was not enabled by default. (CVE-2014-0489)
It was discovered that APT did not correctly validate signatures when manually downloading packages using the download command. This issue only applied to Ubuntu 12.04 LTS. (CVE-2014-0490)
Update instructions
The problem can be corrected by updating your system to the following package versions:
- Ubuntu 14.04 LTS
- apt - 1.0.1ubuntu2.3
- Ubuntu 12.04 LTS
- apt - 0.8.16~exp12ubuntu10.19
- Ubuntu 10.04 LTS
- apt - 0.7.25.3ubuntu9.16
To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.
In general, a standard system update will make all the necessary changes.