1. Ubuntu Security Notices
  2. USN-1477-1

USN-1477-1: APT vulnerability

Publication date

15 June 2012

Overview

An attacker could trick APT into installing altered packages.

Releases

Packages

  • apt - Advanced front-end for dpkg

Details

Georgi Guninski discovered that APT did not properly validate imported
keyrings via apt-key net-update. USN-1475-1 added additional verification
for imported keyrings, but it was insufficient. If a remote attacker were
able to perform a machine-in-the-middle attack, this flaw could potentially be
used to install altered packages. This update corrects the issue by
disabling the net-update option completely. A future update will re-enable
the option with corrected verification.

Georgi Guninski discovered that APT did not properly validate imported
keyrings via apt-key net-update. USN-1475-1 added additional verification
for imported keyrings, but it was insufficient. If a remote attacker were
able to perform a machine-in-the-middle attack, this flaw could potentially be
used to install altered packages. This update corrects the issue by
disabling the net-update option completely. A future update will re-enable
the option with corrected verification.

Update instructions

In general, a standard system update will make all the necessary changes.

Learn more about how to get the fixes.

The problem can be corrected by updating your system to the following package versions:

Ubuntu Release Package Version
8.04 hardy apt –  0.7.9ubuntu17.6
12.04 precise apt –  0.8.16~exp12ubuntu10.2
11.10 oneiric apt –  0.8.16~exp5ubuntu13.5
11.04 natty apt –  0.8.13.2ubuntu4.6
10.04 lucid apt –  0.7.25.3ubuntu9.13

Reduce your security exposure

Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.

Get Ubuntu Pro

References

Have additional questions?

Talk to a member of the team ›