The apt package in Debian jessie before 1.0.9.8.4, in Debian unstable before 1.4~beta2, in Ubuntu 14.04 LTS before 1.0.1ubuntu2.17, in Ubuntu 16.04 LTS before 1.2.15ubuntu0.2, and in Ubuntu 16.10 before 1.3.2ubuntu0.1 allows man-in-the-middle attackers to bypass a repository-signing protection mechanism by leveraging improper error handling when validating InRelease file signatures.
References
Configurations
Configuration 1 (hide)
AND |
|
Configuration 2 (hide)
|
History
21 Nov 2024, 02:46
Type | Values Removed | Values Added |
---|---|---|
References | () http://packetstormsecurity.com/files/140145/apt-Repository-Signing-Bypass.html - Issue Tracking, Third Party Advisory, VDB Entry | |
References | () http://www.ubuntu.com/usn/USN-3156-1 - Third Party Advisory | |
References | () https://bugs.chromium.org/p/project-zero/issues/detail?id=1020 - Exploit, Issue Tracking, Third Party Advisory | |
References | () https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1647467 - Exploit, Issue Tracking, Third Party Advisory | |
References | () https://www.debian.org/security/2016/dsa-3733 - Issue Tracking, Vendor Advisory | |
References | () https://www.exploit-db.com/exploits/40916/ - Exploit, Issue Tracking, Third Party Advisory, VDB Entry |
Information
Published : 2017-12-05 16:29
Updated : 2024-11-21 02:46
NVD link : CVE-2016-1252
Mitre link : CVE-2016-1252
CVE.ORG link : CVE-2016-1252
JSON object : View
Products Affected
debian
- debian_linux
- advanced_package_tool
canonical
- ubuntu_linux
CWE
CWE-295
Improper Certificate Validation