CVE-2016-1252

The apt package in Debian jessie before 1.0.9.8.4, in Debian unstable before 1.4~beta2, in Ubuntu 14.04 LTS before 1.0.1ubuntu2.17, in Ubuntu 16.04 LTS before 1.2.15ubuntu0.2, and in Ubuntu 16.10 before 1.3.2ubuntu0.1 allows man-in-the-middle attackers to bypass a repository-signing protection mechanism by leveraging improper error handling when validating InRelease file signatures.
References
Link Resource
http://packetstormsecurity.com/files/140145/apt-Repository-Signing-Bypass.html Issue Tracking Third Party Advisory VDB Entry
http://www.ubuntu.com/usn/USN-3156-1 Third Party Advisory
https://bugs.chromium.org/p/project-zero/issues/detail?id=1020 Exploit Issue Tracking Third Party Advisory
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1647467 Exploit Issue Tracking Third Party Advisory
https://www.debian.org/security/2016/dsa-3733 Issue Tracking Vendor Advisory
https://www.exploit-db.com/exploits/40916/ Exploit Issue Tracking Third Party Advisory VDB Entry
http://packetstormsecurity.com/files/140145/apt-Repository-Signing-Bypass.html Issue Tracking Third Party Advisory VDB Entry
http://www.ubuntu.com/usn/USN-3156-1 Third Party Advisory
https://bugs.chromium.org/p/project-zero/issues/detail?id=1020 Exploit Issue Tracking Third Party Advisory
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1647467 Exploit Issue Tracking Third Party Advisory
https://www.debian.org/security/2016/dsa-3733 Issue Tracking Vendor Advisory
https://www.exploit-db.com/exploits/40916/ Exploit Issue Tracking Third Party Advisory VDB Entry
Configurations

Configuration 1 (hide)

AND
cpe:2.3:a:debian:advanced_package_tool:*:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*

Configuration 2 (hide)

OR cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:16.10:*:*:*:*:*:*:*

History

21 Nov 2024, 02:46

Type Values Removed Values Added
References () http://packetstormsecurity.com/files/140145/apt-Repository-Signing-Bypass.html - Issue Tracking, Third Party Advisory, VDB Entry () http://packetstormsecurity.com/files/140145/apt-Repository-Signing-Bypass.html - Issue Tracking, Third Party Advisory, VDB Entry
References () http://www.ubuntu.com/usn/USN-3156-1 - Third Party Advisory () http://www.ubuntu.com/usn/USN-3156-1 - Third Party Advisory
References () https://bugs.chromium.org/p/project-zero/issues/detail?id=1020 - Exploit, Issue Tracking, Third Party Advisory () https://bugs.chromium.org/p/project-zero/issues/detail?id=1020 - Exploit, Issue Tracking, Third Party Advisory
References () https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1647467 - Exploit, Issue Tracking, Third Party Advisory () https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1647467 - Exploit, Issue Tracking, Third Party Advisory
References () https://www.debian.org/security/2016/dsa-3733 - Issue Tracking, Vendor Advisory () https://www.debian.org/security/2016/dsa-3733 - Issue Tracking, Vendor Advisory
References () https://www.exploit-db.com/exploits/40916/ - Exploit, Issue Tracking, Third Party Advisory, VDB Entry () https://www.exploit-db.com/exploits/40916/ - Exploit, Issue Tracking, Third Party Advisory, VDB Entry

Information

Published : 2017-12-05 16:29

Updated : 2024-11-21 02:46


NVD link : CVE-2016-1252

Mitre link : CVE-2016-1252

CVE.ORG link : CVE-2016-1252


JSON object : View

Products Affected

debian

  • debian_linux
  • advanced_package_tool

canonical

  • ubuntu_linux
CWE
CWE-295

Improper Certificate Validation