[Touch-packages] [Bug 1466380] Re: No authentication check if DPkg::Options::, --force-confold is set in apt conf

2015-07-01 Thread Launchpad Bug Tracker
This bug was fixed in the package unattended-upgrades - 0.86.1

---
unattended-upgrades (0.86.1) unstable; urgency=medium

  * fix missing package authentication check for apt
    configurations that force-{confold,confnew} (CVE-2015-1330)
    LP: #1466380

 -- Michael Vogt m...@debian.org  Mon, 29 Jun 2015 19:28:06 +0200

** Changed in: unattended-upgrades (Ubuntu Wily)
   Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to unattended-upgrades in
Ubuntu.
https://bugs.launchpad.net/bugs/1466380

Title:
  No authentication check if DPkg::Options::, --force-confold is set
  in apt conf

Status in unattended-upgrades package in Ubuntu:
  Fix Released
Status in unattended-upgrades source package in Precise:
  Fix Released
Status in unattended-upgrades source package in Trusty:
  Fix Released
Status in unattended-upgrades source package in Utopic:
  Fix Released
Status in unattended-upgrades source package in Vivid:
  Fix Released
Status in unattended-upgrades source package in Wily:
  Fix Released

Bug description:
  While doing code inspection I noticed that under certain circumstances
  unattended-upgrades will not perform an authentication check for the
  package it downloads. The trust for packages is checked in line 1242
  of the code, but that code only gets executed if
  dpkg_conffile_prompt() returns True.

  Attached is a patch against master with a fix and a test. This needs
  to be coordinated with Debian and added to all our releases. I will
  prepare debdiffs.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/unattended-upgrades/+bug/1466380/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
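
The control-flow flaw in the bug description above, as an added example that is not unattended-upgrades' own code: a simplified model with the trust check nested under dpkg_conffile_prompt() beside a version where it runs unconditionally. The Pkg class, both select_* functions, the conffile skip and the sample data are hypothetical, and the body of dpkg_conffile_prompt() is an assumption inferred from the bug title and changelog entry.

```python
from dataclasses import dataclass

# Options named in the changelog entry: force-{confold,confnew}
FORCE_OPTS = ("--force-confold", "--force-confnew")


@dataclass
class Pkg:  # constructed stand-in for an apt package candidate
    name: str
    trusted: bool  # True if the candidate comes from an authenticated origin
    changes_conffile: bool = False


def dpkg_conffile_prompt(dpkg_options):
    """Assumed behaviour: dpkg cannot prompt once a --force-conf* option is set."""
    return not any(opt in FORCE_OPTS for opt in dpkg_options)


def select_before_fix(pkgs, dpkg_options):
    """Trust check only reached inside the conffile-prompt branch (the reported flaw)."""
    selected = []
    for pkg in pkgs:
        if dpkg_conffile_prompt(dpkg_options):
            if not pkg.trusted:
                continue  # authentication check, skipped when the branch is not taken
            if pkg.changes_conffile:
                continue  # hypothetical: hold back packages that would prompt
        selected.append(pkg.name)
    return selected


def select_after_fix(pkgs, dpkg_options):
    """Trust check runs for every package, independent of conffile handling."""
    selected = []
    for pkg in pkgs:
        if not pkg.trusted:
            continue
        if dpkg_conffile_prompt(dpkg_options) and pkg.changes_conffile:
            continue
        selected.append(pkg.name)
    return selected


# Constructed sample data: one normal, one unauthenticated, one conffile-changing package
PKGS = [Pkg("libfoo", True), Pkg("unsigned-pkg", False), Pkg("conf-heavy", True, True)]

if __name__ == "__main__":
    for label, opts in (("default", []), ("force-confold", ["--force-confold"])):
        print(label, select_before_fix(PKGS, opts), select_after_fix(PKGS, opts))
```
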


[Touch-packages] [Bug 1466380] Re: No authentication check if DPkg::Options::, --force-confold is set in apt conf

2015-06-29 Thread Marc Deslauriers
** Information type changed from Private Security to Public Security


Status in unattended-upgrades package in Ubuntu:
  In Progress
Status in unattended-upgrades source package in Precise:
  Fix Released
Status in unattended-upgrades source package in Trusty:
  Fix Released
Status in unattended-upgrades source package in Utopic:
  Fix Released
Status in unattended-upgrades source package in Vivid:
  Fix Released
Status in unattended-upgrades source package in Wily:
  In Progress



[Touch-packages] [Bug 1466380] Re: No authentication check if DPkg::Options::, --force-confold is set in apt conf

2015-06-29 Thread Ubuntu Foundations Team Bug Bot
** Tags added: patch
