[Touch-packages] [Bug 1466380] Re: No authentication check if DPkg::Options::", "--force-confold" is set in apt conf
This bug was fixed in the package unattended-upgrades - 0.86.1

---
unattended-upgrades (0.86.1) unstable; urgency=medium

  * fix missing package authentication check for apt configurations
    that force-{confold,confnew} (CVE-2015-1330) LP: #1466380

 -- Michael Vogt  Mon, 29 Jun 2015 19:28:06 +0200

** Changed in: unattended-upgrades (Ubuntu Wily)
       Status: In Progress => Fix Released

--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to unattended-upgrades in
Ubuntu.
https://bugs.launchpad.net/bugs/1466380

Title:
  No authentication check if DPkg::Options::", "--force-confold" is set in apt conf

Status in unattended-upgrades package in Ubuntu:
  Fix Released
Status in unattended-upgrades source package in Precise:
  Fix Released
Status in unattended-upgrades source package in Trusty:
  Fix Released
Status in unattended-upgrades source package in Utopic:
  Fix Released
Status in unattended-upgrades source package in Vivid:
  Fix Released
Status in unattended-upgrades source package in Wily:
  Fix Released

Bug description:
  While doing code inspection I noticed that under certain circumstances
  unattended-upgrades will not perform an authentication check for the
  package it downloads.

  The trust for packages is checked in line 1242 of the code, but that
  code only gets executed if dpkg_conffile_prompt() returns True.

  Attached is a patch against master with a fix and a test. This needs
  to be coordinated with debian and added to all our releases. I will
  prepare debdiffs.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/unattended-upgrades/+bug/1466380/+subscriptions

--
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1466380] Re: No authentication check if DPkg::Options::", "--force-confold" is set in apt conf
** Tags added: patch

Status in unattended-upgrades package in Ubuntu:
  In Progress
Status in unattended-upgrades source package in Precise:
  Fix Released
Status in unattended-upgrades source package in Trusty:
  Fix Released
Status in unattended-upgrades source package in Utopic:
  Fix Released
Status in unattended-upgrades source package in Vivid:
  Fix Released
Status in unattended-upgrades source package in Wily:
  In Progress
[Touch-packages] [Bug 1466380] Re: No authentication check if DPkg::Options::", "--force-confold" is set in apt conf
** Information type changed from Private Security to Public Security

Status in unattended-upgrades package in Ubuntu:
  In Progress
Status in unattended-upgrades source package in Precise:
  Fix Released
Status in unattended-upgrades source package in Trusty:
  Fix Released
Status in unattended-upgrades source package in Utopic:
  Fix Released
Status in unattended-upgrades source package in Vivid:
  Fix Released
Status in unattended-upgrades source package in Wily:
  In Progress
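
The control-flow flaw reported in the bug description, as a simplified model added here (not code from unattended-upgrades or from the attached patch): a trust check nested under dpkg_conffile_prompt() is skipped whenever a force-conf option is configured, while the corrected shape checks trust first. The package dictionaries, select_vulnerable, select_fixed and the body of dpkg_conffile_prompt are assumptions made for illustration.

```python
# Simplified model of LP #1466380 / CVE-2015-1330 (constructed; not project code).
FORCE_OPTIONS = {"--force-confold", "--force-confnew"}


def dpkg_conffile_prompt(dpkg_options):
    # Assumed behaviour: dpkg may prompt unless a force-conf option is set.
    return not any(opt.strip() in FORCE_OPTIONS for opt in dpkg_options)


def select_vulnerable(candidates, dpkg_options):
    """Pre-fix shape: the trust check lives inside the conffile branch."""
    selected = []
    for pkg in candidates:
        if dpkg_conffile_prompt(dpkg_options):
            if not pkg["trusted"]:
                continue  # untrusted packages are skipped only on this path
            if pkg["conffile_changed"]:
                continue  # would prompt, so hold the package back
        # With --force-conf{old,new} nothing above ran, trust included.
        selected.append(pkg["name"])
    return selected


def select_fixed(candidates, dpkg_options):
    """Post-fix shape: authentication is checked on every path."""
    selected = []
    for pkg in candidates:
        if not pkg["trusted"]:
            continue
        if dpkg_conffile_prompt(dpkg_options) and pkg["conffile_changed"]:
            continue
        selected.append(pkg["name"])
    return selected


# Constructed sample candidates (hypothetical names and fields).
CANDIDATES = [
    {"name": "signed-pkg", "trusted": True, "conffile_changed": False},
    {"name": "conf-pkg", "trusted": True, "conffile_changed": True},
    {"name": "unsigned-pkg", "trusted": False, "conffile_changed": False},
]

if __name__ == "__main__":
    for opts in ([], ["--force-confold"], ["--force-confnew"]):
        print(opts, "vulnerable:", select_vulnerable(CANDIDATES, opts))
        print(opts, "fixed:     ", select_fixed(CANDIDATES, opts))
```

A regression test for this class of bug asserts that the untrusted package is rejected under every DPkg::Options setting, not only the default one.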