> It allows for attacking a repository via MITM attacks, circumventing
the signature of the InRelease file.
> ("deb http://192.168.0.2:1337/debian/ jessie-updates main" or so).
[..] This simulates a MITM attack or compromised mirror.
That sounds like it matters, where that InRelease file comes
** Tags added: verification-done
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apt in Ubuntu.
https://bugs.launchpad.net/bugs/1647467
Title:
InRelease file splitter treats getline() errors as EOF
Status in apt package
This bug was fixed in the package apt - 1.4~beta2
---
apt (1.4~beta2) unstable; urgency=high
[ John R. Lenton ]
* bash-completion: Only complete understood file paths for install
(LP: #1645815)
[ Julian Andres Klode ]
* SECURITY UPDATE: gpgv: Check for errors when
** Tags added: patch
--
Title:
InRelease file splitter treats getline() errors as EOF
Status in apt package in Ubuntu:
** Information type changed from Private Security to Public Security
--
Title:
InRelease file splitter treats getline()
This bug was fixed in the package apt - 1.0.1ubuntu2.17
---
apt (1.0.1ubuntu2.17) trusty-security; urgency=high
* SECURITY UPDATE: gpgv: Check for errors when splitting files (CVE-2016-1252)
Thanks to Jann Horn, Google Project Zero for reporting the issue
(LP: #1647467)