*** This bug is a security vulnerability ***

Public security bug reported:

Zesty and later (LP: #1363482) are no longer shipping with 1024D keys
but older LTS releases (Trusty/Xenial) still trust those weak keys:

$ lsb_release -sc
xenial

$ apt-key list
/etc/apt/trusted.gpg
--------------------
pub   1024D/437D05B5 2004-09-12
uid                  Ubuntu Archive Automatic Signing Key <ftpmas...@ubuntu.com>
sub   2048g/79164387 2004-09-12

pub   4096R/C0B21F32 2012-05-11
uid                  Ubuntu Archive Automatic Signing Key (2012) 
<ftpmas...@ubuntu.com>

pub   4096R/EFE21092 2012-05-11
uid                  Ubuntu CD Image Automatic Signing Key (2012) 
<cdim...@ubuntu.com>

pub   1024D/FBB75451 2004-12-30
uid                  Ubuntu CD Image Automatic Signing Key <cdim...@ubuntu.com>


On Xenial, I found no problem after deleting the 2 1024D keys:

$ sudo apt-key del 2A38B3EB
$ sudo apt-key del 437D05B5
$ sudo apt-get -qq update
$ echo $? # returned 0


On Trusty, it seems that removing the key 437D05B5 leads to warnings due to the 
double-signing:

$ sudo apt-key del 2A38B3EB
$ sudo apt-key del 437D05B5
$ sudo apt-get -qq update
W: There is no public key available for the following key IDs:
40976EAF437D05B5
W: There is no public key available for the following key IDs:
40976EAF437D05B5
W: There is no public key available for the following key IDs:
40976EAF437D05B5
$ echo $? # returned 0

It seems that "apt-get update" is still happy as it can validate using
the stronger key.

** Affects: ubuntu-keyring (Ubuntu)
     Importance: Undecided
         Status: New

** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to ubuntu-keyring in Ubuntu.
https://bugs.launchpad.net/bugs/1786471

Title:
  remove 1024D keys from ubuntu-keyring on older LTS

Status in ubuntu-keyring package in Ubuntu:
  New

Bug description:
  Zesty and later (LP: #1363482) are no longer shipping with 1024D keys
  but older LTS releases (Trusty/Xenial) still trust those weak keys:

  $ lsb_release -sc
  xenial

  $ apt-key list
  /etc/apt/trusted.gpg
  --------------------
  pub   1024D/437D05B5 2004-09-12
  uid                  Ubuntu Archive Automatic Signing Key 
<ftpmas...@ubuntu.com>
  sub   2048g/79164387 2004-09-12

  pub   4096R/C0B21F32 2012-05-11
  uid                  Ubuntu Archive Automatic Signing Key (2012) 
<ftpmas...@ubuntu.com>

  pub   4096R/EFE21092 2012-05-11
  uid                  Ubuntu CD Image Automatic Signing Key (2012) 
<cdim...@ubuntu.com>

  pub   1024D/FBB75451 2004-12-30
  uid                  Ubuntu CD Image Automatic Signing Key 
<cdim...@ubuntu.com>

  
  On Xenial, I found no problem after deleting the 2 1024D keys:

  $ sudo apt-key del 2A38B3EB
  $ sudo apt-key del 437D05B5
  $ sudo apt-get -qq update
  $ echo $? # returned 0

  
  On Trusty, it seems that removing the key 437D05B5 leads to warnings due to 
the double-signing:

  $ sudo apt-key del 2A38B3EB
  $ sudo apt-key del 437D05B5
  $ sudo apt-get -qq update
  W: There is no public key available for the following key IDs:
  40976EAF437D05B5
  W: There is no public key available for the following key IDs:
  40976EAF437D05B5
  W: There is no public key available for the following key IDs:
  40976EAF437D05B5
  $ echo $? # returned 0

  It seems that "apt-get update" is still happy as it can validate using
  the stronger key.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ubuntu-keyring/+bug/1786471/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp

Reply via email to