This bug was fixed in the package unattended-upgrades - 0.86.1
---------------
unattended-upgrades (0.86.1) unstable; urgency=medium
* fix missing package authentication check for apt
configurations that force-{confold,confnew} (CVE-2015-1330)
LP: #1466380
-- Michael Vogt <m...@debian.org> Mon, 29 Jun 2015 19:28:06 +0200
** Changed in: unattended-upgrades (Ubuntu Wily)
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to unattended-upgrades in
Ubuntu.
https://bugs.launchpad.net/bugs/1466380
Title:
No authentication check if DPkg::Options::", "--force-confold" is set
in apt conf
Status in unattended-upgrades package in Ubuntu:
Fix Released
Status in unattended-upgrades source package in Precise:
Fix Released
Status in unattended-upgrades source package in Trusty:
Fix Released
Status in unattended-upgrades source package in Utopic:
Fix Released
Status in unattended-upgrades source package in Vivid:
Fix Released
Status in unattended-upgrades source package in Wily:
Fix Released
Bug description:
While doing code inspection I noticed that under certain circumstances
unattended-upgrades will not perform a authentication check for the
package it downloads. The trust for packages is checked in line 1242
of the code, but that code only gets executed if
dpkg_conffile_prompt() returns True.
Attached is a patch against master with a fix and a test. This needs
to be coordinated with debian and added to all our releases. I will
prepare debdiffs.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/unattended-upgrades/+bug/1466380/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
