This bug was fixed in the package update-manager - 1:0.154.5
---------------
update-manager (1:0.154.5) precise; urgency=low
[ Nicholas Skaggs ]
* lp:~nskaggs/update-manager/fix-for-702418:
- Removed gnome-power-manager dbus interface completely and
only use freedesktop interface.
Thanks to Nicholas Skaggs (LP: #702418)
[ Gabor Kelemen ]
* Replace gettext.install() with bindtextdomain() calls.
Work around crash in OptionParser when displaying
localized --help text, to not regress on bug LP: #557804
* Extract strings for translation from u-m-t and u-s-s executables
[ Marc Deslauriers ]
* SECURITY UPDATE: arbitrary code execution via directory traversal
(LP: #881548)
- UpdateManager/Core/DistUpgradeFetcherCore.py: verify signature before
unpacking the tarball.
- CVE-2011-3152
* SECURITY UPDATE: information leak via insecure temp file (LP: #881541)
- DistUpgrade/DistUpgradeViewKDE.py: use mkstemp instead of mktemp.
- CVE-2011-3154
[ Michael Vogt ]
* UpdateManager/UpdateManager.py:
- ensure that the origin headers state of "select all/dselect all"
is consistent
-- Michael Vogt <[email protected]> Tue, 29 Nov 2011 09:58:15 +0100
** Changed in: update-manager (Ubuntu Precise)
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/881548
Title:
Insecure use of tarfile module PRIOR to validation of the downloaded
tarfile
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/update-manager/+bug/881548/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
