Lucene search

DebianDEBIAN:DSA-3733-1:C3B84

HistoryDec 13, 2016 - 5:12 p.m.

[SECURITY] [DSA 3733-1] apt security update

2016-12-1317:12:42

lists.debian.org

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS3

5.9

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

AI Score

5.4

Confidence

High

EPSS

0.014

Percentile

86.2%

JSON

Debian Security Advisory DSA-3733-1 [email protected]
https://www.debian.org/security/ Salvatore Bonaccorso
December 13, 2016 https://www.debian.org/security/faq

Package : apt
CVE ID : CVE-2016-1252

Jann Horn of Google Project Zero discovered that APT, the high level
package manager, does not properly handle errors when validating
signatures on InRelease files. An attacker able to man-in-the-middle
HTTP requests to an apt repository that uses InRelease files
(clearsigned Release files), can take advantage of this flaw to
circumvent the signature of the InRelease file, leading to arbitrary
code execution.

For the stable distribution (jessie), this problem has been fixed in
version 1.0.9.8.4.

For the unstable distribution (sid), this problem has been fixed in
version 1.4~beta2.

We recommend that you upgrade your apt packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: [email protected]

OSVersionArchitecturePackageVersionFilename
Debian8armhfapt-transport-https< 1.0.9.8.4apt-transport-https_1.0.9.8.4_armhf.deb
Debian8s390xapt< 1.0.9.8.4apt_1.0.9.8.4_s390x.deb
Debian8arm64apt-utils< 1.0.9.8.4apt-utils_1.0.9.8.4_arm64.deb
Debian8i386libapt-inst1.5< 1.0.9.8.4libapt-inst1.5_1.0.9.8.4_i386.deb
Debian8armellibapt-pkg4.12< 1.0.9.8.4libapt-pkg4.12_1.0.9.8.4_armel.deb
Debian8kfreebsd-amd64libapt-pkg4.12< 1.0.9.8.4libapt-pkg4.12_1.0.9.8.4_kfreebsd-amd64.deb
Debian8kfreebsd-i386libapt-pkg4.12< 1.0.9.8.4libapt-pkg4.12_1.0.9.8.4_kfreebsd-i386.deb
Debian8mipsapt-transport-https< 1.0.9.8.4apt-transport-https_1.0.9.8.4_mips.deb
Debian8armellibapt-pkg-dev< 1.0.9.8.4libapt-pkg-dev_1.0.9.8.4_armel.deb
Debian8armhflibapt-pkg4.12< 1.0.9.8.4libapt-pkg4.12_1.0.9.8.4_armhf.deb

OS	Version	Architecture	Package	Version	Filename
Debian	8	armhf	apt-transport-https	< 1.0.9.8.4	apt-transport-https_1.0.9.8.4_armhf.deb
Debian	8	s390x	apt	< 1.0.9.8.4	apt_1.0.9.8.4_s390x.deb
Debian	8	arm64	apt-utils	< 1.0.9.8.4	apt-utils_1.0.9.8.4_arm64.deb
Debian	8	i386	libapt-inst1.5	< 1.0.9.8.4	libapt-inst1.5_1.0.9.8.4_i386.deb
Debian	8	armel	libapt-pkg4.12	< 1.0.9.8.4	libapt-pkg4.12_1.0.9.8.4_armel.deb
Debian	8	kfreebsd-amd64	libapt-pkg4.12	< 1.0.9.8.4	libapt-pkg4.12_1.0.9.8.4_kfreebsd-amd64.deb
Debian	8	kfreebsd-i386	libapt-pkg4.12	< 1.0.9.8.4	libapt-pkg4.12_1.0.9.8.4_kfreebsd-i386.deb
Debian	8	mips	apt-transport-https	< 1.0.9.8.4	apt-transport-https_1.0.9.8.4_mips.deb
Debian	8	armel	libapt-pkg-dev	< 1.0.9.8.4	libapt-pkg-dev_1.0.9.8.4_armel.deb
Debian	8	armhf	libapt-pkg4.12	< 1.0.9.8.4	libapt-pkg4.12_1.0.9.8.4_armhf.deb