PT-2016-4672 · Canonical+1 · Ubuntu+1
Credit: Jann Horn · Published 2016-12-13 · Updated 2026-05-04 · CVE-2016-1252
| CVSS v3.1 | 5.9 (Medium) |
| Vector | AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
APT on Debian stable (jessie), versions prior to 1.0.9.8.4
APT on Debian unstable, versions prior to 1.4~beta2
APT on Ubuntu 14.04 LTS, versions prior to 1.0.1ubuntu2.17
APT on Ubuntu 16.04 LTS, versions prior to 1.2.15ubuntu0.2
APT on Ubuntu 16.10, versions prior to 1.3.2ubuntu0.1
Description
The issue allows a man-in-the-middle attacker to bypass APT's repository-signing protection because of improper error handling when validating InRelease file signatures. An InRelease file is the repository's Release file with an inline (clearsigned) OpenPGP signature; APT verifies it by splitting the file into the signed payload and the signature block and running gpgv on the result, and errors in that step were not properly handled, so a crafted InRelease file could cause APT to accept content that gpgv had not actually verified. An attacker able to intercept HTTP requests to a repository that serves InRelease files can therefore substitute altered package indexes and packages, which APT installs as root, leading to arbitrary code execution. The high attack complexity in the CVSS vector reflects the network position required; the impact on integrity is total.
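The lesson of this bug is that the code which splits a clearsigned file into payload and signature must fail closed on every anomaly, because whatever it emits as "payload" is what the rest of the package manager trusts once gpgv says yes. The following splitter is an added illustration of that discipline, not apt's own code: it enforces the RFC 4880 cleartext-signature layout strictly (one signed block, only Hash: armor headers, nothing before BEGIN or after END, dash escaping reversed) and reports the first deviation instead of ignoring it. The sample file, the placeholder signature block and the helper names are all constructed for the example; gpgv, not this code, would do the cryptographic check.

```python
"""Fail-closed splitting of an OpenPGP cleartext-signed file (APT InRelease layout).

Added illustration, not apt's own code. APT splits an InRelease file into the
signed payload and the armored signature before asking gpgv to verify it;
CVE-2016-1252 was about errors in that step not being handled. Here every
deviation from the RFC 4880 section 7 layout is fatal, so the returned payload
is never something the verifier was not asked to check.
"""
from typing import Optional, Tuple

BEGIN_MSG = b"-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = b"-----BEGIN PGP SIGNATURE-----"
END_SIG = b"-----END PGP SIGNATURE-----"


class ClearsignError(ValueError):
    """Any structural anomaly in the clearsigned file."""


def split_clearsigned(data: bytes) -> Tuple[bytes, bytes]:
    """Return (payload, armored_signature) or raise ClearsignError.

    Stricter than the RFC on purpose: exactly one signed block, only 'Hash:'
    armor headers, no text before BEGIN or after END, LF line endings only
    (a CRLF file fails the exact BEGIN match), and dash escaping is reversed
    so a payload line that reads '-----BEGIN PGP SIGNATURE-----' after
    unescaping cannot be confused with the real armor line.
    """
    if not data.endswith(b"\n"):
        raise ClearsignError("file does not end with a newline")
    lines = data[:-1].split(b"\n")
    state = "preamble"
    payload = []
    signature = []
    hash_headers = 0
    for lineno, line in enumerate(lines, 1):
        if state == "preamble":
            if line != BEGIN_MSG:
                raise ClearsignError(f"line {lineno}: data before {BEGIN_MSG.decode()}")
            state = "headers"
        elif state == "headers":
            if line == b"":
                if hash_headers == 0:
                    raise ClearsignError(f"line {lineno}: no Hash armor header")
                state = "payload"
            elif line.startswith(b"Hash: "):
                hash_headers += 1
            else:
                raise ClearsignError(f"line {lineno}: unexpected armor header {line!r}")
        elif state == "payload":
            if line == BEGIN_SIG:
                if not payload:
                    raise ClearsignError(f"line {lineno}: empty signed payload")
                signature.append(line)
                state = "signature"
            elif line.startswith(b"- "):
                payload.append(line[2:])  # reverse dash escaping
            elif line.startswith(b"-"):
                # Unescaped dash at line start: a stray armor line (e.g. a second
                # BEGIN PGP SIGNED MESSAGE) or a malformed escape. gpgv and this
                # splitter could disagree about such a line, so refuse it.
                raise ClearsignError(f"line {lineno}: unescaped '-' at start of payload line")
            else:
                payload.append(line)
        elif state == "signature":
            signature.append(line)
            if line == END_SIG:
                state = "done"
        else:  # state == "done": nothing may follow the END line
            raise ClearsignError(f"line {lineno}: trailing data after {END_SIG.decode()}")
    if state != "done":
        raise ClearsignError(f"truncated file, parser ended in state {state!r}")
    return b"\n".join(payload) + b"\n", b"\n".join(signature) + b"\n"


def layout_error(data: bytes) -> Optional[str]:
    """None if the file is well formed, otherwise the reason it was rejected."""
    try:
        split_clearsigned(data)
    except ClearsignError as exc:
        return str(exc)
    return None


# Constructed sample in InRelease layout. The signature block is a placeholder,
# not a real OpenPGP signature: this module checks layout only.
SAMPLE = b"\n".join([
    BEGIN_MSG,
    b"Hash: SHA256",
    b"",
    b"Origin: Example",
    b"Suite: stable",
    b"- -----dash-escaped payload line-----",
    b"SHA256:",
    b" " + b"0" * 64 + b" 1234 main/binary-amd64/Packages",
    BEGIN_SIG,
    b"",
    b"iQEzBAEBCAAdFiEEplaceholderNotARealSignature",
    b"=AAAA",
    END_SIG,
    b"",
])

# The same bytes with attacker content appended after the signature: the kind
# of input a splitter must reject outright rather than partially accept.
SAMPLE_TRAILING = SAMPLE + b"Suite: evil\n"
```

Run `layout_error()` over a captured InRelease file to see which rule it trips, and keep the returned payload only when the function raised nothing; the point is that there is no code path in which a partially written payload is handed onward.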
Recommendations
For APT on Debian stable (jessie) prior to 1.0.9.8.4, update to version 1.0.9.8.4 or later.
For APT on Debian unstable prior to 1.4~beta2, update to version 1.4~beta2 or later.
For APT on Ubuntu 14.04 LTS prior to 1.0.1ubuntu2.17, update to version 1.0.1ubuntu2.17 or later.
For APT on Ubuntu 16.04 LTS prior to 1.2.15ubuntu0.2, update to version 1.2.15ubuntu0.2 or later.
For APT on Ubuntu 16.10 prior to 1.3.2ubuntu0.1, update to version 1.3.2ubuntu0.1 or later.
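"Prior to" in the list above means prior in dpkg's version ordering, which has a trap relevant here: the tilde sorts before everything, including the end of the string, so 1.4~beta2 is older than 1.4 while a hypothetical 1.4beta2 would be newer. The following is an added example, not apt's or dpkg's code: a Python rendering of the dpkg comparison rules (Debian Policy section 5.6.12) applied to the fixed versions on this page, so an installed version can be checked offline. The release keys and the `is_vulnerable` helper are this example's own naming; the `dpkg-query` call in the main guard is the standard way to read the installed version and runs only when the script is executed directly.

```python
"""Check an installed apt version against the fixed versions in this advisory.

Added example, not apt's or dpkg's code. The ordering below follows dpkg's
version comparison: epoch, then upstream version, then Debian revision, with
'~' sorting before anything including the end of the string, so
1.4~beta2 < 1.4 and 1.4~beta1 < 1.4~beta2.
"""
import subprocess
from typing import Callable, Tuple

# Fixed versions taken from the advisory text; the keys are this example's own.
FIXED_VERSIONS = {
    "debian-jessie": "1.0.9.8.4",
    "debian-unstable": "1.4~beta2",
    "ubuntu-14.04": "1.0.1ubuntu2.17",
    "ubuntu-16.04": "1.2.15ubuntu0.2",
    "ubuntu-16.10": "1.3.2ubuntu0.1",
}


def _split_version(v: str) -> Tuple[int, str, str]:
    """Split '[epoch:]upstream[-revision]' into its three parts."""
    epoch = 0
    if ":" in v:
        epoch_str, v = v.split(":", 1)
        epoch = int(epoch_str)
    if "-" in v:
        upstream, revision = v.rsplit("-", 1)
    else:
        upstream, revision = v, ""
    return epoch, upstream, revision


def _order(c: str) -> int:
    """dpkg's weight for one character of a non-digit run ('' = end of run)."""
    if c == "~":
        return -1
    if c == "":
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _take(s: str, pred: Callable[[str], bool]) -> Tuple[str, str]:
    """Split s into (longest prefix whose characters satisfy pred, rest)."""
    i = 0
    while i < len(s) and pred(s[i]):
        i += 1
    return s[:i], s[i:]


def _cmp_fragment(a: str, b: str) -> int:
    """Compare two version fragments, alternating non-digit and digit runs."""
    while a or b:
        ra, a = _take(a, lambda c: not c.isdigit())
        rb, b = _take(b, lambda c: not c.isdigit())
        for i in range(max(len(ra), len(rb))):
            wa = _order(ra[i] if i < len(ra) else "")
            wb = _order(rb[i] if i < len(rb) else "")
            if wa != wb:
                return -1 if wa < wb else 1
        da, a = _take(a, str.isdigit)
        db, b = _take(b, str.isdigit)
        na, nb = int(da or "0"), int(db or "0")  # numeric: 10 > 9, 02 == 2
        if na != nb:
            return -1 if na < nb else 1
    return 0


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1, ordering a and b the way dpkg --compare-versions does."""
    ea, ua, ra = _split_version(a)
    eb, ub, rb = _split_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)


def is_vulnerable(release: str, installed: str) -> bool:
    """True when the installed version is older than the fix for that release."""
    return compare_versions(installed, FIXED_VERSIONS[release]) < 0


if __name__ == "__main__":
    import sys
    release = sys.argv[1] if len(sys.argv) > 1 else "ubuntu-16.04"
    installed = subprocess.run(
        ["dpkg-query", "-W", "-f=${Version}", "apt"],
        check=True, capture_output=True, text=True,
    ).stdout.strip()
    print(release, installed, "VULNERABLE" if is_vulnerable(release, installed) else "fixed")
```

Pass the release key as the first argument (for example `python3 check_apt.py debian-jessie`); the comparison itself is pure Python, so the same functions can be used to triage versions collected from many hosts.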
Weakness Enumeration
Improper Certificate Validation (CWE-295)
Related Identifiers
DSA-3733-1 (Debian), USN-3156-1 (Ubuntu)
Affected Products
Debian
Ubuntu