Ubuntu Update For Apt USN-2348-1 Network Vulnerability

Solution

Please Install the Updated Packages.

Insight

It was discovered that APT did not re-verify downloaded files when the If-Modified-Since wasn't met. (CVE-2014-0487) It was discovered that APT did not invalidate repository data when it switched from an unauthenticated to an authenticated state. (CVE-2014-0488) It was discovered that the APT Acquire::GzipIndexes option caused APT to skip checksum validation. This issue only applied to Ubuntu 12.04 LTS and Ubuntu 14.04 LTS, and was not enabled by default. (CVE-2014-0489) It was discovered that APT did not correctly validate signatures when downloading source packages using the download command. This issue only applied to Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2014-0490)

Affected

apt on Ubuntu 14.04 LTS , Ubuntu 12.04 LTS , Ubuntu 10.04 LTS

References

https://lists.ubuntu.com/archives/ubuntu-security-announce/2014-September/002661.html

Updated on 2015-03-25

Severity

Classification

CVE CVE-2014-0487, CVE-2014-0488, CVE-2014-0489, CVE-2014-0490

CVSS	Base Score: 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P

Related Vulnerabilities

Ubuntu Update for apt USN-2348-1

Take action and discover your vulnerabilities