Georgi Guninski discovered that APT relied on GnuPG argument order and did
not check GPG subkeys when validating imported keyrings via apt-key
net-update. While it appears that a machine-in-the-middle attacker cannot
exploit this, as a hardening measure this update adjusts apt-key to
validate all subkeys when checking for key collisions.
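
An added illustration of why subkeys matter in a key-collision check (not apt-key's own code): it parses constructed `gpg --with-colons` style listings and compares key IDs between a trusted master keyring and an incoming keyring, first on primary keys only and then with subkeys included. The listings, key IDs and function names are assumptions made for this example.

```python
# Constructed listings in the style of `gpg --with-colons --list-keys`.
# Field 1 is the record type (pub = primary key, sub = subkey) and
# field 5 is the 64-bit key ID. Every key ID here is made up.
MASTER_LISTING = """\
pub:-:4096:1:AAAAAAAAAAAA0001:2012-01-01:::-:Constructed Master Key:
sub:-:4096:1:AAAAAAAAAAAA0002:2012-01-01::::
"""

# Incoming keyring: the primary key ID is new, but the subkey reuses
# the key ID of the master key.
INCOMING_LISTING = """\
pub:-:4096:1:BBBBBBBBBBBB0001:2012-02-01:::-:Constructed Archive Key:
sub:-:4096:1:AAAAAAAAAAAA0001:2012-02-01::::
"""


def key_ids(listing, record_types):
    """Return the set of key IDs found on records of the given types."""
    ids = set()
    for line in listing.splitlines():
        fields = line.split(":")
        # Select by record type and explicit field, not by line position.
        if len(fields) > 4 and fields[0] in record_types and fields[4]:
            ids.add(fields[4].upper())
    return ids


def collisions(master, incoming, record_types=("pub", "sub")):
    """Key IDs present in both keyrings, for the given record types."""
    return sorted(key_ids(master, record_types) & key_ids(incoming, record_types))


def safe_to_import(master, incoming):
    """Reject the incoming keyring if any primary key or subkey collides."""
    return not collisions(master, incoming)


if __name__ == "__main__":
    print("primary keys only:", collisions(MASTER_LISTING, INCOMING_LISTING, ("pub",)))
    print("with subkeys:     ", collisions(MASTER_LISTING, INCOMING_LISTING))
    print("safe to import:   ", safe_to_import(MASTER_LISTING, INCOMING_LISTING))
```

A check limited to `pub` records reports no collision for this input, while the check that also reads `sub` records flags the reused key ID and rejects the keyring.
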

OS | OS Version | Architecture | Package | Package Version | Filename |
---|---|---|---|---|---|
Ubuntu | 8.04 | noarch | apt | < 0.7.9ubuntu17.5 | UNKNOWN |
Ubuntu | 8.04 | noarch | apt-transport-https | < 0.7.9ubuntu17.5 | UNKNOWN |
Ubuntu | 8.04 | noarch | apt-utils | < 0.7.9ubuntu17.5 | UNKNOWN |
Ubuntu | 8.04 | noarch | libapt-pkg-dev | < 0.7.9ubuntu17.5 | UNKNOWN |
Ubuntu | 12.04 | noarch | apt | < 0.8.16~exp12ubuntu10.1 | UNKNOWN |
Ubuntu | 12.04 | noarch | apt-transport-https | < 0.8.16~exp12ubuntu10.1 | UNKNOWN |
Ubuntu | 12.04 | noarch | apt-utils | < 0.8.16~exp12ubuntu10.1 | UNKNOWN |
Ubuntu | 12.04 | noarch | libapt-inst1.4 | < 0.8.16~exp12ubuntu10.1 | UNKNOWN |
Ubuntu | 12.04 | noarch | libapt-pkg-dev | < 0.8.16~exp12ubuntu10.1 | UNKNOWN |
Ubuntu | 12.04 | noarch | libapt-pkg4.12 | < 0.8.16~exp12ubuntu10.1 | UNKNOWN |