Metric | Value |
---|---|
CVSS2 | 6.4 Medium |
Attack Vector | NETWORK |
Attack Complexity | LOW |
Authentication | NONE |
Confidentiality Impact | PARTIAL |
Integrity Impact | PARTIAL |
Availability Impact | NONE |
CVSS2 Vector | AV:N/AC:L/Au:N/C:P/I:P/A:N |
AI Score | 6.3 Medium |
AI Score Confidence | Low |
EPSS | 0.001 Low |
EPSS Percentile | 49.6% |

David Black discovered that Update Manager incorrectly extracted the
downloaded upgrade tarball before verifying its GPG signature. If a remote
attacker were able to perform a machine-in-the-middle attack, this flaw could
potentially be used to replace arbitrary files. (CVE-2011-3152)

David Black discovered that Update Manager created a temporary directory
in an insecure fashion. A local attacker could possibly use this flaw to
read the XAUTHORITY file of the user performing the upgrade.
(CVE-2011-3154)
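
Both flaws concern the order and location of unpacking. The following is an added example, not Update Manager's code: it checks the detached signature before any extraction and unpacks into a directory created with `mkdtemp`. The names `unpack_verified`, `gpgv_verify` and `demo`, the keyring argument and the sample file names are assumptions made for illustration.

```python
import os
import subprocess
import tarfile
import tempfile


def gpgv_verify(tarball, signature, keyring):
    """True only if gpgv accepts the detached signature (keyring path is an assumption)."""
    cmd = ["gpgv", "--keyring", keyring, signature, tarball]
    return subprocess.run(cmd, capture_output=True).returncode == 0


def unpack_verified(tarball, signature, verify):
    """Verify first, then extract into a private directory; return its path."""
    # CVE-2011-3152 class: no byte of the archive is unpacked before this check.
    if not verify(tarball, signature):
        raise ValueError("signature check failed, nothing extracted")
    # CVE-2011-3154 class: mkdtemp creates a new, unpredictably named
    # directory with mode 0700, so other local users cannot read its contents.
    workdir = tempfile.mkdtemp(prefix="upgrade-")
    root = os.path.realpath(workdir)
    with tarfile.open(tarball) as tar:
        for member in tar.getmembers():
            dest = os.path.realpath(os.path.join(root, member.name))
            if not member.isfile() or not dest.startswith(root + os.sep):
                continue  # skip links, devices and paths outside workdir
            os.makedirs(os.path.dirname(dest), exist_ok=True)
            with tar.extractfile(member) as src, open(dest, "wb") as out:
                out.write(src.read())
    return workdir


def demo():
    """Constructed input: a one-file tarball and two stand-in verifiers."""
    src = tempfile.mkdtemp()
    payload = os.path.join(src, "upgrade.sh")
    with open(payload, "w") as f:
        f.write("echo constructed sample\n")
    tarball = os.path.join(src, "dist.tar.gz")
    with tarfile.open(tarball, "w:gz") as tar:
        tar.add(payload, arcname="upgrade.sh")
    try:
        unpack_verified(tarball, tarball + ".gpg", lambda t, s: False)
        rejected = False
    except ValueError:
        rejected = True
    workdir = unpack_verified(tarball, tarball + ".gpg", lambda t, s: True)
    return rejected, workdir
```
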

This update also adds a hotfix to Update Notifier to handle cases where the
upgrade is being performed from CD media.

OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
Ubuntu | 8.04 | noarch | update-manager | < 1:0.87.31.1 | UNKNOWN |
Ubuntu | 8.04 | noarch | update-manager-core | < 1:0.87.31.1 | UNKNOWN |
Ubuntu | 11.10 | noarch | update-manager | < 1:0.152.25.5 | UNKNOWN |
Ubuntu | 11.10 | noarch | update-manager-core | < 1:0.152.25.5 | UNKNOWN |
Ubuntu | 11.04 | noarch | update-manager | < 1:0.150.5.1 | UNKNOWN |
Ubuntu | 11.04 | noarch | update-manager-core | < 1:0.150.5.1 | UNKNOWN |
Ubuntu | 11.04 | noarch | update-notifier | < 0.111ubuntu2.1 | UNKNOWN |
Ubuntu | 10.10 | noarch | update-manager | < 1:0.142.23.1 | UNKNOWN |
Ubuntu | 10.10 | noarch | update-manager-core | < 1:0.142.23.1 | UNKNOWN |
Ubuntu | 10.10 | noarch | update-notifier | < 0.105ubuntu1.1 | UNKNOWN |