unattended-upgrades before 0.86.1 does not properly authenticate packages
when the (1) force-confold or (2) force-confnew dpkg options are enabled in
the DPkg::Options::* apt configuration, which allows remote
man-in-the-middle attackers to upload and execute arbitrary packages via
unspecified vectors.

OS | OS Version | Architecture | Package | Affected Package Version | Filename |
---|---|---|---|---|---|
ubuntu | 12.04 | noarch | unattended-upgrades | < 0.76ubuntu1.1 | UNKNOWN |
ubuntu | 14.04 | noarch | unattended-upgrades | < 0.82.1ubuntu2.3 | UNKNOWN |
ubuntu | 14.10 | noarch | unattended-upgrades | < 0.82.8ubuntu0.3 | UNKNOWN |
ubuntu | 15.04 | noarch | unattended-upgrades | < 0.83.6ubuntu1 | UNKNOWN |
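
A host-side exposure check for the condition described above, as an added example that is not part of the advisory: it scans `apt-config dump` output for `DPkg::Options` entries that enable force-confold or force-confnew, then compares the installed unattended-upgrades version against the table using dpkg's version ordering. The function names, the constructed `SAMPLE` input and the fallback to 0.86.1 for releases not in the table are assumptions.

```python
import re

# First non-affected version per Ubuntu release, from the table above.
FIXED = {"12.04": "0.76ubuntu1.1", "14.04": "0.82.1ubuntu2.3",
         "14.10": "0.82.8ubuntu0.3", "15.04": "0.83.6ubuntu1"}
UPSTREAM_FIXED = "0.86.1"  # assumption: used for releases not in the table

def _sign(x, y):
    return (x > y) - (x < y)

def _order(c):  # dpkg order: '~' first, then end of string, letters, the rest
    if c in ("", "~"):
        return -1 if c else 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):
    # Alternate non-digit runs (dpkg character order) and digit runs (numeric).
    i = j = 0
    while i < len(a) or j < len(b):
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ca = a[i] if i < len(a) and not a[i].isdigit() else ""
            cb = b[j] if j < len(b) and not b[j].isdigit() else ""
            if _order(ca) != _order(cb):
                return _sign(_order(ca), _order(cb))
            i, j = i + 1, j + 1
        da, db = re.match(r"\d*", a[i:]).group(), re.match(r"\d*", b[j:]).group()
        if int(da or 0) != int(db or 0):
            return _sign(int(da or 0), int(db or 0))
        i, j = i + len(da), j + len(db)
    return 0

def deb_cmp(a, b):
    def split(v):  # [epoch:]upstream[-revision]
        epoch, v = v.split(":", 1) if ":" in v else ("0", v)
        up, _, rev = v.rpartition("-") if "-" in v else (v, "", "")
        return int(epoch), up, rev
    (ea, ua, ra), (eb, ub, rb) = split(a), split(b)
    return _sign(ea, eb) or _cmp_part(ua, ub) or _cmp_part(ra, rb)

def risky_options(apt_dump):
    vals = re.findall(r'^DPkg::Options::\S*\s+"([^"]*)";', apt_dump, re.M | re.I)
    return [v for v in vals if re.search(r"--force-[\w,-]*conf(old|new)\b", v)]

def exposed(release, installed, apt_dump):
    fixed = FIXED.get(release, UPSTREAM_FIXED)
    return deb_cmp(installed, fixed) < 0 and bool(risky_options(apt_dump))

# Constructed sample of `apt-config dump` output.
SAMPLE = ('APT::Architecture "amd64";\nDPkg::Options "";\n'
          'DPkg::Options:: "--force-confdef";\nDPkg::Options:: "--force-confold";\n')
```

On a real host, pass the output of `apt-config dump` as `apt_dump` and the installed version reported by `dpkg-query -W unattended-upgrades` as `installed`.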