CVE-2016-1252

Published: 13 December 2016

The apt package in Debian jessie before 1.0.9.8.4, in Debian unstable before 1.4~beta2, in Ubuntu 14.04 LTS before 1.0.1ubuntu2.17, in Ubuntu 16.04 LTS before 1.2.15ubuntu0.2, and in Ubuntu 16.10 before 1.3.2ubuntu0.1 allows man-in-the-middle attackers to bypass a repository-signing protection mechanism by leveraging improper error handling when validating InRelease file signatures.

Priority

High

CVSS 3 base score: 5.9

Status

Package Release Status
apt
Launchpad, Ubuntu, Debian
Upstream Needs triage

Ubuntu 16.04 LTS (Xenial Xerus)
Released (1.2.15ubuntu0.2)
Ubuntu 14.04 ESM (Trusty Tahr)
Released (1.0.1ubuntu2.17)
Ubuntu 12.04 ESM (Precise Pangolin) Not vulnerable
(InRelease file splitting code is not present)