Your submission was sent successfully! Close

CVE-2016-1252

Published: 13 December 2016

The apt package in Debian jessie before 1.0.9.8.4, in Debian unstable before 1.4~beta2, in Ubuntu 14.04 LTS before 1.0.1ubuntu2.17, in Ubuntu 16.04 LTS before 1.2.15ubuntu0.2, and in Ubuntu 16.10 before 1.3.2ubuntu0.1 allows man-in-the-middle attackers to bypass a repository-signing protection mechanism by leveraging improper error handling when validating InRelease file signatures.

Priority

High

CVSS 3 base score: 5.9

Status

Package Release Status
apt
Launchpad, Ubuntu, Debian
precise Not vulnerable
(InRelease file splitting code is not present)
trusty
Released (1.0.1ubuntu2.17)
upstream Needs triage

xenial
Released (1.2.15ubuntu0.2)
yakkety
Released (1.3.2ubuntu0.1)
zesty
Released (1.4~beta2)