USN-2353-1: APT vulnerability

23 September 2014

APT could be made to crash or run programs if it received specially crafted network traffic.

Releases

Packages

  • apt - Advanced front-end for dpkg

Details

It was discovered that APT incorrectly handled certain http URLs. If a
remote attacker were able to perform a man-in-the-middle attack, this flaw
could be exploited to cause APT to crash, resulting in a denial of service,
or possibly execute arbitrary code. The default compiler options for
affected releases should reduce the vulnerability to a denial of service.
(CVE-2014-6273)

In addition, this update fixes regressions introduced by the USN-2348-1
security update: APT incorrectly handled file:/// sources on a different
partition, incorrectly handled Dir::state::lists set to a relative path,
and incorrectly handled cdrom: sources.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 14.04
Ubuntu 12.04
Ubuntu 10.04

In general, a standard system update will make all the necessary changes.

References