CVE-2015-1330

Improper Authentication

Published: Jul 01, 2015 | Modified: Sep 22, 2017
CVSS 3.x: N/A
Source: NVD
CVSS 2.x: 6.8 MEDIUM (AV:N/AC:M/Au:N/C:P/I:P/A:P)
RedHat/V2
RedHat/V3
Ubuntu: MEDIUM

unattended-upgrades before 0.86.1 does not properly authenticate packages when the (1) force-confold or (2) force-confnew dpkg options are enabled in the DPkg::Options::* apt configuration, which allows remote man-in-the-middle attackers to upload and execute arbitrary packages via unspecified vectors.

Weakness

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Affected Software

Name                 Vendor     Start Version               End Version
Ubuntu_linux         Canonical  12.04 (including)           12.04 (including)
Ubuntu_linux         Canonical  14.04 (including)           14.04 (including)
Ubuntu_linux         Canonical  14.10 (including)           14.10 (including)
Ubuntu_linux         Canonical  15.04 (including)           15.04 (including)
Unattended-upgrades  Ubuntu     devel                       *
Unattended-upgrades  Ubuntu     precise                     *
Unattended-upgrades  Ubuntu     trusty                      *
Unattended-upgrades  Ubuntu     utopic                      *
Unattended-upgrades  Ubuntu     vivid                       *
Unattended-upgrades  Ubuntu     vivid/stable-phone-overlay  *
