USN-4247-3

See a problem?
Source
https://ubuntu.com/security/notices/USN-4247-3
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/USN-4247-3.json
JSON Data
https://api.osv.dev/v1/vulns/USN-4247-3
Related
  • CVE-2019-15795
  • CVE-2019-15796
Published
2020-01-23T15:11:16.264619Z
Modified
2020-01-23T15:11:16.264619Z
Summary
python-apt vulnerabilities
Details

USN-4247-1 fixed several vulnerabilities in python-apt. This update provides the corresponding updates for Ubuntu 12.04 ESM and Ubuntu 14.04 ESM.

Original advisory details:

It was discovered that python-apt would still use MD5 hashes to validate certain downloaded packages. If a remote attacker were able to perform a machine-in-the-middle attack, this flaw could potentially be used to install altered packages. (CVE-2019-15795)

It was discovered that python-apt could install packages from untrusted repositories, contrary to expectations. (CVE-2019-15796)

References

Affected packages

Ubuntu:Pro:14.04:LTS / python-apt

Package

Name
python-apt

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.9.3.5ubuntu3+esm2

Ecosystem specific

{
    "availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
    "binaries": [
        {
            "python3-apt": "0.9.3.5ubuntu3+esm2",
            "python-apt-common": "0.9.3.5ubuntu3+esm2",
            "python-apt": "0.9.3.5ubuntu3+esm2",
            "python-apt-dev": "0.9.3.5ubuntu3+esm2",
            "python-apt-doc": "0.9.3.5ubuntu3+esm2"
        }
    ]
}