group.of.nepali.translators team mailing list archive

Thread
Date

[Bug 1812353] Re: content injection in http method (CVE-2019-3462)

To: group.of.nepali.translators@xxxxxxxxxxxxxxxxxxx
From: Launchpad Bug Tracker <1812353@xxxxxxxxxxxxxxxxxx>
Date: Tue, 22 Jan 2019 12:33:24 -0000
Reply-to: Bug 1812353 <1812353@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

This bug was fixed in the package apt - 1.6.6ubuntu0.1

---------------
apt (1.6.6ubuntu0.1) bionic-security; urgency=medium

  * SECURITY UPDATE: content injection in http method (CVE-2019-3462)
    (LP: #1812353)

 -- Julian Andres Klode <juliank@xxxxxxxxxx>  Fri, 18 Jan 2019 11:39:50
+0100

** Changed in: apt (Ubuntu Bionic)
       Status: New => Fix Released

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1812353

Title:
  content injection in http method (CVE-2019-3462)

Status in apt package in Ubuntu:
  In Progress
Status in apt source package in Precise:
  New
Status in apt source package in Trusty:
  Fix Released
Status in apt source package in Xenial:
  Fix Released
Status in apt source package in Bionic:
  Fix Released
Status in apt source package in Cosmic:
  Fix Released
Status in apt source package in Disco:
  In Progress

Bug description:
  apt, starting with version 0.8.15, decodes target URLs of redirects,
  but does not check them for newlines, allowing MiTM attackers (or
  repository mirrors) to inject arbitrary headers into the result
  returned to the main process.

  If the URL embeds hashes of the supposed file, it can thus be used to
  disable any validation of the downloaded file, as the fake hashes will
  be prepended in front of the right hashes.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1812353/+subscriptions