touch-packages team mailing list archive
Message #87184
[Bug 1466380] Re: No authentication check if DPkg::Options::", "--force-confold" is set in apt conf
This bug was fixed in the package unattended-upgrades - 0.86.1
---------------
unattended-upgrades (0.86.1) unstable; urgency=medium

  * fix missing package authentication check for apt
    configurations that force-{confold,confnew} (CVE-2015-1330)
    LP: #1466380

 -- Michael Vogt <mvo@xxxxxxxxxx>  Mon, 29 Jun 2015 19:28:06 +0200
** Changed in: unattended-upgrades (Ubuntu Wily)
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to unattended-upgrades in
Ubuntu.
https://bugs.launchpad.net/bugs/1466380
Title:
No authentication check if DPkg::Options::", "--force-confold" is set
in apt conf
Status in unattended-upgrades package in Ubuntu:
Fix Released
Status in unattended-upgrades source package in Precise:
Fix Released
Status in unattended-upgrades source package in Trusty:
Fix Released
Status in unattended-upgrades source package in Utopic:
Fix Released
Status in unattended-upgrades source package in Vivid:
Fix Released
Status in unattended-upgrades source package in Wily:
Fix Released
Bug description:
While doing code inspection I noticed that under certain circumstances
unattended-upgrades will not perform an authentication check for the
package it downloads. The trust for packages is checked in line 1242
of the code, but that code only gets executed if
dpkg_conffile_prompt() returns True.
Attached is a patch against master with a fix and a test. This needs
to be coordinated with Debian and added to all our releases. I will
prepare debdiffs.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/unattended-upgrades/+bug/1466380/+subscriptions
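
Added example, not part of the original message and not the unattended-upgrades source: a simplified Python model of the control flow the bug description points at, showing a trust check that only runs when the conffile prompt check returns True, next to a version where it always runs. The Candidate class, the function names and the sample packages are hypothetical; that the prompt check returns False when a --force-conf* option is configured is an assumption based on the bug title.

```python
from dataclasses import dataclass

FORCE_OPTS = {"--force-confold", "--force-confnew"}

@dataclass
class Candidate:
    """Hypothetical stand-in for one downloaded package."""
    name: str
    trusted: bool            # True if fetched from an authenticated origin
    changes_conffile: bool   # True if installing it could trigger a conffile prompt

def conffile_prompt_enabled(dpkg_options):
    """Assumed analogue of dpkg_conffile_prompt(): False once a
    --force-conf* option pre-answers the prompt."""
    return not (FORCE_OPTS & set(dpkg_options))

def select_flawed(pkgs, dpkg_options):
    """Trust check nested inside the prompt branch, so it is skipped
    entirely when the prompt check returns False."""
    held_back = set()
    if conffile_prompt_enabled(dpkg_options):
        for pkg in pkgs:
            if not pkg.trusted:
                held_back.add(pkg.name)
            elif pkg.changes_conffile:
                held_back.add(pkg.name)
    return [p.name for p in pkgs if p.name not in held_back]

def select_fixed(pkgs, dpkg_options):
    """Trust check runs for every package; only the conffile test
    depends on the prompt setting."""
    prompt = conffile_prompt_enabled(dpkg_options)
    held_back = set()
    for pkg in pkgs:
        if not pkg.trusted:
            held_back.add(pkg.name)
        elif prompt and pkg.changes_conffile:
            held_back.add(pkg.name)
    return [p.name for p in pkgs if p.name not in held_back]

# Constructed sample input, not taken from the bug report.
SAMPLE = [
    Candidate("signed-pkg", trusted=True, changes_conffile=False),
    Candidate("unsigned-pkg", trusted=False, changes_conffile=False),
    Candidate("conffile-pkg", trusted=True, changes_conffile=True),
]

if __name__ == "__main__":
    for opts in ([], ["--force-confold"]):
        print(opts, select_flawed(SAMPLE, opts), select_fixed(SAMPLE, opts))
```

A regression test for this class of bug should run the selection with each --force-conf* option set and assert that an untrusted package is never in the install set.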