Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 436
Alerts This Week
Warning Icon 1 436

Ubuntu 14.10: USN-2566-1 Critical: Dpkg Signature Bypass Exploit

ubuntu
Calendar Grey April 9, 2015
Dist Ubuntu Esm H88
A recent dpkg flaw in Ubuntu could facilitate evasion of source package verification. It's critical to refresh your system to mitigate potential threats.
dpkg could be tricked into bypassing source package signature checks.

Summary

dpkg could be tricked into bypassing source package signature checks.

Software Description:

- dpkg: Debian package management system

Details:

Jann Horn discovered that dpkg incorrectly validated signatures when

extracting local source packages. If a user or an automated system were

tricked into unpacking a specially crafted source package, a remote

attacker could bypass signature verification checks.

Update Instructions

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 14.10:
  libdpkg-perl                    1.17.13ubuntu1.1

Ubuntu 14.04 LTS:
  libdpkg-perl                    1.17.5ubuntu5.4

Ubuntu 12.04 LTS:
  libdpkg-perl                    1.16.1.2ubuntu7.6

Ubuntu 10.04 LTS:
  dpkg-dev                        1.15.5.6ubuntu4.10

In general, a standard system update will make all the necessary changes.

References

https://ubuntu.com/security/notices/USN-2566-1

CVE-2015-0840

Severity
critical
Lowest
Low
Medium
High
Critical

April 09, 2015

Package Information

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.