==========================================================================
Ubuntu Security Notice USN-4247-3
January 23, 2020
python-apt vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
– Ubuntu 14.04 ESM
– Ubuntu 12.04 ESM
Summary:
Several security issues were fixed in python-apt.
Software Description:
– python-apt: Python interface to libapt-pkg
Details:
USN-4247-1 fixed several vulnerabilities in python-apt. This update
provides the corresponding updates for Ubuntu 12.04 ESM and Ubuntu 14.04 ESM.
Original advisory details:
It was discovered that python-apt would still use MD5 hashes to validate
certain downloaded packages. If a remote attacker were able to perform a
man-in-the-middle attack, this flaw could potentially be used to install
altered packages. (CVE-2019-15795)
It was discovered that python-apt could install packages from untrusted
repositories, contrary to expectations. (CVE-2019-15796)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 14.04 ESM:
python-apt 0.9.3.5ubuntu3+esm2
python3-apt 0.9.3.5ubuntu3+esm2
Ubuntu 12.04 ESM:
python-apt 0.8.3ubuntu7.5
python3-apt 0.8.3ubuntu7.5
In general, a standard system update will make all the necessary changes.
References:
https://usn.ubuntu.com/4247-3
https://usn.ubuntu.com/4247-1
CVE-2019-15795, CVE-2019-15796
—–BEGIN PGP SIGNATURE—–
iQIzBAABCgAdFiEEf+ebRFcoyOoAQoOeRbznW4QLH2kFAl4pxf4ACgkQRbznW4QL
H2nioBAAoS9wE3iZxfXcdORME61zFMFU4n+bMwXUor3h1RXzPBavdykCNrrYQtnz
slwQDp4SAkhtWq+VPtM4kiSpo7n/jyCv9BdKZI02tfz2Elm9DTVyzRHf+bporD1g
gNkOi50Tbv72L9Jwv4mgW11wg6E4zhuUd63LuSwGcSWA0jS6JB2N+5G2HK7JTnd2
Oa0Cw/fn4ZF7DtA4LnRoM0S6nBxxSYlWdnpw1z4odaPu4KurlPMuaSLNupf2TRUD
9UEJUHbC0jfrvt7i5A4+95/Rcy/9fPhFXbkTmayd49KnHUURvI1dF6w0gadwfLPl
h71YF3wj42RBzUhf57aCYP861NlSYb4ADreWoe3j2zVSH0+IN7p9933OyY/E4Bc/
lkp75j9tBQoejaIpfwCYxLaQl4jZWKI3mpw9ReItGP2swzAxEAA3LULc4XCKwgrJ
oFghHuPmQtbP9NEuMZaoMfoLhS2wOtC9wwRgBHEEofzLqRI7D+Wzi5bIUan3gbzt
kgOvD4/KzOeaKBBCRcN1pM5VFUd+bIOziGa9QWYNbUodXS27ZkHmlK/Ye3IsS15h
wL0uB6YRfTqzUUTgxd5K+IZyr5HVQi66v811VRuUqKfLU/kXEuUiYnjo+5Ki7wUY
xJQLx/tRGlnMc4DcgAFNqa+KFPPkb13+ab/nLRjKACAO1SeqBYA=
=1URd
—–END PGP SIGNATURE—–
—