CVE-2011-3152
First published: Sun Apr 27 2014(Updated: )
DistUpgrade/DistUpgradeFetcherCore.py in Update Manager before 1:0.87.31.1, 1:0.134.x before 1:0.134.11.1, 1:0.142.x before 1:0.142.23.1, 1:0.150.x before 1:0.150.5.1, and 1:0.152.x before 1:0.152.25.5 on Ubuntu 8.04 through 11.10 does not verify the GPG signature before extracting an upgrade tarball, which allows man-in-the-middle attackers to (1) create or overwrite arbitrary files via a directory traversal attack using a crafted tar file, or (2) bypass authentication via a crafted meta-release file.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Canonical Ubuntu Linux | =10.10 | |
| Canonical Ubuntu Linux | =8.04 | |
| Canonical Ubuntu Linux | =11.04 | |
| Canonical Update-manager | =1\-0.152.25 | |
| Canonical Ubuntu Linux | =11.10 | |
| Canonical Update-manager | <=1\:0.87.24 | |
| Canonical Update-manager | =1\-0.134.7 | |
| Canonical Update-manager | =1\-0.142.19 | |
| Canonical Update-manager | =1\-0.150 | |
| Canonical Ubuntu Linux | =10.04 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- collector/nvd-historical
- collector/nvd-index
- agent/references
- agent/severity
- agent/author
- agent/weakness
- agent/last-modified-date
- agent/softwarecombine
- agent/first-publish-date
- agent/type
- agent/event
- agent/description
- agent/tags
- collector/mitre-cve
- source/MITRE
- vendor/canonical
- canonical/canonical ubuntu linux
- version/canonical ubuntu linux/10.10
- version/canonical ubuntu linux/8.04
- version/canonical ubuntu linux/11.04
- canonical/canonical update-manager
- version/canonical update-manager/1\-0.152.25
- version/canonical ubuntu linux/11.10
- version/canonical update-manager/1\:0.87.24
- version/canonical update-manager/1\-0.134.7
- version/canonical update-manager/1\-0.142.19
- version/canonical update-manager/1\-0.150
- version/canonical ubuntu linux/10.04