CVE-2011-3152
First published: Sun Apr 27 2014(Updated: )
DistUpgrade/DistUpgradeFetcherCore.py in Update Manager before 1:0.87.31.1, 1:0.134.x before 1:0.134.11.1, 1:0.142.x before 1:0.142.23.1, 1:0.150.x before 1:0.150.5.1, and 1:0.152.x before 1:0.152.25.5 on Ubuntu 8.04 through 11.10 does not verify the GPG signature before extracting an upgrade tarball, which allows man-in-the-middle attackers to (1) create or overwrite arbitrary files via a directory traversal attack using a crafted tar file, or (2) bypass authentication via a crafted meta-release file.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Ubuntu Update Manager | <=1\:0.87.24 | |
| Ubuntu Update Manager | =1\-0.134.7 | |
| Ubuntu Update Manager | =1\-0.142.19 | |
| Ubuntu Update Manager | =1\-0.150 | |
| Ubuntu Update Manager | =1\-0.152.25 | |
| Ubuntu Linux | =8.04 | |
| Ubuntu Linux | =10.04 | |
| Ubuntu Linux | =10.10 | |
| Ubuntu Linux | =11.04 | |
| Ubuntu Linux | =11.10 | |
| Ubuntu | =10.10 | |
| Ubuntu | =8.04 | |
| Ubuntu | =11.04 | |
| Ubuntu | =11.10 | |
| Ubuntu | =10.04 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2011-3152?
CVE-2011-3152 has a medium severity rating due to its potential for unauthorized code execution during the update process.
How do I fix CVE-2011-3152?
To fix CVE-2011-3152, update the Update Manager to version 1:0.87.31.1 or later for affected Ubuntu distributions.
Which versions of Ubuntu are affected by CVE-2011-3152?
CVE-2011-3152 affects Ubuntu versions 8.04 through 11.10 that utilize specific versions of the Update Manager.
What kind of vulnerability is CVE-2011-3152?
CVE-2011-3152 is a security vulnerability that relates to GPG signature verification failure during update extractions.
Is there a workaround for CVE-2011-3152?
There are no recommended workarounds for CVE-2011-3152; updating to a secure version is the best course of action.
- agent/references
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/author
- agent/severity
- agent/weakness
- agent/last-modified-date
- agent/first-publish-date
- agent/event
- agent/description
- agent/source
- collector/nvd-index
- agent/software-canonical-lookup-request
- agent/softwarecombine
- agent/tags
- collector/nvd-historical
- vendor/canonical
- canonical/ubuntu update manager
- version/ubuntu update manager/1\:0.87.24
- version/ubuntu update manager/1\-0.134.7
- version/ubuntu update manager/1\-0.142.19
- version/ubuntu update manager/1\-0.150
- version/ubuntu update manager/1\-0.152.25
- canonical/ubuntu linux
- version/ubuntu linux/8.04
- version/ubuntu linux/10.04
- version/ubuntu linux/10.10
- version/ubuntu linux/11.04
- version/ubuntu linux/11.10
- canonical/ubuntu
- version/ubuntu/10.10
- version/ubuntu/8.04
- version/ubuntu/11.04
- version/ubuntu/11.10
- version/ubuntu/10.04