CERTA-2012-AVI-048
Vulnerability from certfr_avis
Une vulnérabilité présente dans Software Properties peut être utilisée par un attaquant afin d'installer des clés PPA GPG arbitraires.
Description
Une vulnérabilité existe dans le processus de validation du certificat serveur de Software Properties. Elle permet à un utilisateur distant malintentionné d'effectuer une attaque de type homme du milieu (man-in-the-middle) provoquant alors l'installation de clés GPG arbitraires.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
References
| Title | Publication Time | Tags | ||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Ubuntu 10.10 ;",
"product": {
"name": "Ubuntu",
"vendor": {
"name": "Ubuntu",
"scada": false
}
}
},
{
"description": "Ubuntu 11.10 ;",
"product": {
"name": "Ubuntu",
"vendor": {
"name": "Ubuntu",
"scada": false
}
}
},
{
"description": "Ubuntu 11.04 ;",
"product": {
"name": "Ubuntu",
"vendor": {
"name": "Ubuntu",
"scada": false
}
}
},
{
"description": "Ubuntu 10.04 LTS.",
"product": {
"name": "Ubuntu",
"vendor": {
"name": "Ubuntu",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Description\n\nUne vuln\u00e9rabilit\u00e9 existe dans le processus de validation du certificat\nserveur de Software Properties. Elle permet \u00e0 un utilisateur distant\nmalintentionn\u00e9 d\u0027effectuer une attaque de type homme du milieu\n(man-in-the-middle) provoquant alors l\u0027installation de cl\u00e9s GPG\narbitraires.\n\n## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2011-4407",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-4407"
}
],
"initial_release_date": "2012-02-01T00:00:00",
"last_revision_date": "2012-02-01T00:00:00",
"links": [
{
"title": "Bulletin de s\u00e9curit\u00e9 Ubuntu USN-1352-1 du 30 janvier 2012 :",
"url": "http://www.ubuntu.com/usn/usn-1352-1/"
}
],
"reference": "CERTA-2012-AVI-048",
"revisions": [
{
"description": "version initiale.",
"revision_date": "2012-02-01T00:00:00.000000"
}
],
"risks": [
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
}
],
"summary": "Une vuln\u00e9rabilit\u00e9 pr\u00e9sente dans \u003cspan class=\"textit\"\u003eSoftware\nProperties\u003c/span\u003e peut \u00eatre utilis\u00e9e par un attaquant afin d\u0027installer\ndes cl\u00e9s PPA GPG arbitraires.\n",
"title": "Vuln\u00e9rabilit\u00e9 dans Ubuntu Software Properties",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Ubuntu USN-1352-1 du 31 janvier 2012",
"url": null
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…