This bug was fixed in the package apt - 1.7.0~alpha3
---------------
apt (1.7.0~alpha3) experimental; urgency=medium
[ David Kalnischkies ]
* SECURITY UPDATE: Fallback in the mirror method allowed a later server to
supply any InRelease file without it having to be verified. (LP: #1787752)
- apt-pkg/acquire-item.cc:: clear alternative URIs for mirror:// between
steps
- CVE-2018-0501
- https://mirror.fail/
[ Jean-Ralph Aviles ]
* Add trailing newline to output of edit-sources.
[ Julian Andres Klode ]
* Add support for dpkg frontend lock (Closes: #869546)
* Set DPKG_FRONTEND_LOCKED as needed when doing selection changes
* Update symbols files
[ Boyuan Yang ]
* Simplified Chinese program translation update (Closes: #903695)
[ David Kalnischkies ]
* Report (soon) worthless keys if gpg uses fpr for GOODSIG
-- Julian Andres Klode <j...@debian.org> Mon, 20 Aug 2018 17:44:19
+0200
** Changed in: apt (Ubuntu)
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1787752
Title:
mirror.fail - security issue in mirror:// - CVE-2018-0501
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1787752/+subscriptions
--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
