==========================================================================
Ubuntu Security Notice USN-4247-3
January 23, 2020

python-apt vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

– Ubuntu 14.04 ESM
– Ubuntu 12.04 ESM

Summary:

Several security issues were fixed in python-apt.

Software Description:
– python-apt: Python interface to libapt-pkg

Details:

USN-4247-1 fixed several vulnerabilities in python-apt. This update
provides the corresponding updates for Ubuntu 12.04 ESM and Ubuntu 14.04 ESM.

Original advisory details:

It was discovered that python-apt would still use MD5 hashes to validate
certain downloaded packages. If a remote attacker were able to perform a
man-in-the-middle attack, this flaw could potentially be used to install
altered packages. (CVE-2019-15795)

It was discovered that python-apt could install packages from untrusted
repositories, contrary to expectations. (CVE-2019-15796)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 14.04 ESM:
python-apt 0.9.3.5ubuntu3+esm2
python3-apt 0.9.3.5ubuntu3+esm2

Ubuntu 12.04 ESM:
python-apt 0.8.3ubuntu7.5
python3-apt 0.8.3ubuntu7.5

In general, a standard system update will make all the necessary changes.

References:
https://usn.ubuntu.com/4247-3
https://usn.ubuntu.com/4247-1
CVE-2019-15795, CVE-2019-15796
—–BEGIN PGP SIGNATURE—–

iQIzBAABCgAdFiEEf+ebRFcoyOoAQoOeRbznW4QLH2kFAl4pxf4ACgkQRbznW4QL
H2nioBAAoS9wE3iZxfXcdORME61zFMFU4n+bMwXUor3h1RXzPBavdykCNrrYQtnz
slwQDp4SAkhtWq+VPtM4kiSpo7n/jyCv9BdKZI02tfz2Elm9DTVyzRHf+bporD1g
gNkOi50Tbv72L9Jwv4mgW11wg6E4zhuUd63LuSwGcSWA0jS6JB2N+5G2HK7JTnd2
Oa0Cw/fn4ZF7DtA4LnRoM0S6nBxxSYlWdnpw1z4odaPu4KurlPMuaSLNupf2TRUD
9UEJUHbC0jfrvt7i5A4+95/Rcy/9fPhFXbkTmayd49KnHUURvI1dF6w0gadwfLPl
h71YF3wj42RBzUhf57aCYP861NlSYb4ADreWoe3j2zVSH0+IN7p9933OyY/E4Bc/
lkp75j9tBQoejaIpfwCYxLaQl4jZWKI3mpw9ReItGP2swzAxEAA3LULc4XCKwgrJ
oFghHuPmQtbP9NEuMZaoMfoLhS2wOtC9wwRgBHEEofzLqRI7D+Wzi5bIUan3gbzt
kgOvD4/KzOeaKBBCRcN1pM5VFUd+bIOziGa9QWYNbUodXS27ZkHmlK/Ye3IsS15h
wL0uB6YRfTqzUUTgxd5K+IZyr5HVQi66v811VRuUqKfLU/kXEuUiYnjo+5Ki7wUY
xJQLx/tRGlnMc4DcgAFNqa+KFPPkb13+ab/nLRjKACAO1SeqBYA=
=1URd
—–END PGP SIGNATURE—–
—