Severity
High
Vendor
Canonical Ubuntu
Versions Affected
Canonical Ubuntu 14.04 LTS
Description
Jann Horn discovered that APT incorrectly handled InRelease files (the inline-signed Release files that authenticate a repository's package indexes). If a remote attacker were able to perform a man-in-the-middle attack between a client and its package mirror, this flaw could be used to install altered packages.
Affected Cloud Foundry Products and Versions
Severity is high unless otherwise noted.
- Cloud Foundry BOSH stemcells are vulnerable, including:
- All versions prior to 3151.6
- 3233.x versions prior to 3233.8
- 3263.x versions prior to 3263.13
- 3312.x versions prior to 3312.8
- All other versions
- All versions of Cloud Foundry cflinuxfs2 prior to v.1.94.0
Mitigation
OSS users are strongly encouraged to follow one of the mitigations below:
- The Cloud Foundry team recommends upgrading to the following BOSH stemcells:
- Upgrade all lower versions of 3151.x to version 3151.5
- Upgrade all lower versions of 3233.x to version 3233.6
- Upgrade all lower versions of 3263.x to version 3263.12
- Upgrade all lower versions of 3312.x to version 3312.7
- The Cloud Foundry project recommends that Cloud Foundry deployments run with cflinuxfs2 v.1.92.0 or later versions.
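One way an operator can turn the upgrade targets above into a repeatable check, as an added example that is not Cloud Foundry project code: the thresholds are the stemcell and cflinuxfs2 versions named in the Mitigation section (the Affected section lists slightly higher cutoffs; anyone wanting the more conservative reading can raise the constants), stemcell lines the advisory does not name are treated as vulnerable with no in-line fix, and the inventory in the `__main__` block is constructed sample data, not output from a real deployment.

```python
"""Check BOSH stemcell and cflinuxfs2 versions against this advisory's minimums.

Added example, not Cloud Foundry project code. Thresholds come from the
advisory's Mitigation section; the sample inventory at the bottom is constructed.
"""
from typing import Dict, List, Optional, Tuple

# Minimum patched version per stemcell line (from the Mitigation section).
STEMCELL_FIXED: Dict[str, Tuple[int, ...]] = {
    "3151": (3151, 5),
    "3233": (3233, 6),
    "3263": (3263, 12),
    "3312": (3312, 7),
}

# Minimum patched cflinuxfs2 version (from the Mitigation section).
CFLINUXFS2_FIXED: Tuple[int, ...] = (1, 92, 0)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '3263.12', 'v.1.92.0' or 'v1.92.0' into a tuple of ints for comparison."""
    text = text.strip()
    if text.startswith("v."):
        text = text[2:]
    elif text.startswith("v"):
        text = text[1:]
    parts = text.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def stemcell_status(version: str) -> str:
    """Return 'fixed' or 'vulnerable' for a BOSH stemcell version string."""
    v = parse_version(version)
    fixed = STEMCELL_FIXED.get(str(v[0]))
    if fixed is None:
        # The advisory lists no fixed version for other lines ("All other
        # versions" are affected), so treat them as vulnerable.
        return "vulnerable"
    return "fixed" if v >= fixed else "vulnerable"


def cflinuxfs2_status(version: str) -> str:
    """Return 'fixed' or 'vulnerable' for a cflinuxfs2 rootfs version string."""
    return "fixed" if parse_version(version) >= CFLINUXFS2_FIXED else "vulnerable"


def audit(stemcells: List[str], rootfs: Optional[str] = None) -> List[str]:
    """Return one finding per vulnerable component; an empty list means clean."""
    findings: List[str] = []
    for sc in stemcells:
        if stemcell_status(sc) != "vulnerable":
            continue
        target = STEMCELL_FIXED.get(str(parse_version(sc)[0]))
        if target is not None:
            findings.append(f"stemcell {sc}: upgrade to {'.'.join(map(str, target))}")
        else:
            findings.append(f"stemcell {sc}: no fixed version listed for this line; "
                            "move to a patched stemcell line")
    if rootfs is not None and cflinuxfs2_status(rootfs) == "vulnerable":
        wanted = ".".join(map(str, CFLINUXFS2_FIXED))
        findings.append(f"cflinuxfs2 {rootfs}: upgrade to v{wanted} or later")
    return findings


if __name__ == "__main__":
    # Constructed inventory, e.g. what an operator would copy from `bosh stemcells`.
    sample_stemcells = ["3151.4", "3233.6", "3263.11", "3312.10", "3421.4"]
    sample_rootfs = "v.1.90.0"
    for finding in audit(sample_stemcells, sample_rootfs):
        print("VULNERABLE:", finding)
```

Version strings are compared as integer tuples rather than as text so that `3312.10` is correctly ranked above `3312.7`; a plain string comparison would get that wrong.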
Credit
Jann Horn
References
History
2016-12-20: Initial vulnerability report published