Description
ppa.py in Software Properties before 0.81.13.3 does not validate the server certificate when downloading PPA GPG key fingerprints, which allows man-in-the-middle (MITM) attackers to spoof GPG keys for a package repository.
References (2)
Core 2
Core References
Issue Tracking x_refsource_confirm
https://bugs.launchpad.net/ubuntu/%2Bsource/software-properties/%2Bbug/915210
Vendor Advisory vendor-advisory
x_refsource_ubuntu
http://www.ubuntu.com/usn/USN-1352-1
Scores
EPSS
0.0063
EPSS Percentile
46.1%
Details
CWE
CWE-20
Status
published
Products (5)
canonical/software-properties
< 0.81.13.1
canonical/ubuntu_linux
10.04
canonical/ubuntu_linux
10.10
canonical/ubuntu_linux
11.04
canonical/ubuntu_linux
11.10
Published
May 14, 2014
Tracked Since
Feb 18, 2026