Vulnerability Description
The mirror:// method implementation in Advanced Package Tool (APT) 1.6.x before 1.6.4 and 1.7.x before 1.7.0~alpha3 mishandles gpg signature verification for the InRelease file of a fallback mirror, aka mirrorfail.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Canonical | Ubuntu Linux | 18.04 |
| Debian | Advanced Package Tool | >= 1.6.0, < 1.6.4 |
Related Weaknesses (CWE)
References
- https://mirror.fail (Third Party Advisory, URL Repurposed)
- https://salsa.debian.org/apt-team/apt/commit/29658a3a74af49e2a24e17bdebb20e1612a (Patch, Third Party Advisory)
- https://salsa.debian.org/apt-team/apt/commit/aebd4278bacc728ab00ebe31556983e140f (Patch, Third Party Advisory)
- https://usn.ubuntu.com/3746-1/ (Third Party Advisory)
FAQ
What is CVE-2018-0501?
CVE-2018-0501 is a vulnerability with a CVSS score of 5.9 (MEDIUM). The mirror:// method implementation in Advanced Package Tool (APT) 1.6.x before 1.6.4 and 1.7.x before 1.7.0~alpha3 mishandles gpg signature verification for the InRelease file of a fallback mirror, a...
How severe is CVE-2018-0501?
CVE-2018-0501 has been rated MEDIUM with a CVSS base score of 5.9/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2018-0501?
Check the references section above for vendor advisories and patch information. Affected products include: Canonical Ubuntu Linux, Debian Advanced Package Tool.