GLSA Advocate
Posted: Fri Jul 10, 2015 4:26 pm Post subject: [ GLSA 201507-16 ] Portage
Gentoo Linux Security Advisory
Title: Portage: Man-in-the-middle attack (GLSA 201507-16)
Severity: normal
Exploitable: remote
Date: July 10, 2015
Bug(s): #469888
ID: 201507-16
Synopsis
A vulnerability in Portage's urlopen function could allow a remote
attacker to conduct a man-in-the-middle attack.
Background
Portage is the package management and distribution system for Gentoo.
Affected Packages
Package: sys-apps/portage
Vulnerable: < 2.1.12.2
Unaffected: >= 2.1.12.2
Architectures: All supported architectures
Description
Portage does not verify X.509 SSL certificates properly if HTTPS is
used.
Impact
A remote attacker can spoof servers and modify binary package lists via
specially crafted certificates.
Workaround
There is no known workaround at this time.
Resolution
All Portage users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=sys-apps/portage-2.1.12.2"
References
CVE-2013-2100
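The class of flaw named in the Description, shown as an added example that is not Portage's code or its fix: an HTTPS fetch is only protected against a spoofed server when the TLS context both validates the certificate chain and matches the certificate to the host name. The function names and the `binhost.example` host are assumptions made for illustration.

```python
import ssl
import urllib.request


def context_weaknesses(ctx):
    """List the settings on an SSLContext that would let a spoofed server through."""
    problems = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("certificate chain is not verified")
    if not ctx.check_hostname:
        problems.append("certificate is not matched against the host name")
    return problems


def verifying_context(cafile=None):
    """Context that validates the chain against trusted CAs and checks the host name."""
    return ssl.create_default_context(cafile=cafile)


def lax_context():
    """The weak configuration: any certificate from any server is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode can be lowered
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def fetch(url, ctx=None):
    """Fetch url over HTTPS, refusing any context that skips verification."""
    if ctx is None:
        ctx = verifying_context()
    problems = context_weaknesses(ctx)
    if problems:
        raise ValueError("refusing HTTPS fetch: " + "; ".join(problems))
    if not url.lower().startswith("https://"):
        raise ValueError("refusing non-HTTPS URL: " + url)
    with urllib.request.urlopen(url, context=ctx, timeout=30) as resp:
        return resp.read()


if __name__ == "__main__":
    # Constructed URL; no request is sent because the lax context is rejected first.
    for name, ctx in (("verifying", verifying_context()), ("lax", lax_context())):
        print(name, context_weaknesses(ctx) or "ok")
```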