CVE 2011-4407
ppa.py in Software Properties before 0.81.13.3 does not validate the server certificate when downloading PPA GPG key fingerprints, which allows man-in-the-middle (MITM) attackers to spoof GPG keys for a package repository.
Related bugs and status
CVE-2011-4407 (Candidate) is related to these bugs:
Bug #502698: 'urlopen error' using add-apt-repository
| Summary | In | Importance | Status | |||
|---|---|---|---|---|---|---|
| 502698 | 'urlopen error' using add-apt-repository | software-properties (Ubuntu) | Low | Fix Released | ||
Bug #620098: Manual page for 'add-apt-repository' is not accessible via the name 'apt-add-repository'
| Summary | In | Importance | Status | |||
|---|---|---|---|---|---|---|
| 620098 | Manual page for 'add-apt-repository' is not accessible via the name 'apt-add-repository' | software-properties (Ubuntu) | Low | Fix Released | ||
Bug #652523: Revert and Remove have duplicate keyboard accelerators in Sources->Other Software tab
| Summary | In | Importance | Status | |||
|---|---|---|---|---|---|---|
| 652523 | Revert and Remove have duplicate keyboard accelerators in Sources->Other Software tab | software-properties (Ubuntu) | Low | Fix Released | ||
Bug #854841: add-apt-repository will write duplicate entries to /etc/apt/sources.list
| Summary | In | Importance | Status | |||
|---|---|---|---|---|---|---|
| 854841 | add-apt-repository will write duplicate entries to /etc/apt/sources.list | software-properties (Ubuntu) | Low | Fix Released | ||
Bug #888417: adding ppa in software sources does not retrieve pgp key
| Summary | In | Importance | Status | |||
|---|---|---|---|---|---|---|
| 888417 | adding ppa in software sources does not retrieve pgp key | software-properties (Ubuntu) | Undecided | Fix Released | ||
| 888417 | adding ppa in software sources does not retrieve pgp key | One Hundred Papercuts | Medium | Fix Released | ||
| 888417 | adding ppa in software sources does not retrieve pgp key | software-properties (Ubuntu Oneiric) | Undecided | Won't Fix | ||
| 888417 | adding ppa in software sources does not retrieve pgp key | software-properties (Ubuntu Precise) | Undecided | Fix Released | ||
Bug #912557: Spacing between checkboxes in "Ubuntu Software" tab increases when window height is increased
| Summary | In | Importance | Status | |||
|---|---|---|---|---|---|---|
| 912557 | Spacing between checkboxes in "Ubuntu Software" tab increases when window height is increased | software-properties (Ubuntu) | Low | Fix Released | ||
Bug #915210: apt-add-repository does not perform ssl verification where it *needs* to
| Summary | In | Importance | Status | |||
|---|---|---|---|---|---|---|
| 915210 | apt-add-repository does not perform ssl verification where it *needs* to | software-properties (Ubuntu) | High | Fix Released | ||
| 915210 | apt-add-repository does not perform ssl verification where it *needs* to | software-properties (Ubuntu Lucid) | High | Fix Released | ||
| 915210 | apt-add-repository does not perform ssl verification where it *needs* to | software-properties (Ubuntu Maverick) | High | Fix Released | ||
| 915210 | apt-add-repository does not perform ssl verification where it *needs* to | software-properties (Ubuntu Natty) | High | Fix Released | ||
| 915210 | apt-add-repository does not perform ssl verification where it *needs* to | software-properties (Ubuntu Precise) | High | Fix Released | ||
| 915210 | apt-add-repository does not perform ssl verification where it *needs* to | software-properties (Ubuntu Oneiric) | High | Fix Released | ||
Bug #1036839: Quantal software-properties incorrectly validating ssl certs
| Summary | In | Importance | Status | |||
|---|---|---|---|---|---|---|
| 1036839 | Quantal software-properties incorrectly validating ssl certs | software-properties (Ubuntu) | High | Fix Released | ||
See the 
CVE page on Mitre.org
for more details.
