software-properties incorrectly validated TLS certificates
CVE-2012-0955

6.8 MEDIUM

Key Information:

Vendor: Canonical
CVE Published: 2 December 2020

Summary

software-properties was vulnerable to a person-in-the-middle attack due to incorrect TLS certificate validation in softwareproperties/ppa.py. It did not check TLS certificates under Python 2, and under Python 3 it checked them only if a valid certificate bundle was provided. Fixed in software-properties version 0.92.
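The failure mode described above, shown as an added example (not code from software-properties): a context builder that silently stops verifying when the CA bundle is unusable, beside a fail-closed form. The function names, the exception class and the bundle path are assumptions made for illustration.

```python
import os
import ssl


class CABundleError(RuntimeError):
    """Raised when the configured CA bundle cannot be used."""


def fail_open_context(cafile):
    # Constructed illustration of the weakness: verification is
    # silently switched off when the bundle is missing.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if cafile and os.path.isfile(cafile):
        ctx.load_verify_locations(cafile=cafile)
    else:
        ctx.check_hostname = False  # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def fail_closed_context(cafile=None):
    # Hardened form: an unusable bundle is an error, never a downgrade.
    if cafile is None:
        return ssl.create_default_context()  # system trust store
    if not os.path.isfile(cafile):
        raise CABundleError("CA bundle not found: %s" % cafile)
    try:
        return ssl.create_default_context(cafile=cafile)
    except (ssl.SSLError, OSError) as exc:
        raise CABundleError("CA bundle unusable: %s" % exc) from exc


def verifies_peer(ctx):
    # True only if both chain validation and hostname matching are on.
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


if __name__ == "__main__":
    missing = "/nonexistent/ca-bundle.crt"  # constructed path
    print("fail-open verifies peer:", verifies_peer(fail_open_context(missing)))
    try:
        fail_closed_context(missing)
    except CABundleError as exc:
        print("fail-closed refused:", exc)
    print("default verifies peer:", verifies_peer(fail_closed_context()))
```

`verifies_peer` can also serve as a unit-test assertion on any context a client builds before it opens a connection.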

Affected Version(s)

software-properties 0.92

CVSS V3.1

Score: 6.8
Severity: MEDIUM
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Marc Deslauriers