{ "CVE_data_meta" : { "ASSIGNER" : "security@debian.org", "ID" : "CVE-2018-0501", "STATE" : "PUBLIC" }, "affects" : { "vendor" : { "vendor_data" : [ { "product" : { "product_data" : [ { "product_name" : "APT 1.6.x before 1.6.4 and 1.7.x before 1.7.0~alpha3", "version" : { "version_data" : [ { "version_value" : "APT 1.6.x before 1.6.4 and 1.7.x before 1.7.0~alpha3" } ] } } ] }, "vendor_name" : "n/a" } ] } }, "data_format" : "MITRE", "data_type" : "CVE", "data_version" : "4.0", "description" : { "description_data" : [ { "lang" : "eng", "value" : "The mirror:// method implementation in Advanced Package Tool (APT) 1.6.x before 1.6.4 and 1.7.x before 1.7.0~alpha3 mishandles gpg signature verification for the InRelease file of a fallback mirror, aka mirrorfail." } ] }, "problemtype" : { "problemtype_data" : [ { "description" : [ { "lang" : "eng", "value" : "lack of signature verification" } ] } ] }, "references" : { "reference_data" : [ { "name" : "https://mirror.fail", "refsource" : "MISC", "url" : "https://mirror.fail" }, { "name" : "https://salsa.debian.org/apt-team/apt/commit/29658a3a74af49e2a24e17bdebb20e1612aac3ec", "refsource" : "MISC", "url" : "https://salsa.debian.org/apt-team/apt/commit/29658a3a74af49e2a24e17bdebb20e1612aac3ec" }, { "name" : "https://salsa.debian.org/apt-team/apt/commit/aebd4278bacc728ab00ebe31556983e140f60e47", "refsource" : "MISC", "url" : "https://salsa.debian.org/apt-team/apt/commit/aebd4278bacc728ab00ebe31556983e140f60e47" }, { "name" : "USN-3746-1", "refsource" : "UBUNTU", "url" : "https://usn.ubuntu.com/3746-1/" } ] } }