Test ID:	1.3.6.1.4.1.25623.1.0.71015
Category:	Ubuntu Local Security Checks
Title:	Ubuntu USN-1284-1 (update-manager)
Summary:	NOSUMMARY
Description:	Description: The remote host is missing an update to update-manager announced via advisory USN-1284-1. Details: David Black discovered that Update Manager incorrectly extracted the downloaded upgrade tarball before verifying its GPG signature. If a remote attacker were able to perform a man-in-the-middle attack, this flaw could potentially be used to replace arbitrary files. (CVE-2011-3152) David Black discovered that Update Manager created a temporary directory in an insecure fashion. A local attacker could possibly use this flaw to read the XAUTHORITY file of the user performing the upgrade. (CVE-2011-3154) This update also adds a hotfix to Update Notifier to handle cases where the upgrade is being performed from CD media. Solution: The problem can be corrected by updating your system to the following package versions: Ubuntu 11.10: update-manager 1:0.152.25.5 Ubuntu 11.04: update-manager 1:0.150.5.1 update-notifier 0.111ubuntu2.1 Ubuntu 10.10: update-manager 1:0.142.23.1 update-notifier 0.105ubuntu1.1 Ubuntu 10.04 LTS: auto-upgrade-tester 1:0.134.11.1 update-notifier 0.99.3ubuntu0.1 Ubuntu 8.04 LTS: update-manager 1:0.87.31.1 http://www.securityspace.com/smysecure/catid.html?in=USN-1284-1
Cross-Ref:	Common Vulnerability Exposure (CVE) ID: CVE-2011-3152 BugTraq ID: 50833 http://www.securityfocus.com/bid/50833 http://www.osvdb.org/77642 http://secunia.com/advisories/47024 http://www.ubuntu.com/usn/USN-1284-1 XForce ISS Database: ubuntu-update-gpg-sec-bypass(71494) https://exchange.xforce.ibmcloud.com/vulnerabilities/71494 Common Vulnerability Exposure (CVE) ID: CVE-2011-3154
Copyright	Copyright (c) 2012 E-Soft Inc. http://www.securityspace.com

This is only one of 146377 vulnerability tests in our test suite. Find out more about running a complete security audit. To run a free test of this vulnerability against your system, register below.