Yesterday, Ubuntu announced an unscheduled point release of its 16.04 LTS version for both its server and desktop products. The Ubuntu 16.04.6 version was developed as a patch for a major vulnerability that was found in the popular Debian-based OS.
The flaw allowed attackers to trick the operating systems Advanced Packaging Tool (APT) to install altered packages. Discovered by Max Justicz, certain parameters were handled incorrectly by the APT during redirects. This meant that if a MITM (Man-in-the-middle) attack was performed, attackers could potentially install altered packages.
This problem can be resolved by updating the operating system with the latest patched version. The version includes a number of other security updates for vulnerabilities with high impact and has been developed with a strong focus on maintaining both compatibility and stability with Ubuntu 16.04.
Lukasz Zemczak of Ubuntu said in his formal Ubuntu 16.04.6 release announcement, “Unlike previous point releases, 16.04.6 is a security-targeted release for the purpose of providing updated installation media which protects new installations from the recently discovered APT vulnerability (USN-3863-1).”
The Ubuntu 16.04.6 packages affected due to this vulnerability could behave unexpectedly and may not be what they say they are. The update aims to ensure that new installs are no longer susceptible to the bug and users remain protected from the get-go.
Ubuntu 16.04 is not the only version affected by this critical vulnerability. Versions 18.10, 18.04 and 14.04 LTS are also affected by it and are vulnerable to altered packages being installed by bad actors.