[arch-security] [ASA-201507-23] pacman: silent downgrade
Arch Linux Security Advisory ASA-201507-23
==========================================

Severity: High
Date    : 2015-07-29
CVE-ID  : None
Package : pacman
Type    : silent downgrade
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package pacman before version 4.2.1-2 is vulnerable to silent downgrade via a man-in-the-middle attack.

Resolution
==========

Upgrade to 4.2.1-2.

# pacman -Syu "pacman>=4.2.1-2"

The problem has been fixed upstream but no release is available yet.

Workaround
==========

None.

Description
===========

A flaw has been discovered in pacman that can lead to a silent package downgrade when exploited. While loading each package, pacman did not ensure that the version recorded inside the package itself matched the version expected from the sync database, so the version check could be circumvented. An attacker can use this to trick pacman into installing an older version. The attack is carried out by a man-in-the-middle who serves a specially crafted database tarball advertising a higher version while actually delivering an older, vulnerable package that was previously shipped.

Impact
======

A remote attacker able to perform a man-in-the-middle attack can use a specially crafted database tarball to silently install an older and vulnerable version of a previously shipped package.

References
==========

https://lists.archlinux.org/pipermail/pacman-dev/2015-July/020238.html
https://bugs.archlinux.org/task/45687
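The missing check described above, as an added illustration that is not pacman's own code: the sync database promises a name and version for each package, and the package tarball carries its own version in its .PKGINFO member, so a client must refuse to install when the two disagree. Per-package signature verification alone does not catch the attack, because the older package file being substituted is a genuine one that was previously shipped. The tarball builder, the .PKGINFO parser and the check_package_against_db function are constructed for this example; the package names and version strings are made up.

```python
import io
import tarfile


def build_package(pkgname: str, pkgver: str) -> bytes:
    """Constructed stand-in for a .pkg.tar.gz: a gzipped tar whose only
    member is a minimal .PKGINFO recording the package's own version."""
    info = f"pkgname = {pkgname}\npkgver = {pkgver}\narch = x86_64\n".encode()
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        member = tarfile.TarInfo(".PKGINFO")
        member.size = len(info)
        tar.addfile(member, io.BytesIO(info))
    return buf.getvalue()


def read_pkginfo(blob: bytes) -> dict:
    """Parse the 'key = value' lines of .PKGINFO from a package tarball."""
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        fh = tar.extractfile(".PKGINFO")
        if fh is None:
            raise ValueError("package has no .PKGINFO member")
        text = fh.read().decode("utf-8")
    fields = {}
    for line in text.splitlines():
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        fields[key.strip()] = value.strip()
    return fields


def check_package_against_db(db_entry: dict, blob: bytes):
    """Cross-check the version the sync database advertised against the
    version recorded inside the downloaded package.  Returns None when
    they agree and a human-readable mismatch description otherwise.
    This is the consistency check a downgrade via a crafted database
    relies on being absent."""
    info = read_pkginfo(blob)
    if info.get("pkgname") != db_entry["name"]:
        return (f"name mismatch: database says {db_entry['name']!r}, "
                f"package says {info.get('pkgname')!r}")
    if info.get("pkgver") != db_entry["version"]:
        return (f"version mismatch: database says {db_entry['version']!r}, "
                f"package says {info.get('pkgver')!r}")
    return None


if __name__ == "__main__":
    # Honest mirror: database entry and package agree.
    db_entry = {"name": "openssl", "version": "1.0.2d-1"}
    genuine = build_package("openssl", "1.0.2d-1")
    print("genuine:", check_package_against_db(db_entry, genuine))

    # Man-in-the-middle: the crafted database advertises 1.0.2d-1 (newer than
    # what the client has installed, so an upgrade is triggered), but the
    # bytes actually delivered are the older, previously shipped 1.0.2c-1.
    downgraded = build_package("openssl", "1.0.2c-1")
    print("downgrade attempt:", check_package_against_db(db_entry, downgraded))
```

Comparing the installed version against the database alone is what decides whether an upgrade happens; it is the second comparison, database version against the version inside the package, that stops the attacker from substituting the old file once that decision has been made.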
participants (1): Levente Polyak