Security researcher Georgi Guninski publicised his findings on the Full Disclosure security mailing list. They affect all versions of the Ubuntu Linux distribution and its derivatives, but not the upstream Debian distribution on which Ubuntu is based.

Guninski explains:

“It is trivial to generate a GPG key with key ID [matching the master key,]” 

He offered details on how to create a signing key that could be used in a man-in-the-middle attack.

This is a critical security flaw: an attacker could potentially trick a remote Ubuntu system into installing arbitrary code disguised as valid updates for installed packages by issuing an invalid key update.

The Ubuntu team is working on this issue and has not yet indicated a time scale for the patch's release.

Source: thinq