                 (__) 
                 (oo) 
           /------\/ 
          / |    ||   
         *  /\---/\ 
            ~~   ~~   
..."I did not see that coming"...

In APT 1.6, the mirror method (mirror://) was reworked. It turned out there was a problem in the rework: when a mirror fails, apt falls back to the next one. However, it did not verify the signature of the InRelease file fetched from the fallback mirror - the successful fallback download stood in for the gpg verification of the initial mirror.

Am I affected?

Affected versions

APT 1.6 series, starting at 1.6~alpha6. Fixed in 1.6.3ubuntu0.1 and 1.6.4.

APT 1.7 series (alphas), before 1.7.0~alpha3.

OS releases: Debian testing/unstable, experimental; Ubuntu 18.04, cosmic

Attack scenario

Timeline

Upgrading

It is highly recommended to replace any mirror:// (and mirror+http://, etc.) entries with standard http:// entries before performing the upgrade, especially if you are on an uncontrolled network.
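As an added check (not part of this advisory or of apt itself), the following Python script answers both questions above: it orders Debian version strings the way dpkg does and tests an apt version against the ranges listed under "Affected versions", and it scans sources.list-style text for mirror:// and mirror+<scheme>:// entries that should be replaced before upgrading. The hosts in the sample are constructed, and treating "1.7~" as the floor of the 1.7 series is an assumption.

```python
import re
# dpkg's character order: "~" sorts before everything (even end of string), letters before other characters
def _order(c):
    return -1 if c == "~" else 0 if c.isdigit() else ord(c) if c.isalpha() else ord(c) + 256

def _cmp_fragment(a, b):
    i = j = 0
    while i < len(a) or j < len(b):
        # non-digit run: compare character by character using _order
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        # digit run: compare numerically (an empty run counts as 0)
        da, db = re.match(r"\d*", a[i:]).group(), re.match(r"\d*", b[j:]).group()
        i, j = i + len(da), j + len(db)
        if int(da or 0) != int(db or 0):
            return int(da or 0) - int(db or 0)
    return 0

def cmp_versions(a, b):
    """Order two Debian version strings ([epoch:]upstream[-revision]) like dpkg --compare-versions."""
    def split(v):
        epoch, sep, rest = v.partition(":")
        epoch, rest = (epoch, rest) if sep else ("0", v)
        upstream, sep, revision = rest.rpartition("-")
        return int(epoch), (upstream if sep else rest), revision
    ea, ua, ra = split(a)
    eb, ub, rb = split(b)
    return (ea - eb) or _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)

def is_affected(version):
    """True when an apt version string falls inside the ranges the advisory lists."""
    def within(lo, hi):  # lo <= version < hi
        return cmp_versions(version, lo) >= 0 and cmp_versions(version, hi) < 0
    ubuntu_fixed = "ubuntu" in version and cmp_versions(version, "1.6.3ubuntu0.1") >= 0
    # assumption: "1.7~" sorts before every 1.7.x release, so it marks the start of the 1.7 series
    return (within("1.6~alpha6", "1.6.4") and not ubuntu_fixed) or within("1.7~", "1.7.0~alpha3")

# deb / deb-src lines whose URI uses the mirror method (mirror:// or mirror+<scheme>://)
_MIRROR_LINE = re.compile(r"^\s*deb(?:-src)?\s+(?:\[[^\]]*\]\s+)?(mirror(?:\+\S+?)?://\S+)")

def mirror_entries(sources_text):
    return [m.group(1) for m in map(_MIRROR_LINE.match, sources_text.splitlines()) if m]

SAMPLE_SOURCES = ("deb http://deb.debian.org/debian unstable main\n"  # constructed sample, hypothetical hosts
                  "deb mirror+http://mirrors.example.invalid/list.txt unstable main\n"
                  "deb-src [arch=amd64] mirror://mirrors.example.invalid/list.txt unstable main\n")
```

Feed it the version from `apt --version` and the contents of /etc/apt/sources.list and sources.list.d/*; any URI it returns should be swapped for a plain http:// entry before running the upgrade.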

                 (__)  
         _______~(..)~ 
           ,----\(oo) 
          /|____|,'    
         * /"\ /\   
           ~ ~ ~ ~     
..."Upgrade now!"...