USN-8249-1: dpkg vulnerability
Yashashree Gund discovered that the dpkg dpkg-deb tool incorrectly handled certain zstd-compressed .deb archives. If a user or automated system were tricked into manipulating a specially crafted .deb archive, a remote attacker could possibly use this issue to cause dpkg-deb to stop responding,...
pip Vulnerable to Inclusion of Functionality from Untrusted Control Sphere
pip prior to version 26.1 would run self-update check functionality after installing wheel files which required importing well-known Python modules names. These module imports were intentionally deferred to increase startup time of the pip CLI. The patch changes self-update functionality to run...
CVE-2026-2219
It was discovered that dpkg-deb (a component of dpkg, the Debian package management system) does not properly validate the end of the data stream when uncompressing a zstd-compressed .deb archive, which may result in denial of service (an infinite loop spinning the CPU)...
Fedora 43 : apt / python-apt (2026-1c47e433df)
The remote Fedora 43 host has packages installed that are affected by a vulnerability as referenced in the FEDORA-2026-1c47e433df advisory. Update to latest upstream release apt 3.1.15 and python-apt 3.1.0 ---- Update to latest upstream release apt 3.1.15, also fix build problem with previous...
Malicious code in tool-rocket-impulse-dotenv (npm)
Source: amazon-inspector (da69e02ea1de6c0283031e9f19b73ff166dcc8006bfd5f7ab0b19b6d484ba878). This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
MAL-2025-106478 Malicious code in obedient_spider-tool (npm)
Source: amazon-inspector (8aee542d232e9f5c9d2beb292c437f0a5f7f511e31a2d94a2f00fdecedb101d8). This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
MAL-2025-94197 Malicious code in elderly_fish_z3n (npm)
Source: amazon-inspector (5ad3930a467356e1d252bd1a3dbda398c7f4b4d43e671c73989352cc365761ea). This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in dian-tapai77-breki (npm)
Source: amazon-inspector (f95259dafb41e84ec9f9f031746bc1e243f93a43df0bedf39e1d384df7988aca). The package dian-tapai77-breki was found to contain malicious code. This package appears to be part of the tea.xyz token reward campaign that flooded...
EUVD-2018-1323
Malware in sbrugna...
USN-7768-1 dpkg vulnerability
It was discovered that dpkg incorrectly handled removing certain temporary directories. An attacker could possibly use this issue to consume disk space, leading to a denial of service...
ROS-20250904-10
The vulnerability in the dpkg-deb command line utility included in the dpkg package is related to how the package manager handles temporary files when extracting them to a temporary directory. Exploitation of the vulnerability could allow a remote attacker to cause a...
SUSE: Security Advisory (SUSE-SU-2025:02734-1)
The remote host is missing an update for the...
DEBIAN-CVE-2025-8454
It was discovered that uscan, a tool to scan/watch upstream sources for new releases of software, included in devscripts (a collection of scripts to make the life of a Debian package maintainer easier), skips OpenPGP verification if the upstream source was already downloaded by a previous run, even...
SUSE CVE-2015-0840
The dpkg-source command in Debian dpkg before 1.16.16 and 1.17.x before 1.17.25 allows remote attackers to bypass signature verification via a crafted Debian source control (.dsc) file...
USN-5446-1 dpkg vulnerability
Max Justicz discovered that dpkg incorrectly handled unpacking certain source packages. If a user or an automated system were tricked into unpacking a specially crafted source package, a remote attacker could modify files outside the target unpack directory, leading to a denial of service or...
Advanced Package Tool Remote Code Execution (CVE-2019-3462)
A remote code execution vulnerability exists in Advanced Package Tool. The vulnerability is due to a lack of sanitization of Location headers in HTTP responses. Successful exploitation could result in the installation and execution of altered packages...
Linux apt/apt-get Remote Code Execution Vulnerability
Linux is a free-to-use and freely distributed Unix-like operating system: a multi-user, multi-tasking, multi-threaded, multi-CPU-capable operating system based on POSIX and UNIX. A remote code execution vulnerability exists in Linux apt/apt-get. The vulnerability stems from apt's failure to...
BSA-2019-754
Security Advisory ID: BSA-2019-754. Component: APT. Revision: 1.0 (Final). A vulnerability in apt could allow a network man-in-the-middle or a malicious package mirror to execute arbitrary code as root on a machine installing any package. The bug has been fixed in the latest versions of apt. If...
DEBIAN-CVE-2018-0501
The mirror:// method implementation in Advanced Package Tool (APT) 1.6.x before 1.6.4 and 1.7.x before 1.7.0alpha3 mishandles gpg signature verification for the InRelease file of a fallback mirror, aka "mirrorfail"...
CVE-2018-0501
The CVE-2018-0501 detail: APT’s mirror:// handling in 1.6.x (pre-1.6.4) and 1.7.x (pre-1.7.0~alpha3) mishandles GPG verification for the InRelease file of a fallback mirror (mirrorfail). Impact: remote MITM could install altered packages when using mirror:// entries. Remediation: upgrade to 1.6.4...