21 matches found
CVE-2020-27350
Public technical details (affected package internals, exploit vectors, and fixes) for CVE-2020-27350 are not provided in the connected documents. The materials reference advisories but do not disclose root cause or remediation specifics; monitor for updates.
CVE-2020-27351
CVE-2020-27351 involves memory and file descriptor leaks in the apt-python components used by python-apt (python/arfile.cc, python/tag.cc, python/tarfile.cc). Affected packages include python-apt with listed Ubuntu/Debian release variants (e.g., 1.1.0~beta1ubuntu0.16.04.10; 1.6.5ubuntu0; 2.0.0ubu...
CVE-2019-3462
CVE-2019-3462 affects apt 1.4.8 and earlier due to incorrect sanitation of the 302 redirect field in the HTTP transport, enabling content injection by a MITM attacker and potentially leading to remote code execution. Public docs confirm the flaw is in apt’s redirect handling and that exploitation...
CVE-2011-3374
CVE-2011-3374 : Apt-key in apt (all versions) does not correctly validate GPG keys with the master keyring, enabling a potential man-in-the-middle attack. The IBM/X-Force bulletin for CVE-2011-3374 (linked in the connected docs) confirms the vulnerability and lists CWE-347 (Improper Verification ...
CVE-2016-1252
CVE-2016-1252 affects the apt package in Debian (Jessie before 1.0.9.8.4) and in Ubuntu (14.04 LTS before 1.0.1ubuntu2.17, 16.04 LTS before 1.2.15ubuntu0.2, 16.10 before 1.3.2ubuntu0.1; Debian unstable before 1.4~beta2). It permits MITM attackers to bypass repository-signing protection by exploit...
CVE-2018-0501
The CVE-2018-0501 detail: APT’s mirror:// handling in 1.6.x (pre-1.6.4) and 1.7.x (pre-1.7.0~alpha3) mishandles GPG verification for the InRelease file of a fallback mirror (mirrorfail). Impact: remote MITM could install altered packages when using mirror:// entries. Remediation: upgrade to 1.6.4...
CVE-2009-1300
CVE-2009-1300 affects the apt package (dpkg front-end) where the cron.daily script can fail to load security updates in time zones with DST at midnight because the date command’s return code is not checked. Connected advisories confirm the issue across multiple distributions (Debian etch, lenny; ...
CVE-2014-0487
CVE-2014-0487 affects APT prior to 1.0.9. The issue is that APT does not verify downloaded files if they have been modified as indicated by the If-Modified-Since header, with unspecified impact and attack vectors. CVSSv2 base score 7.5 (HIGH) from NVD, but the provided documents do not specify co...
CVE-2014-6273
Summary: CVE-2014-6273 is a buffer overflow in the HTTP transport code of apt-get in APT 1.0.1 and earlier , enabling MITM-induced DoS or possible arbitrary code execution via a crafted URL. Multiple connected records confirm: Debian/DLA-58-2 provides a regression fix for apt; OSV entries documen...
CVE-2009-1358
CVE-2009-1358 affects the Debian/Red Hat apt client: apt-get before 0.7.21 fails to validate the error code from gpgv, causing an otherwise revoked/expired OpenPGP key to be treated as valid and potentially allow installation of malicious repositories. Affected software is the apt package manager...
CVE-2014-7206
CVE-2014-7206 affects apt’s changelog retrieval: the changelog functionality before version 1.0.9.2 allows local users to overwrite arbitrary files via a symlink-based race. Vulnerable: apt, prior to 1.0.9.2. Root cause: insecure creation/use of temporary files during changelog access. Impact: lo...
CVE-2013-1051
CVE-2013-1051 affects apt versions 0.8.16 and 0.9.7 (and possibly others) through improper handling of InRelease files, enabling man-in-the-middle modification of packages before installation via unknown vectors. The underlying issue relates to repository integrity checks and third‑party reposito...
CVE-2012-0954
Affected software: APT 0.7.x before 0.7.25 and 0.8.x before 0.8.16. The vulnerability arises when using apt-key net-update to import keyrings: it relies on GnuPG argument order and does not validate GPG subkeys, which may allow remote attackers to perform a MITM and install altered packages. This...
CVE-2014-0478
CVE-2014-0478 affects APT prior to 1.0.4 and arises from improper validation of source packages, enabling MITM attackers to install Trojan horse packages by removing the Release signature. Connected advisories (Ubuntu USN-2246-1, Debian/DLA-0005-1, OSV references) corroborate the issue across Deb...
CVE-2011-3634
CVE-2011-3634 affects apt before 0.8.11, where methods/https.cc accepts HTTPS connections even when certificate hostname validation fails if Verify-Host is enabled. This misbehavior can allow a MITM to obtain repository credentials for HTTPS sources. The published descriptions (NVD and OSV family...
CVE-2014-0489
CVE-2014-0489 affects APT prior to 1.0.9: when Acquire::GzipIndexes is enabled, it does not validate checksums, enabling remote code execution via a crafted package. The vulnerability is documented across multiple feeds (NVD, OSV, Debian advisories) with a CVSS v2 base score of 7.5 (HIGH). Affect...
CVE-2014-0488
CVE-2014-0488 concerns APT before 1.0.9, where the package manager does not properly invalidate repository data when transitioning from unauthenticated to authenticated state. This can allow a remote attacker to influence repository data with unspecified impact. The connected advisories consisten...
CVE-2012-0961
CVE-2012-0961 affects apt in Ubuntu, where the package versions listed (0.8.16~exp5ubuntu13.x up to 0.9.7.5ubuntu5.x) expose world-readable permissions on /var/log/apt/term.log. This permits local users to read sensitive shell information from the log and is a local information-disclosure issue. ...
CVE-2014-0490
The CVE-2014-0490 issue affects APT’s download path prior to version 1.0.9, where apt-get download did not properly validate package signatures. This allows a crafted package to potentially execute arbitrary code on affected systems. Public advisories document the vulnerability in several distrib...
CVE-2011-1829
CVE-2011-1829 affects apt (
CVE-2012-3587
CVE-2012-3587 affects Apt 0.7.x before 0.7.25 and 0.8.x before 0.8.16. The flaw occurs when using apt-key net-update to import keyrings: it relies on GnuPG argument order and does not check GPG subkeys, which could allow remote attackers to install Trojan horse packages via a man-in-the-middle at...