
CVSS: 9.8 • EPSS: 0% • CPEs: 2 • EXPL: 0

16 Sep 2014 — APT before 1.0.9 does not verify downloaded files if they have been modified as indicated using the If-Modified-Since header, which has unspecified impact and attack vectors. It was discovered that APT did not re-verify downloaded files when the If-Modified-Since wasn't met. It was discovered that APT did not invali... • http://secunia.com/advisories/61275

CVSS: 9.8 • EPSS: 0% • CPEs: 2 • EXPL: 0

16 Sep 2014 — APT before 1.0.9 does not "invalidate repository data" when moving from an unauthenticated to authenticated state, which allows remote attackers to have unspecified impact via crafted repository data. It was discovered that APT did not re-verify downloaded files when th... • http://secunia.com/advisories/61275 • CWE-20: Improper Input Validation

CVSS: 9.8 • EPSS: 0% • CPEs: 3 • EXPL: 0

16 Sep 2014 — APT before 1.0.9, when the Acquire::GzipIndexes option is enabled, does not validate checksums, which allows remote attackers to execute arbitrary code via a crafted package. It was discovered that APT did not re-verify downloaded files when the If-Modified-Since wasn't met. It was discovered that APT did not invali... • http://secunia.com/advisories/61275 • CWE-20: Improper Input Validation

CVSS: 9.8 • EPSS: 0% • CPEs: 7 • EXPL: 0

16 Sep 2014 — The apt-get download command in APT before 1.0.9 does not properly validate signatures for packages, which allows remote attackers to execute arbitrary code via a crafted package. It was discovered that APT did not re-verify downloaded files when the If-Modified-Since wasn't met. It was discovered that APT did ... • http://secunia.com/advisories/61275 • CWE-20: Improper Input Validation

CVSS: 7.4 • EPSS: 0% • CPEs: 1 • EXPL: 1

13 Jun 2014 — APT before 1.0.4 does not properly validate source packages, which allows man-in-the-middle attackers to download and install Trojan horse packages by removing the Release signature. Jakub Wilk discovered that APT, the high level package manager, did not properly perform authentication checks for source pa... • http://secunia.com/advisories/58843 • CWE-20: Improper Input Validation

CVSS: 7.4 • EPSS: 0% • CPEs: 12 • EXPL: 0

28 Feb 2014 — methods/https.cc in apt before 0.8.11 accepts connections when the certificate host name fails validation and Verify-Host is enabled, which allows man-in-the-middle attackers to obtain repository credentials via unspecified vectors. • http://people.canonical.com/~ubuntu-security/cve/2011/CVE-2011-3634.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVSS: 7.4 • EPSS: 0% • CPEs: 5 • EXPL: 0

21 Mar 2013 — apt 0.8.16, 0.9.7, and possibly other versions does not properly handle InRelease files, which allows man-in-the-middle attackers to modify packages before installation via unknown vectors, possibly related to integrity checking and the use of third-party repositories. • http://osvdb.org/91428 • CWE-20: Improper Input Validation

CVSS: 5.5 • EPSS: 0% • CPEs: 2 • EXPL: 0

26 Dec 2012 — Apt 0.8.16~exp5ubuntu13.x before 0.8.16~exp5ubuntu13.6, 0.8.16~exp12ubuntu10.x before 0.8.16~exp12ubuntu10.7, and 0.9.7.5ubuntu5.x before 0.9.7.5ubuntu5.2, as used in Ubuntu, uses world-readable permissions for /var/log/apt/term.log, which allows local users to obtain sensitive shell information by reading the log file. • http://osvdb.org/88380 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVSS: 7.4 • EPSS: 0% • CPEs: 61 • EXPL: 0

19 Jun 2012 — APT 0.7.x before 0.7.25 and 0.8.x before 0.8.16, when using the apt-key net-update to import keyrings, relies on GnuPG argument order and does not check GPG subkeys, which might allow remote attackers to install Trojan horse packages via a man-in-the-middle (MITM) attack. • http://seclists.org/fulldisclosure/2012/Jun/267 • CWE-20: Improper Input Validation

CVSS: 7.4 • EPSS: 0% • CPEs: 61 • EXPL: 0

19 Jun 2012 — APT 0.7.x before 0.7.25 and 0.8.x before 0.8.16, when using the apt-key net-update to import keyrings, relies on GnuPG argument order and does not check GPG subkeys, which might allow remote attackers to install altered packages via a man-in-the-middle (MITM) attack. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-3587. • http://seclists.org/fulldisclosure/2012/Jun/267 • CWE-20: Improper Input Validation