CVE-2014-0478
https://notcve.org/view.php?id=CVE-2014-0478
APT before 1.0.4 does not properly validate source packages, which allows man-in-the-middle attackers to download and install Trojan horse packages by removing the Release signature. APT anterior a 1.0.4 no valida debidamente paquetes de fuentes, lo que permite a atacantes man-in-the-middle descargar e instalar paquetes de caballos de troya mediante la eliminación de la firma Release. • http://secunia.com/advisories/58843 http://secunia.com/advisories/59358 http://www.debian.org/security/2014/dsa-2958 http://www.ubuntu.com/usn/USN-2246-1 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=749795 • CWE-20: Improper Input Validation •
CVE-2013-1051
https://notcve.org/view.php?id=CVE-2013-1051
apt 0.8.16, 0.9.7, and possibly other versions does not properly handle InRelease files, which allows man-in-the-middle attackers to modify packages before installation via unknown vectors, possibly related to integrity checking and the use of third-party repositories. apt v0.8.16, v0.9.7 y posiblemente otras versiones no trata correctamente los archivos InRelease, lo que permite man-in-the-middle atacantes para modificar los paquetes antes de la instalación a través de vectores desconocidos, posiblemente relacionadas con la comprobación de la integridad y el uso de terceros repositorios del partido. • http://osvdb.org/91428 http://secunia.com/advisories/52633 http://www.ubuntu.com/usn/USN-1762-1 • CWE-20: Improper Input Validation •
CVE-2012-0961
https://notcve.org/view.php?id=CVE-2012-0961
Apt 0.8.16~exp5ubuntu13.x before 0.8.16~exp5ubuntu13.6, 0.8.16~exp12ubuntu10.x before 0.8.16~exp12ubuntu10.7, and 0.9.7.5ubuntu5.x before 0.9.7.5ubuntu5.2, as used in Ubuntu, uses world-readable permissions for /var/log/apt/term.log, which allows local users to obtain sensitive shell information by reading the log file. Apt v0.8.16~exp5ubuntu13.x antes de v0.8.16~exp5ubuntu13.6, v0.8.16~exp12ubuntu10.x antes de v0.8.16v0.8.16~exp12ubuntu10.7 y v0.9.7.5ubuntu5.x antes de v0.9.7.5ubuntu5.2, tal y como se usa en Ubuntu, usa permisos de lectura para todo el mundo en /var/log/apt/term.log lo que permite a usuarios locales obtener información sensible de la shell leyendo el archivo de registro. • http://osvdb.org/88380 http://secunia.com/advisories/51568 http://www.securityfocus.com/bid/56917 http://www.ubuntu.com/usn/USN-1662-1 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2012-3587
https://notcve.org/view.php?id=CVE-2012-3587
APT 0.7.x before 0.7.25 and 0.8.x before 0.8.16, when using the apt-key net-update to import keyrings, relies on GnuPG argument order and does not check GPG subkeys, which might allow remote attackers to install Trojan horse packages via a man-in-the-middle (MITM) attack. APT v0.7.x antes de v0.7.25 y v0.8.x antes de v0.8.16, cuando se utiliza el apt-key net-update para importar archivos de claves, se basa en el orden de los argumentos GnuPG y no verifica subclaves GPG, lo que podría permitir a atacantes remotos instalar paquetes de caballos de troya a través de un ataque man-in-the-middle (MITM). • http://seclists.org/fulldisclosure/2012/Jun/267 http://www.ubuntu.com/usn/USN-1475-1 http://www.ubuntu.com/usn/USN-1477-1 https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1013128 • CWE-20: Improper Input Validation •
CVE-2012-0954
https://notcve.org/view.php?id=CVE-2012-0954
APT 0.7.x before 0.7.25 and 0.8.x before 0.8.16, when using the apt-key net-update to import keyrings, relies on GnuPG argument order and does not check GPG subkeys, which might allow remote attackers to install altered packages via a man-in-the-middle (MITM) attack. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-3587. APT v0.7.x antes de v0.7.25 y v0.8.x antes de v0.8.16, cuando se utiliza el apt-key net-update para importar archivos de claves, se basa en el orden de los argumentos GnuPG y no verifica subclaves GPG, lo que podría permitir a atacantes remotos instalar paquetes alterados a través de un ataque man-in-the-middle (MITM). NOTA: esta vulnerabilidad existe debido a una solución incompleta para CVE-2012-3587. • http://seclists.org/fulldisclosure/2012/Jun/267 http://seclists.org/fulldisclosure/2012/Jun/271 http://seclists.org/fulldisclosure/2012/Jun/289 http://www.securityfocus.com/bid/54046 http://www.ubuntu.com/usn/USN-1475-1 http://www.ubuntu.com/usn/USN-1477-1 https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1013128 https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1013639 https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1013681 • CWE-20: Improper Input Validation •