CVE-2014-0488
https://notcve.org/view.php?id=CVE-2014-0488
APT before 1.0.9 does not "invalidate repository data" when moving from an unauthenticated to authenticated state, which allows remote attackers to have unspecified impact via crafted repository data. APT anterior a 1.0.9 no 'invalida los datos del repositorio' cuando se traslada de un estado no autenticado a uno autenticado, lo que permite a atacantes remotos tener un impacto no especificado a través de datos del repositorio manipulados. • http://secunia.com/advisories/61275 http://secunia.com/advisories/61286 http://ubuntu.com/usn/usn-2348-1 http://www.debian.org/security/2014/dsa-3025 • CWE-20: Improper Input Validation •
CVE-2014-0489
https://notcve.org/view.php?id=CVE-2014-0489
APT before 1.0.9, when the Acquire::GzipIndexes option is enabled, does not validate checksums, which allows remote attackers to execute arbitrary code via a crafted package. APT anterior a 1.0.9, cunado la opción Acquire::GzipIndexes está habilitada, no valida checksums, lo que permite a atacantes remotos ejecutar código arbitrario a través de un paquete manipulado. • http://secunia.com/advisories/61275 http://secunia.com/advisories/61286 http://ubuntu.com/usn/usn-2348-1 http://www.debian.org/security/2014/dsa-3025 • CWE-20: Improper Input Validation •
CVE-2014-0490
https://notcve.org/view.php?id=CVE-2014-0490
The apt-get download command in APT before 1.0.9 does not properly validate signatures for packages, which allows remote attackers to execute arbitrary code via a crafted package. El comando de descarga apt-get en APT anterior a 1.0.9 no valida debidamente las firmas para paquetes, lo que permite a atacantes remotos ejecutar código arbitrario a través de un paquete manipulado. • http://secunia.com/advisories/61275 http://secunia.com/advisories/61286 http://ubuntu.com/usn/usn-2348-1 http://www.debian.org/security/2014/dsa-3025 • CWE-20: Improper Input Validation •
CVE-2014-0478
https://notcve.org/view.php?id=CVE-2014-0478
APT before 1.0.4 does not properly validate source packages, which allows man-in-the-middle attackers to download and install Trojan horse packages by removing the Release signature. APT anterior a 1.0.4 no valida debidamente paquetes de fuentes, lo que permite a atacantes man-in-the-middle descargar e instalar paquetes de caballos de troya mediante la eliminación de la firma Release. • http://secunia.com/advisories/58843 http://secunia.com/advisories/59358 http://www.debian.org/security/2014/dsa-2958 http://www.ubuntu.com/usn/USN-2246-1 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=749795 • CWE-20: Improper Input Validation •
CVE-2013-1051
https://notcve.org/view.php?id=CVE-2013-1051
apt 0.8.16, 0.9.7, and possibly other versions does not properly handle InRelease files, which allows man-in-the-middle attackers to modify packages before installation via unknown vectors, possibly related to integrity checking and the use of third-party repositories. apt v0.8.16, v0.9.7 y posiblemente otras versiones no trata correctamente los archivos InRelease, lo que permite man-in-the-middle atacantes para modificar los paquetes antes de la instalación a través de vectores desconocidos, posiblemente relacionadas con la comprobación de la integridad y el uso de terceros repositorios del partido. • http://osvdb.org/91428 http://secunia.com/advisories/52633 http://www.ubuntu.com/usn/USN-1762-1 • CWE-20: Improper Input Validation •