CVSS: 7.4EPSS: 0%CPEs: 12EXPL: 0CVE-2011-3634
https://notcve.org/view.php?id=CVE-2011-3634
28 Feb 2014 — methods/https.cc in apt before 0.8.11 accepts connections when the certificate host name fails validation and Verify-Host is enabled, which allows man-in-the-middle attackers to obtain repository credentials via unspecified vectors. methods/https.cc en apt anterior a 0.8.11 acepta conexiones cuando el nombre de host del certificado falla la validación y Verify-Host está habilitado, lo que permite a atacantes man-in-the-middle obtener credenciales de repositorios a través de vectores no especificados. • http://people.canonical.com/~ubuntu-security/cve/2011/CVE-2011-3634.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.4EPSS: 0%CPEs: 5EXPL: 0CVE-2013-1051
https://notcve.org/view.php?id=CVE-2013-1051
21 Mar 2013 — apt 0.8.16, 0.9.7, and possibly other versions does not properly handle InRelease files, which allows man-in-the-middle attackers to modify packages before installation via unknown vectors, possibly related to integrity checking and the use of third-party repositories. apt v0.8.16, v0.9.7 y posiblemente otras versiones no trata correctamente los archivos InRelease, lo que permite man-in-the-middle atacantes para modificar los paquetes antes de la instalación a través de vectores desconocidos, posiblemente r... • http://osvdb.org/91428 • CWE-20: Improper Input Validation •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2012-0961
https://notcve.org/view.php?id=CVE-2012-0961
26 Dec 2012 — Apt 0.8.16~exp5ubuntu13.x before 0.8.16~exp5ubuntu13.6, 0.8.16~exp12ubuntu10.x before 0.8.16~exp12ubuntu10.7, and 0.9.7.5ubuntu5.x before 0.9.7.5ubuntu5.2, as used in Ubuntu, uses world-readable permissions for /var/log/apt/term.log, which allows local users to obtain sensitive shell information by reading the log file. Apt v0.8.16~exp5ubuntu13.x antes de v0.8.16~exp5ubuntu13.6, v0.8.16~exp12ubuntu10.x antes de v0.8.16v0.8.16~exp12ubuntu10.7 y v0.9.7.5ubuntu5.x antes de v0.9.7.5ubuntu5.2, tal y como se usa ... • http://osvdb.org/88380 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.4EPSS: 0%CPEs: 61EXPL: 0CVE-2012-3587
https://notcve.org/view.php?id=CVE-2012-3587
19 Jun 2012 — APT 0.7.x before 0.7.25 and 0.8.x before 0.8.16, when using the apt-key net-update to import keyrings, relies on GnuPG argument order and does not check GPG subkeys, which might allow remote attackers to install Trojan horse packages via a man-in-the-middle (MITM) attack. APT v0.7.x antes de v0.7.25 y v0.8.x antes de v0.8.16, cuando se utiliza el apt-key net-update para importar archivos de claves, se basa en el orden de los argumentos GnuPG y no verifica subclaves GPG, lo que podría permitir a atacantes re... • http://seclists.org/fulldisclosure/2012/Jun/267 • CWE-20: Improper Input Validation •
CVSS: 7.4EPSS: 0%CPEs: 61EXPL: 0CVE-2012-0954
https://notcve.org/view.php?id=CVE-2012-0954
19 Jun 2012 — APT 0.7.x before 0.7.25 and 0.8.x before 0.8.16, when using the apt-key net-update to import keyrings, relies on GnuPG argument order and does not check GPG subkeys, which might allow remote attackers to install altered packages via a man-in-the-middle (MITM) attack. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-3587. APT v0.7.x antes de v0.7.25 y v0.8.x antes de v0.8.16, cuando se utiliza el apt-key net-update para importar archivos de claves, se basa en el orden de los argument... • http://seclists.org/fulldisclosure/2012/Jun/267 • CWE-20: Improper Input Validation •
CVSS: 5.9EPSS: 0%CPEs: 2EXPL: 0CVE-2011-1829
https://notcve.org/view.php?id=CVE-2011-1829
27 Jul 2011 — APT before 0.8.15.2 does not properly validate inline GPG signatures, which allows man-in-the-middle attackers to install modified packages via vectors involving lack of an initial clearsigned message. APT en versiones anteriores a la 0.8.15.2 no valida apropiadamente las firmas GPG adjuntas ("inline"), lo que permite atacantes de hombre en el medio ("man-in-the-middle") instalar paquetes modificados a través de vectores que involucran la falta de un mensaje inicial "clearsigned" (firmado en claro). • http://launchpadlibrarian.net/75126628/apt_0.8.13.2ubuntu2_0.8.13.2ubuntu4.1.diff.gz • CWE-20: Improper Input Validation •
CVSS: 10.0EPSS: 2%CPEs: 180EXPL: 0CVE-2009-1358
https://notcve.org/view.php?id=CVE-2009-1358
21 Apr 2009 — apt-get in apt before 0.7.21 does not check for the correct error code from gpgv, which causes apt to treat a repository as valid even when it has been signed with a key that has been revoked or expired, which might allow remote attackers to trick apt into installing malicious repositories. apt-get in apt anterior a 0.7.21 no comprueba adecuadamente el error de codigo en gpgv, lo que hace que apt utilice un repositorio firmado con una clave que ha sido revocada o ha caducado, lo que permite a atacantes remo... • http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=433091 •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2009-1300
https://notcve.org/view.php?id=CVE-2009-1300
16 Apr 2009 — apt 0.7.20 does not check when the date command returns an "invalid date" error, which can prevent apt from loading security updates in time zones for which DST occurs at midnight. apt 0.7.20 no comprueba si el comando "date" devuelve un error de "invalid date" (fecha no válida) que puede prevenir a apt de la carga de actualizaciones de seguridad en zonas horarias para las cuales DST se produce a medianoche. • http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=523213 • CWE-20: Improper Input Validation •