CVSS: 7.4EPSS: 0%CPEs: 5EXPL: 0CVE-2013-1051 – Ubuntu Security Notice USN-1762-1
https://notcve.org/view.php?id=CVE-2013-1051
14 Mar 2013 — apt 0.8.16, 0.9.7, and possibly other versions does not properly handle InRelease files, which allows man-in-the-middle attackers to modify packages before installation via unknown vectors, possibly related to integrity checking and the use of third-party repositories. apt v0.8.16, v0.9.7 y posiblemente otras versiones no trata correctamente los archivos InRelease, lo que permite man-in-the-middle atacantes para modificar los paquetes antes de la instalación a través de vectores desconocidos, posiblemente r... • http://osvdb.org/91428 • CWE-20: Improper Input Validation •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2012-0961 – Ubuntu Security Notice USN-1662-1
https://notcve.org/view.php?id=CVE-2012-0961
13 Dec 2012 — Apt 0.8.16~exp5ubuntu13.x before 0.8.16~exp5ubuntu13.6, 0.8.16~exp12ubuntu10.x before 0.8.16~exp12ubuntu10.7, and 0.9.7.5ubuntu5.x before 0.9.7.5ubuntu5.2, as used in Ubuntu, uses world-readable permissions for /var/log/apt/term.log, which allows local users to obtain sensitive shell information by reading the log file. Apt v0.8.16~exp5ubuntu13.x antes de v0.8.16~exp5ubuntu13.6, v0.8.16~exp12ubuntu10.x antes de v0.8.16v0.8.16~exp12ubuntu10.7 y v0.9.7.5ubuntu5.x antes de v0.9.7.5ubuntu5.2, tal y como se usa ... • http://osvdb.org/88380 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.4EPSS: 0%CPEs: 61EXPL: 0CVE-2012-3587
https://notcve.org/view.php?id=CVE-2012-3587
19 Jun 2012 — APT 0.7.x before 0.7.25 and 0.8.x before 0.8.16, when using the apt-key net-update to import keyrings, relies on GnuPG argument order and does not check GPG subkeys, which might allow remote attackers to install Trojan horse packages via a man-in-the-middle (MITM) attack. APT v0.7.x antes de v0.7.25 y v0.8.x antes de v0.8.16, cuando se utiliza el apt-key net-update para importar archivos de claves, se basa en el orden de los argumentos GnuPG y no verifica subclaves GPG, lo que podría permitir a atacantes re... • http://seclists.org/fulldisclosure/2012/Jun/267 • CWE-20: Improper Input Validation •
CVSS: 7.4EPSS: 0%CPEs: 61EXPL: 0CVE-2012-0954 – Ubuntu Security Notice USN-1477-1
https://notcve.org/view.php?id=CVE-2012-0954
16 Jun 2012 — APT 0.7.x before 0.7.25 and 0.8.x before 0.8.16, when using the apt-key net-update to import keyrings, relies on GnuPG argument order and does not check GPG subkeys, which might allow remote attackers to install altered packages via a man-in-the-middle (MITM) attack. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-3587. APT v0.7.x antes de v0.7.25 y v0.8.x antes de v0.8.16, cuando se utiliza el apt-key net-update para importar archivos de claves, se basa en el orden de los argument... • http://seclists.org/fulldisclosure/2012/Jun/267 • CWE-20: Improper Input Validation •
CVSS: 5.9EPSS: 0%CPEs: 6EXPL: 0CVE-2012-0214 – Ubuntu Security Notice USN-1385-1
https://notcve.org/view.php?id=CVE-2012-0214
06 Mar 2012 — The pkgAcqMetaClearSig::Failed method in apt-pkg/acquire-item.cc in Advanced Package Tool (APT) 0.8.11 through 0.8.15.10 and 0.8.16 before 0.8.16~exp13, when updating from repositories that use InRelease files, allows man-in-the-middle attackers to install arbitrary packages by preventing a user from downloading the new InRelease file, which leaves the original InRelease file active and makes it more difficult to detect that the Packages file is modified and unsigned. El método pkgAcqMetaClearSig::Failed en... • http://anonscm.debian.org/gitweb/?p=apt/apt.git%3Ba=commitdiff%3Bh=b7a6594d1e5ed199a7a472b78b33e070375d6f92 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 7.4EPSS: 0%CPEs: 12EXPL: 0CVE-2011-3634 – Ubuntu Security Notice USN-1283-1
https://notcve.org/view.php?id=CVE-2011-3634
28 Nov 2011 — methods/https.cc in apt before 0.8.11 accepts connections when the certificate host name fails validation and Verify-Host is enabled, which allows man-in-the-middle attackers to obtain repository credentials via unspecified vectors. methods/https.cc en apt anterior a 0.8.11 acepta conexiones cuando el nombre de host del certificado falla la validación y Verify-Host está habilitado, lo que permite a atacantes man-in-the-middle obtener credenciales de repositorios a través de vectores no especificados. It was... • http://people.canonical.com/~ubuntu-security/cve/2011/CVE-2011-3634.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 5.9EPSS: 0%CPEs: 2EXPL: 0CVE-2011-1829 – Ubuntu Security Notice USN-1169-1
https://notcve.org/view.php?id=CVE-2011-1829
14 Jul 2011 — APT before 0.8.15.2 does not properly validate inline GPG signatures, which allows man-in-the-middle attackers to install modified packages via vectors involving lack of an initial clearsigned message. APT en versiones anteriores a la 0.8.15.2 no valida apropiadamente las firmas GPG adjuntas ("inline"), lo que permite atacantes de hombre en el medio ("man-in-the-middle") instalar paquetes modificados a través de vectores que involucran la falta de un mensaje inicial "clearsigned" (firmado en claro). William... • http://launchpadlibrarian.net/75126628/apt_0.8.13.2ubuntu2_0.8.13.2ubuntu4.1.diff.gz • CWE-20: Improper Input Validation •
CVSS: 10.0EPSS: 1%CPEs: 180EXPL: 0CVE-2009-1358 – Debian Linux Security Advisory 1779-1
https://notcve.org/view.php?id=CVE-2009-1358
21 Apr 2009 — apt-get in apt before 0.7.21 does not check for the correct error code from gpgv, which causes apt to treat a repository as valid even when it has been signed with a key that has been revoked or expired, which might allow remote attackers to trick apt into installing malicious repositories. apt-get in apt anterior a 0.7.21 no comprueba adecuadamente el error de codigo en gpgv, lo que hace que apt utilice un repositorio firmado con una clave que ha sido revocada o ha caducado, lo que permite a atacantes remo... • http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=433091 •
CVSS: 10.0EPSS: 1%CPEs: 1EXPL: 0CVE-2009-1300 – Debian Linux Security Advisory 1779-1
https://notcve.org/view.php?id=CVE-2009-1300
16 Apr 2009 — apt 0.7.20 does not check when the date command returns an "invalid date" error, which can prevent apt from loading security updates in time zones for which DST occurs at midnight. apt 0.7.20 no comprueba si el comando "date" devuelve un error de "invalid date" (fecha no válida) que puede prevenir a apt de la carga de actualizaciones de seguridad en zonas horarias para las cuales DST se produce a medianoche. Alexandre Martani discovered that the APT daily cron script did not check the return code of the dat... • http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=523213 • CWE-20: Improper Input Validation •