Apt
by Debian
Source repositories
- https://github.com/Debian/aptarchived
CVEs (15)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2016-1252 | Med | 0.42 | 5.9 | 0.07 | Dec 5, 2017 | The apt package in Debian jessie before 1.0.9.8.4, in Debian unstable before 1.4~beta2, in Ubuntu 14.04 LTS before 1.0.1ubuntu2.17, in Ubuntu 16.04 LTS before 1.2.15ubuntu0.2, and in Ubuntu 16.10 before 1.3.2ubuntu0.1 allows man-in-the-middle attackers to bypass a… | ||
| CVE-2018-0501 | Med | 0.38 | 5.9 | 0.01 | Aug 21, 2018 | The mirror:// method implementation in Advanced Package Tool (APT) 1.6.x before 1.6.4 and 1.7.x before 1.7.0~alpha3 mishandles gpg signature verification for the InRelease file of a fallback mirror, aka mirrorfail. | ||
| CVE-2020-27350 | 0.00 | — | 0.00 | Dec 10, 2020 | APT had several integer overflows and underflows while parsing .deb packages, aka GHSL-2020-168 GHSL-2020-169, in files apt-pkg/contrib/extracttar.cc, apt-pkg/deb/debfile.cc, and apt-pkg/contrib/arfile.cc. This issue affects: apt 1.2.32ubuntu0 versions prior to 1.2.32ubuntu0.2;… | |||
| CVE-2020-3810 | 0.00 | — | 0.01 | May 15, 2020 | Missing input validation in the ar/tar implementations of APT before version 2.1.2 could result in denial of service when processing specially crafted deb files. | |||
| CVE-2011-3374 | 0.00 | — | 0.01 | Nov 25, 2019 | It was found that apt-key in apt, all versions, do not correctly validate gpg keys with the master keyring, leading to a potential man-in-the-middle attack. | |||
| CVE-2014-0489 | 0.00 | — | 0.04 | Nov 3, 2014 | APT before 1.0.9, when the Acquire::GzipIndexes option is enabled, does not validate checksums, which allows remote attackers to execute arbitrary code via a crafted package. | |||
| CVE-2014-0487 | 0.00 | — | 0.02 | Nov 3, 2014 | APT before 1.0.9 does not verify downloaded files if they have been modified as indicated using the If-Modified-Since header, which has unspecified impact and attack vectors. | |||
| CVE-2014-7206 | 0.00 | — | 0.00 | Oct 15, 2014 | The changelog command in Apt before 1.0.9.2 allows local users to write to arbitrary files via a symlink attack on the changelog file. | |||
| CVE-2014-0478 | 0.00 | — | 0.02 | Jun 17, 2014 | APT before 1.0.4 does not properly validate source packages, which allows man-in-the-middle attackers to download and install Trojan horse packages by removing the Release signature. | |||
| CVE-2012-0214 | 0.00 | — | 0.01 | Apr 15, 2014 | The pkgAcqMetaClearSig::Failed method in apt-pkg/acquire-item.cc in Advanced Package Tool (APT) 0.8.11 through 0.8.15.10 and 0.8.16 before 0.8.16~exp13, when updating from repositories that use InRelease files, allows man-in-the-middle attackers to install arbitrary packages by… | |||
| CVE-2013-1051 | 0.00 | — | 0.01 | Mar 21, 2013 | apt 0.8.16, 0.9.7, and possibly other versions does not properly handle InRelease files, which allows man-in-the-middle attackers to modify packages before installation via unknown vectors, possibly related to integrity checking and the use of third-party repositories. | |||
| CVE-2012-0961 | 0.00 | — | 0.00 | Dec 26, 2012 | Apt 0.8.16~exp5ubuntu13.x before 0.8.16~exp5ubuntu13.6, 0.8.16~exp12ubuntu10.x before 0.8.16~exp12ubuntu10.7, and 0.9.7.5ubuntu5.x before 0.9.7.5ubuntu5.2, as used in Ubuntu, uses world-readable permissions for /var/log/apt/term.log, which allows local users to obtain sensitive… | |||
| CVE-2011-1829 | 0.00 | — | 0.02 | Jul 27, 2011 | APT before 0.8.15.2 does not properly validate inline GPG signatures, which allows man-in-the-middle attackers to install modified packages via vectors involving lack of an initial clearsigned message. | |||
| CVE-2009-1358 | 0.00 | — | 0.04 | Apr 21, 2009 | apt-get in apt before 0.7.21 does not check for the correct error code from gpgv, which causes apt to treat a repository as valid even when it has been signed with a key that has been revoked or expired, which might allow remote attackers to trick apt into installing malicious… | |||
| CVE-2009-1300 | 0.00 | — | 0.02 | Apr 16, 2009 | apt 0.7.20 does not check when the date command returns an "invalid date" error, which can prevent apt from loading security updates in time zones for which DST occurs at midnight. |
- risk 0.42cvss 5.9epss 0.07
The apt package in Debian jessie before 1.0.9.8.4, in Debian unstable before 1.4~beta2, in Ubuntu 14.04 LTS before 1.0.1ubuntu2.17, in Ubuntu 16.04 LTS before 1.2.15ubuntu0.2, and in Ubuntu 16.10 before 1.3.2ubuntu0.1 allows man-in-the-middle attackers to bypass a…
- risk 0.38cvss 5.9epss 0.01
The mirror:// method implementation in Advanced Package Tool (APT) 1.6.x before 1.6.4 and 1.7.x before 1.7.0~alpha3 mishandles gpg signature verification for the InRelease file of a fallback mirror, aka mirrorfail.
- CVE-2020-27350Dec 10, 2020risk 0.00cvss —epss 0.00
APT had several integer overflows and underflows while parsing .deb packages, aka GHSL-2020-168 GHSL-2020-169, in files apt-pkg/contrib/extracttar.cc, apt-pkg/deb/debfile.cc, and apt-pkg/contrib/arfile.cc. This issue affects: apt 1.2.32ubuntu0 versions prior to 1.2.32ubuntu0.2;…
- CVE-2020-3810May 15, 2020risk 0.00cvss —epss 0.01
Missing input validation in the ar/tar implementations of APT before version 2.1.2 could result in denial of service when processing specially crafted deb files.
- CVE-2011-3374Nov 25, 2019risk 0.00cvss —epss 0.01
It was found that apt-key in apt, all versions, do not correctly validate gpg keys with the master keyring, leading to a potential man-in-the-middle attack.
- CVE-2014-0489Nov 3, 2014risk 0.00cvss —epss 0.04
APT before 1.0.9, when the Acquire::GzipIndexes option is enabled, does not validate checksums, which allows remote attackers to execute arbitrary code via a crafted package.
- CVE-2014-0487Nov 3, 2014risk 0.00cvss —epss 0.02
APT before 1.0.9 does not verify downloaded files if they have been modified as indicated using the If-Modified-Since header, which has unspecified impact and attack vectors.
- CVE-2014-7206Oct 15, 2014risk 0.00cvss —epss 0.00
The changelog command in Apt before 1.0.9.2 allows local users to write to arbitrary files via a symlink attack on the changelog file.
- CVE-2014-0478Jun 17, 2014risk 0.00cvss —epss 0.02
APT before 1.0.4 does not properly validate source packages, which allows man-in-the-middle attackers to download and install Trojan horse packages by removing the Release signature.
- CVE-2012-0214Apr 15, 2014risk 0.00cvss —epss 0.01
The pkgAcqMetaClearSig::Failed method in apt-pkg/acquire-item.cc in Advanced Package Tool (APT) 0.8.11 through 0.8.15.10 and 0.8.16 before 0.8.16~exp13, when updating from repositories that use InRelease files, allows man-in-the-middle attackers to install arbitrary packages by…
- CVE-2013-1051Mar 21, 2013risk 0.00cvss —epss 0.01
apt 0.8.16, 0.9.7, and possibly other versions does not properly handle InRelease files, which allows man-in-the-middle attackers to modify packages before installation via unknown vectors, possibly related to integrity checking and the use of third-party repositories.
- CVE-2012-0961Dec 26, 2012risk 0.00cvss —epss 0.00
Apt 0.8.16~exp5ubuntu13.x before 0.8.16~exp5ubuntu13.6, 0.8.16~exp12ubuntu10.x before 0.8.16~exp12ubuntu10.7, and 0.9.7.5ubuntu5.x before 0.9.7.5ubuntu5.2, as used in Ubuntu, uses world-readable permissions for /var/log/apt/term.log, which allows local users to obtain sensitive…
- CVE-2011-1829Jul 27, 2011risk 0.00cvss —epss 0.02
APT before 0.8.15.2 does not properly validate inline GPG signatures, which allows man-in-the-middle attackers to install modified packages via vectors involving lack of an initial clearsigned message.
- CVE-2009-1358Apr 21, 2009risk 0.00cvss —epss 0.04
apt-get in apt before 0.7.21 does not check for the correct error code from gpgv, which causes apt to treat a repository as valid even when it has been signed with a key that has been revoked or expired, which might allow remote attackers to trick apt into installing malicious…
- CVE-2009-1300Apr 16, 2009risk 0.00cvss —epss 0.02
apt 0.7.20 does not check when the date command returns an "invalid date" error, which can prevent apt from loading security updates in time zones for which DST occurs at midnight.