Advanced Package Tool

advanced_package_tool

Vendor: Debian • 21 CVEs

CVEs (21)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2020-27351 1Debian 1Advanced Package Tool Nov 21, 2024 Dec 10, 2020 N/A· v4 2.8 LOW· v3 2.1 LOW· v2 Various memory and file descriptor leaks were found in apt-python files python/arfile.cc, python/tag.cc, python/tarfile.cc, aka GHSL-2020-170. This issue affects: python-apt 1.1.0~beta1 versions prior to 1.1.0~beta1ubunt...Show more Various memory and file descriptor leaks were found in apt-python files python/arfile.cc, python/tag.cc, python/tarfile.cc, aka GHSL-2020-170. This issue affects: python-apt 1.1.0~beta1 versions prior to 1.1.0~beta1ubuntu0.16.04.10; 1.6.5ubuntu0 versions prior to 1.6.5ubuntu0.4; 2.0.0ubuntu0 versions prior to 2.0.0ubuntu0.20.04.2; 2.1.3ubuntu1 versions prior to 2.1.3ubuntu1.1;Show less
CVE-2020-27350 2Debian Netapp 2Advanced Package Tool Solidfire Baseboard Management Controller Firmware Nov 21, 2024 Dec 10, 2020 N/A· v4 5.7 MEDIUM· v3 4.6 MEDIUM· v2 APT had several integer overflows and underflows while parsing .deb packages, aka GHSL-2020-168 GHSL-2020-169, in files apt-pkg/contrib/extracttar.cc, apt-pkg/deb/debfile.cc, and apt-pkg/contrib/arfile.cc. This issue aff...Show more APT had several integer overflows and underflows while parsing .deb packages, aka GHSL-2020-168 GHSL-2020-169, in files apt-pkg/contrib/extracttar.cc, apt-pkg/deb/debfile.cc, and apt-pkg/contrib/arfile.cc. This issue affects: apt 1.2.32ubuntu0 versions prior to 1.2.32ubuntu0.2; 1.6.12ubuntu0 versions prior to 1.6.12ubuntu0.2; 2.0.2ubuntu0 versions prior to 2.0.2ubuntu0.2; 2.1.10ubuntu0 versions prior to 2.1.10ubuntu0.1;Show less
CVE-2011-3374 1Debian 2Advanced Package Tool Debian Linux Nov 21, 2024 Nov 26, 2019 N/A· v4 3.7 LOW· v3 4.3 MEDIUM· v2 It was found that apt-key in apt, all versions, do not correctly validate gpg keys with the master keyring, leading to a potential man-in-the-middle attack.
CVE-2019-3462 3Canonical DebianNetapp 5Active Iq Advanced Package ToolDebian Linux+2 more Nov 21, 2024 Jan 28, 2019 N/A· v4 8.1 HIGH· v3 9.3 HIGH· v2 Incorrect sanitation of the 302 redirect field in HTTP transport method of apt versions 1.4.8 and earlier can lead to content injection by a MITM attacker, potentially leading to remote code execution on the target machi...Show more Incorrect sanitation of the 302 redirect field in HTTP transport method of apt versions 1.4.8 and earlier can lead to content injection by a MITM attacker, potentially leading to remote code execution on the target machine.Show less
CVE-2018-0501 2Canonical Debian 2Advanced Package Tool Ubuntu Linux Nov 21, 2024 Aug 21, 2018 N/A· v4 5.9 MEDIUM· v3 4.3 MEDIUM· v2 The mirror:// method implementation in Advanced Package Tool (APT) 1.6.x before 1.6.4 and 1.7.x before 1.7.0~alpha3 mishandles gpg signature verification for the InRelease file of a fallback mirror, aka mirrorfail.
CVE-2016-1252 2Canonical Debian 2Advanced Package Tool Ubuntu Linux May 13, 2026 Dec 5, 2017 N/A· v4 5.9 MEDIUM· v3 4.3 MEDIUM· v2 The apt package in Debian jessie before 1.0.9.8.4, in Debian unstable before 1.4~beta2, in Ubuntu 14.04 LTS before 1.0.1ubuntu2.17, in Ubuntu 16.04 LTS before 1.2.15ubuntu0.2, and in Ubuntu 16.10 before 1.3.2ubuntu0.1 al...Show more The apt package in Debian jessie before 1.0.9.8.4, in Debian unstable before 1.4~beta2, in Ubuntu 14.04 LTS before 1.0.1ubuntu2.17, in Ubuntu 16.04 LTS before 1.2.15ubuntu0.2, and in Ubuntu 16.10 before 1.3.2ubuntu0.1 allows man-in-the-middle attackers to bypass a repository-signing protection mechanism by leveraging improper error handling when validating InRelease file signatures.Show less
CVE-2014-0490 1Debian 1Advanced Package Tool May 6, 2026 Nov 3, 2014 N/A· v4 N/A· v3 7.5 HIGH· v2 The apt-get download command in APT before 1.0.9 does not properly validate signatures for packages, which allows remote attackers to execute arbitrary code via a crafted package.
CVE-2014-0489 1Debian 1Advanced Package Tool May 6, 2026 Nov 3, 2014 N/A· v4 N/A· v3 7.5 HIGH· v2 APT before 1.0.9, when the Acquire::GzipIndexes option is enabled, does not validate checksums, which allows remote attackers to execute arbitrary code via a crafted package.
CVE-2014-0488 1Debian 1Advanced Package Tool May 6, 2026 Nov 3, 2014 N/A· v4 N/A· v3 6.8 MEDIUM· v2 APT before 1.0.9 does not "invalidate repository data" when moving from an unauthenticated to authenticated state, which allows remote attackers to have unspecified impact via crafted repository data.
CVE-2014-0487 1Debian 1Advanced Package Tool May 6, 2026 Nov 3, 2014 N/A· v4 N/A· v3 7.5 HIGH· v2 APT before 1.0.9 does not verify downloaded files if they have been modified as indicated using the If-Modified-Since header, which has unspecified impact and attack vectors.
CVE-2014-7206 1Debian 2Advanced Package Tool Apt May 6, 2026 Oct 15, 2014 N/A· v4 N/A· v3 3.6 LOW· v2 The changelog command in Apt before 1.0.9.2 allows local users to write to arbitrary files via a symlink attack on the changelog file.
CVE-2014-6273 1Debian 1Advanced Package Tool May 6, 2026 Sep 30, 2014 N/A· v4 N/A· v3 6.8 MEDIUM· v2 Buffer overflow in the HTTP transport code in apt-get in APT 1.0.1 and earlier allows man-in-the-middle attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted URL.
CVE-2014-0478 1Debian 1Advanced Package Tool May 6, 2026 Jun 17, 2014 N/A· v4 N/A· v3 4.0 MEDIUM· v2 APT before 1.0.4 does not properly validate source packages, which allows man-in-the-middle attackers to download and install Trojan horse packages by removing the Release signature.
CVE-2011-3634 2Canonical Debian 2Advanced Package Tool Ubuntu Linux Apr 29, 2026 Mar 1, 2014 N/A· v4 N/A· v3 2.6 LOW· v2 methods/https.cc in apt before 0.8.11 accepts connections when the certificate host name fails validation and Verify-Host is enabled, which allows man-in-the-middle attackers to obtain repository credentials via unspecif...Show more methods/https.cc in apt before 0.8.11 accepts connections when the certificate host name fails validation and Verify-Host is enabled, which allows man-in-the-middle attackers to obtain repository credentials via unspecified vectors.Show less
CVE-2013-1051 2Canonical Debian 3Advanced Package Tool AptUbuntu Linux Apr 29, 2026 Mar 21, 2013 N/A· v4 N/A· v3 4.3 MEDIUM· v2 apt 0.8.16, 0.9.7, and possibly other versions does not properly handle InRelease files, which allows man-in-the-middle attackers to modify packages before installation via unknown vectors, possibly related to integrity...Show more apt 0.8.16, 0.9.7, and possibly other versions does not properly handle InRelease files, which allows man-in-the-middle attackers to modify packages before installation via unknown vectors, possibly related to integrity checking and the use of third-party repositories.Show less
CVE-2012-0961 1Debian 2Advanced Package Tool Apt Apr 29, 2026 Dec 26, 2012 N/A· v4 N/A· v3 2.1 LOW· v2 Apt 0.8.16~exp5ubuntu13.x before 0.8.16~exp5ubuntu13.6, 0.8.16~exp12ubuntu10.x before 0.8.16~exp12ubuntu10.7, and 0.9.7.5ubuntu5.x before 0.9.7.5ubuntu5.2, as used in Ubuntu, uses world-readable permissions for /var/log/...Show more Apt 0.8.16~exp5ubuntu13.x before 0.8.16~exp5ubuntu13.6, 0.8.16~exp12ubuntu10.x before 0.8.16~exp12ubuntu10.7, and 0.9.7.5ubuntu5.x before 0.9.7.5ubuntu5.2, as used in Ubuntu, uses world-readable permissions for /var/log/apt/term.log, which allows local users to obtain sensitive shell information by reading the log file.Show less
CVE-2012-3587 1Debian 1Advanced Package Tool Apr 29, 2026 Jun 19, 2012 N/A· v4 N/A· v3 2.6 LOW· v2 APT 0.7.x before 0.7.25 and 0.8.x before 0.8.16, when using the apt-key net-update to import keyrings, relies on GnuPG argument order and does not check GPG subkeys, which might allow remote attackers to install Trojan h...Show more APT 0.7.x before 0.7.25 and 0.8.x before 0.8.16, when using the apt-key net-update to import keyrings, relies on GnuPG argument order and does not check GPG subkeys, which might allow remote attackers to install Trojan horse packages via a man-in-the-middle (MITM) attack.Show less
CVE-2012-0954 1Debian 1Advanced Package Tool Apr 29, 2026 Jun 19, 2012 N/A· v4 N/A· v3 2.6 LOW· v2 APT 0.7.x before 0.7.25 and 0.8.x before 0.8.16, when using the apt-key net-update to import keyrings, relies on GnuPG argument order and does not check GPG subkeys, which might allow remote attackers to install altered...Show more APT 0.7.x before 0.7.25 and 0.8.x before 0.8.16, when using the apt-key net-update to import keyrings, relies on GnuPG argument order and does not check GPG subkeys, which might allow remote attackers to install altered packages via a man-in-the-middle (MITM) attack. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-3587.Show less
CVE-2011-1829 2Canonical Debian 2Advanced Package Tool Ubuntu Linux Apr 29, 2026 Jul 27, 2011 N/A· v4 N/A· v3 4.3 MEDIUM· v2 APT before 0.8.15.2 does not properly validate inline GPG signatures, which allows man-in-the-middle attackers to install modified packages via vectors involving lack of an initial clearsigned message.
CVE-2009-1358 1Debian 2Advanced Package Tool Apt Apr 23, 2026 Apr 21, 2009 N/A· v4 N/A· v3 10.0 HIGH· v2 apt-get in apt before 0.7.21 does not check for the correct error code from gpgv, which causes apt to treat a repository as valid even when it has been signed with a key that has been revoked or expired, which might allo...Show more apt-get in apt before 0.7.21 does not check for the correct error code from gpgv, which causes apt to treat a repository as valid even when it has been signed with a key that has been revoked or expired, which might allow remote attackers to trick apt into installing malicious repositories.Show less

12 Next