Advanced package tool

This hub aggregates every CVE we track for Advanced package tool, a product in the operating systems space. Use it to gauge the current risk picture and drill into individual advisories.

Severity distribution

Monthly trend

The 15 most recently published vulnerabilities affecting Advanced package tool.

• CVE-2020-27351Various memory and file descriptor leaks in apt-python2.0Dec 10, 2020
• CVE-2020-27350apt integer wraparound5.7Dec 10, 2020
• CVE-2011-3374It was found that apt-key in apt, all versions, do not correctly validate gpg keys with the master keyring, leading to a potential man-in-the-middle attack.3.7Nov 25, 2019
• CVE-2019-3462Incorrect sanitation of the 302 redirect field in HTTP transport method of apt versions 1.4.8 and earlier can lead to content injection by a MITM attacker, potentially leading to remote code execut...8.1Jan 28, 2019
• CVE-2018-0501The mirror:// method implementation in Advanced Package Tool (APT) 1.6.x before 1.6.4 and 1.7.x before 1.7.0~alpha3 mishandles gpg signature verification for the InRelease file of a fallback mirror...5.9Aug 21, 2018
• CVE-2016-1252The apt package in Debian jessie before 1.0.9.8.4, in Debian unstable before 1.4~beta2, in Ubuntu 14.04 LTS before 1.0.1ubuntu2.17, in Ubuntu 16.04 LTS before 1.2.15ubuntu0.2, and in Ubuntu 16.10 b...5.9Dec 5, 2017
• CVE-2014-0490The apt-get download command in APT before 1.0.9 does not properly validate signatures for packages, which allows remote attackers to execute arbitrary code via a crafted package.7.5Nov 3, 2014
• CVE-2014-0489APT before 1.0.9, when the Acquire::GzipIndexes option is enabled, does not validate checksums, which allows remote attackers to execute arbitrary code via a crafted package.7.5Nov 3, 2014
• CVE-2014-0488APT before 1.0.9 does not "invalidate repository data" when moving from an unauthenticated to authenticated state, which allows remote attackers to have unspecified impact via crafted repository data.6.8Nov 3, 2014
• CVE-2014-0487APT before 1.0.9 does not verify downloaded files if they have been modified as indicated using the If-Modified-Since header, which has unspecified impact and attack vectors.7.5Nov 3, 2014
• CVE-2014-7206The changelog command in Apt before 1.0.9.2 allows local users to write to arbitrary files via a symlink attack on the changelog file.3.6Oct 15, 2014
• CVE-2014-6273Buffer overflow in the HTTP transport code in apt-get in APT 1.0.1 and earlier allows man-in-the-middle attackers to cause a denial of service (crash) or possibly execute arbitrary code via a craft...6.8Sep 30, 2014
• CVE-2014-0478APT before 1.0.4 does not properly validate source packages, which allows man-in-the-middle attackers to download and install Trojan horse packages by removing the Release signature.4.0Jun 17, 2014
• CVE-2012-0214The pkgAcqMetaClearSig::Failed method in apt-pkg/acquire-item.cc in Advanced Package Tool (APT) 0.8.11 through 0.8.15.10 and 0.8.16 before 0.8.16~exp13, when updating from repositories that use InR...4.3Apr 15, 2014
• CVE-2011-3634methods/https.cc in apt before 0.8.11 accepts connections when the certificate host name fails validation and Verify-Host is enabled, which allows man-in-the-middle attackers to obtain repository c...2.6Feb 28, 2014