Debian Apt vulnerabilities
5 known vulnerabilities affecting debian/apt.
Total CVEs: 5
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 1, MEDIUM 2, LOW 2
Vulnerabilities
CVE-2020-3810 [MEDIUM] CWE-20; CVSS 5.5; fixed in 2.1.2; before 2.1.2; 2020-05-15
Missing input validation in the ar/tar implementations of APT before version 2.1.2 could result in denial of service when processing specially crafted deb files.
cvelistv5, nvd
CVE-2014-7206 [LOW] CWE-59; CVSS 3.6; v0.9.7.9, v1.0.9; 2014-10-15
The changelog command in Apt before 1.0.9.2 allows local users to write to arbitrary files via a symlink attack on the changelog file.
nvd
CVE-2013-1051 [MEDIUM] CWE-20; CVSS 4.3; v0.9.7; 2013-03-21
apt 0.8.16, 0.9.7, and possibly other versions does not properly handle InRelease files, which allows man-in-the-middle attackers to modify packages before installation via unknown vectors, possibly related to integrity checking and the use of third-party repositories.
nvd
CVE-2012-0961 [LOW] CWE-200; CVSS 2.1; v0.9.7; 2012-12-26
Apt 0.8.16~exp5ubuntu13.x before 0.8.16~exp5ubuntu13.6, 0.8.16~exp12ubuntu10.x before 0.8.16~exp12ubuntu10.7, and 0.9.7.5ubuntu5.x before 0.9.7.5ubuntu5.2, as used in Ubuntu, uses world-readable permissions for /var/log/apt/term.log, which allows local users to obtain sensitive shell information by reading the log file.
nvd
CVE-2009-1358 [CRITICAL]; CVSS 10.0; v0.0.1, v0.0.2, +145 more; 2009-04-21
apt-get in apt before 0.7.21 does not check for the correct error code from gpgv, which causes apt to treat a repository as valid even when it has been signed with a key that has been revoked or expired, which might allow remote attackers to trick apt into installing malicious repositories.
nvd