Package Signature Validation Flaw in APT by Debian
CVE-2014-0490
Currently unrated
Summary
The apt-get download command in APT prior to version 1.0.9 does not adequately verify the signatures of downloaded packages. An attacker can therefore craft and distribute a compromised package that executes arbitrary code on the target system when it is installed. Users and administrators should update their APT installations to mitigate this vulnerability.