Improper input validation in Debian Advanced_package_tool

CVE-2014-0489

APT before 1.0.9, when the Acquire::GzipIndexes option is enabled, does not validate checksums, which allows remote attackers to execute arbitrary code via a crafted package.

Vulnerability class: Drupalgeddon 2 (CVE-2018-7600)

EPSS: 0.036 (88.0th percentile) — read the EPSS interpretation.

Affected products

Debian Advanced_package_tool — versions 1.0.3, 1.0.5, 1.0.7
N/a — versions n/a

Weakness classification (CWE)

CWE-20 — Improper Input Validation

References

security@debian.org (x_refsource_SECUNIA, third-party-advisory)
security@debian.org (x_refsource_SECUNIA, third-party-advisory)
security@debian.org (x_refsource_UBUNTU, vendor-advisory, Patch, Vendor Advisory)
security@debian.org (vendor-advisory, x_refsource_DEBIAN, Vendor Advisory)