APT before 1.0.9, when the Acquire::GzipIndexes option is enabled, does not validate checksums, which allows remote attackers to execute arbitrary code via a crafted package.
{ "availability": "No subscription required", "ubuntu_priority": "medium", "binaries": [ { "binary_version": "1.0.1ubuntu2.3", "binary_name": "apt" }, { "binary_version": "1.0.1ubuntu2.3", "binary_name": "apt-doc" }, { "binary_version": "1.0.1ubuntu2.3", "binary_name": "apt-transport-https" }, { "binary_version": "1.0.1ubuntu2.3", "binary_name": "apt-utils" }, { "binary_version": "1.0.1ubuntu2.3", "binary_name": "libapt-inst1.5" }, { "binary_version": "1.0.1ubuntu2.3", "binary_name": "libapt-pkg-dev" }, { "binary_version": "1.0.1ubuntu2.3", "binary_name": "libapt-pkg-doc" }, { "binary_version": "1.0.1ubuntu2.3", "binary_name": "libapt-pkg4.12" } ] }