The apt-get download command in APT before 1.0.9 does not properly validate signatures for packages, which allows remote attackers to execute arbitrary code via a crafted package.
{ "availability": "No subscription required", "binaries": [ { "binary_name": "apt", "binary_version": "1.0.1ubuntu2.3" }, { "binary_name": "apt-doc", "binary_version": "1.0.1ubuntu2.3" }, { "binary_name": "apt-transport-https", "binary_version": "1.0.1ubuntu2.3" }, { "binary_name": "apt-utils", "binary_version": "1.0.1ubuntu2.3" }, { "binary_name": "libapt-inst1.5", "binary_version": "1.0.1ubuntu2.3" }, { "binary_name": "libapt-pkg-dev", "binary_version": "1.0.1ubuntu2.3" }, { "binary_name": "libapt-pkg-doc", "binary_version": "1.0.1ubuntu2.3" }, { "binary_name": "libapt-pkg4.12", "binary_version": "1.0.1ubuntu2.3" } ], "ubuntu_priority": "medium" }