APT before 1.0.9, when the Acquire::GzipIndexes option is enabled, does not validate checksums, which allows remote attackers to execute arbitrary code via a crafted package.Referenceshttp://secunia.com/advisories/61286http://secunia.com/advisories/61275http://ubuntu.com/usn/usn-2348-1http://www.debian.org/security/2014/dsa-3025
