APT is a command line package management tool which understands collections or "repositories" and is able to find the packages needed to satisfy inter-package dependencies.
It was discovered that APT, the high level package manager, does not properly invalidate unauthenticated data (CVE-2014-0488), performs incorrect verification of 304 replies (CVE-2014-0487), does not perform the checksum check when the Acquire::GzipIndexes option is used (CVE-2014-0489) and does not properly perform validation for binary packages downloaded by the apt-get download command (CVE-2014-0490).
The apt-get download command in APT before 1.0.9 does not properly validate signatures for packages, which allows remote attackers to execute arbitrary code via a crafted package.
APT before 1.0.9, when the Acquire::GzipIndexes option is enabled, does not validate checksums, which allows remote attackers to execute arbitrary code via a crafted package.
APT before 1.0.9 does not "invalidate repository data" when moving from an unauthenticated to authenticated state, which allows remote attackers to have unspecified impact via crafted repository data.
APT before 1.0.9 does not verify downloaded files if they have been modified as indicated using the If-Modified-Since header, which has unspecified impact and attack vectors.
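The checksum step the advisory says is skipped when Acquire::GzipIndexes is enabled is the comparison of a downloaded index against the digests listed in the repository's Release file. The following Python block is an added example (not apt's own code): it parses the SHA256 section of a constructed Release body, then verifies a compressed Packages.gz either as the compressed bytes or, after decompression, against the entry for the uncompressed file, rejecting anything that matches neither. All paths and digests below are constructed for the example.

```python
import gzip
import hashlib
import hmac
import zlib

# Constructed sample index (not from a real archive).
PACKAGES_TEXT = (
    "Package: example-tool\n"
    "Version: 1.0-1\n"
    "Architecture: amd64\n"
    "Filename: pool/main/e/example-tool/example-tool_1.0-1_amd64.deb\n"
    "\n"
)
PACKAGES_GZ = gzip.compress(PACKAGES_TEXT.encode(), mtime=0)


def build_release(files):
    """Constructed Release body with a SHA256 field in the ' digest size path' layout."""
    lines = ["Origin: Example", "Suite: stable", "SHA256:"]
    for path, data in files.items():
        lines.append(" %s %d %s" % (hashlib.sha256(data).hexdigest(), len(data), path))
    return "\n".join(lines) + "\n"


RELEASE_TEXT = build_release({
    "main/binary-amd64/Packages": PACKAGES_TEXT.encode(),
    "main/binary-amd64/Packages.gz": PACKAGES_GZ,
})


def parse_release_sha256(release_text):
    """Return {path: (sha256_hex, size)} from the SHA256 field of a Release file.

    Fields are 'Name:' lines; a multi-line field's continuation lines start
    with a single space. Only the SHA256 field is collected here.
    """
    entries = {}
    in_sha256 = False
    for line in release_text.splitlines():
        if not line.startswith(" "):
            in_sha256 = line.strip() == "SHA256:"
            continue
        if in_sha256:
            parts = line.split()
            if len(parts) == 3:
                digest, size, path = parts
                entries[path] = (digest.lower(), int(size))
    return entries


def verify_blob(entries, path, data):
    """True iff both the size and the SHA256 of data match the Release entry for path."""
    if path not in entries:
        return False
    expected_digest, expected_size = entries[path]
    if len(data) != expected_size:
        return False
    actual_digest = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual_digest, expected_digest)


def verify_gzip_index(entries, gz_path, gz_data):
    """Verify a compressed index that is kept on disk as-is (the GzipIndexes case).

    The compressed bytes must match the '.gz' entry; failing that, the
    decompressed bytes must match the entry for the uncompressed name. A blob
    matching neither is rejected.
    """
    if verify_blob(entries, gz_path, gz_data):
        return True
    if not gz_path.endswith(".gz"):
        return False
    try:
        plain = gzip.decompress(gz_data)
    except (OSError, EOFError, zlib.error):
        return False
    return verify_blob(entries, gz_path[:-3], plain)


if __name__ == "__main__":
    entries = parse_release_sha256(RELEASE_TEXT)
    gz_path = "main/binary-amd64/Packages.gz"
    print("genuine Packages.gz:", verify_gzip_index(entries, gz_path, PACKAGES_GZ))
    tampered = gzip.compress(PACKAGES_TEXT.replace("1.0-1", "0.9-1").encode(), mtime=0)
    print("tampered Packages.gz:", verify_gzip_index(entries, gz_path, tampered))
```

The size check runs before hashing so an oversized blob is rejected cheaply, and the digest comparison uses hmac.compare_digest rather than `==`. Note that this only checks integrity against the Release file; in a real client the Release file itself must first be authenticated by its signature, which is the separate step CVE-2014-0490 concerns for apt-get download.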
Ubuntu Update Instructions
The problem can be corrected by updating your system to the following package version:
Ubuntu 14.04 LTS:
1.0.1ubuntu2.3 -> https://launchpad.net/ubuntu/+source/apt/1.0.1ubuntu2.3
Ubuntu 12.04 LTS:
0.8.16~exp12ubuntu10.19 -> https://launchpad.net/ubuntu/+source/apt/0.8.16~exp12ubuntu10.19
Ubuntu 10.04 LTS:
0.7.25.3ubuntu9.16 -> https://launchpad.net/ubuntu/+source/apt/0.7.25.3ubuntu9.16
To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.
In general, a standard system update will make all the necessary changes.
Debian Update Instructions
For the stable distribution (wheezy), these problems have been fixed in version 0.9.7.9+deb7u3.
For the unstable distribution (sid), these problems have been fixed in version 1.0.9.