
[scarthgap] apt: CVE-2011-3374

Message ID 20260601134048.45729-1-adongare@cisco.com
State Under Review
Delegated to: Yoann Congal
Series [scarthgap] apt: CVE-2011-3374

Commit Message

From: Anil Dongare <adongare@cisco.com>

Details: https://security-tracker.debian.org/tracker/CVE-2011-3374

The vulnerability is a design-level flaw in the legacy apt-key utility regarding
the global trust model of GPG keys.

This is marked as not-applicable-config because apt-key net-update is
disabled by default, and Debian vendor configuration does not define the
archive keyring URI required to use that path. Ignore this CVE in this
recipe due to this configuration.

Signed-off-by: Anil Dongare <adongare@cisco.com>
---
 meta/recipes-devtools/apt/apt_2.6.1.bb | 3 +++
 1 file changed, 3 insertions(+)

Patch

diff --git a/meta/recipes-devtools/apt/apt_2.6.1.bb b/meta/recipes-devtools/apt/apt_2.6.1.bb
index 12915660b0..8b48de3498 100644
--- a/meta/recipes-devtools/apt/apt_2.6.1.bb
+++ b/meta/recipes-devtools/apt/apt_2.6.1.bb
@@ -38,6 +38,9 @@  UPSTREAM_CHECK_URI = "${DEBIAN_MIRROR}/main/a/apt/"
 # to express 'divisible by 4 plus 2' in regex (that I know of), let's hardcode a few.
 UPSTREAM_CHECK_REGEX = "[^\d\.](?P<pver>((2\.2)|(2\.6)|(3\.0)|(3\.4)|(3\.8)|(4\.2))(\.\d+)+)\.tar"
 
+# Not applicable: Debian vendor configuration does not enable apt-key net-update.
+CVE_STATUS[CVE-2011-3374] = "not-applicable-config: apt-key net-update is disabled by default and Debian vendor configuration has no archive keyring URI"
+
 inherit cmake perlnative bash-completion useradd
 
 # User is added to allow apt to drop privs, will runtime warn without
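Review bot: the not-applicable-config rationale on the CVE_STATUS line rests on "Debian vendor configuration", but nothing in this hunk shows which vendor configuration the scarthgap apt_2.6.1 build actually selects or that the built apt-key lacks an archive keyring URI; the justification should name the recipe-side setting (the vendor selection or apt.conf fragment) that leaves apt-key net-update unusable so a later reviewer can re-check it without consulting Debian's tracker. The comment above the CVE_STATUS line restates the status text word for word; either drop the comment or make it carry something the status string does not, such as the tracker URL already cited in the commit message. Also consider trimming the status description to one clause, e.g. "not-applicable-config: apt-key net-update is disabled and no archive keyring URI is configured", since the free-text part is what cve-check reports.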