diff mbox series

[wrynose] apt: mark CVE-2011-3374 as not-applicable-config

Message ID 20260629124712.1159-1-adongare@cisco.com
State New
Series [wrynose] apt: mark CVE-2011-3374 as not-applicable-config

Commit Message

From: Anil Dongare <adongare@cisco.com>

Details: https://security-tracker.debian.org/tracker/CVE-2011-3374

CVE-2011-3374 describes a design flaw in the legacy apt-key trust model.

This does not apply to the current apt recipe in OE-Core because it uses
Debian vendor configuration. The Debian security tracker notes this issue is not
exploitable in Debian since no keyring URI is defined for the apt-key
net-update path.

Mark this CVE as not-applicable-config for the recipe. This is a
configuration-based status, not a fixed-version status.

Signed-off-by: Anil Dongare <adongare@cisco.com>
---
 meta/recipes-devtools/apt/apt_3.0.3.bb | 4 ++++
 1 file changed, 4 insertions(+)

Patch

diff --git a/meta/recipes-devtools/apt/apt_3.0.3.bb b/meta/recipes-devtools/apt/apt_3.0.3.bb
index 08b6bac2e4..03da3fbcf1 100644
--- a/meta/recipes-devtools/apt/apt_3.0.3.bb
+++ b/meta/recipes-devtools/apt/apt_3.0.3.bb
@@ -34,6 +34,10 @@  UPSTREAM_CHECK_URI = "${DEBIAN_MIRROR}/main/a/apt/"
 # to express 'divisible by 4 plus 2' in regex (that I know of), let's hardcode a few.
 UPSTREAM_CHECK_REGEX = "[^\d\.](?P<pver>((2\.2)|(2\.6)|(3\.0)|(3\.4)|(3\.8)|(4\.2))(\.\d+)+)\.tar"
 
+# Not applicable: this OE-Core apt recipe uses Debian vendor configuration,
+# which does not define a keyring URI for the apt-key net-update path.
+CVE_STATUS[CVE-2011-3374] = "not-applicable-config: OE-Core apt uses Debian vendor configuration, which defines no keyring URI for the apt-key net-update path"
+
 inherit cmake perlnative bash-completion useradd
 
 # User is added to allow apt to drop privs, will runtime warn without
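Review bot: the two-line comment added directly above the CVE_STATUS assignment restates the reason string word for word, so the same justification now has to be kept in sync in two places; either drop the comment (the reason inside CVE_STATUS is what cve-check carries into its report) or reduce it to a pointer to the tracker URL given in the commit message. A second point on the same hunk: the reason asserts that this recipe "uses Debian vendor configuration", but nothing in the hunk shows where that choice is made in apt_3.0.3.bb; naming the recipe setting or build option that selects the Debian vendor config would let a reviewer verify the claim from the diff and makes it obvious what to re-check when the recipe is next upgraded, since a not-applicable-config status is only as durable as the configuration it depends on.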