CVE-2011-3374

Publication date 26 November 2019

Last updated 25 August 2025

Ubuntu priority

Critical

Why this priority?

Cvss 3 Severity Score

3.7 · Low

Score breakdown

Description

It was found that apt-key in apt, all versions, do not correctly validate gpg keys with the master keyring, leading to a potential man-in-the-middle attack.

Read the notes from the security team

Status

Package Ubuntu Release Status
apt 11.04 natty
Fixed 0.8.13.2ubuntu4.2
10.10 maverick
Fixed 0.8.3ubuntu7.2
10.04 LTS lucid
Fixed 0.7.25.3ubuntu9.7
8.04 LTS hardy
Fixed 0.7.9ubuntu17.3

Notes

sbeattie

Ubuntu specific, debian does not enable net-update. After CVE-2012-0954, net-update was disabled permanently in apt 0.9.6ubuntu3

Severity score breakdown

CVSS version: CVSS v3.0

Base score 3.7 · Low

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

References

Other references

Access our resources on patching vulnerabilities