Your submission was sent successfully! Close

You have successfully unsubscribed! Close

CVE-2011-3374

Published: 26 November 2019

It was found that apt-key in apt, all versions, do not correctly validate gpg keys with the master keyring, leading to a potential man-in-the-middle attack.

Notes

Author	Note
sbeattie	Ubuntu specific, debian does not enable net-update. After CVE-2012-0954, net-update was disabled permanently in apt 0.9.6ubuntu3

Priority

CVSS 3 base score: 3.7

Status

Package	Release	Status
apt Launchpad, Ubuntu, Debian	upstream	Not vulnerable (net-update not enabled by debian)
	hardy	Released (0.7.9ubuntu17.3)
	lucid	Released (0.7.25.3ubuntu9.7)
	maverick	Released (0.8.3ubuntu7.2)
	natty	Released (0.8.13.2ubuntu4.2)

References

Bugs

https://bugs.launchpad.net/ubuntu/+source/apt/+bug/856489

Join the discussion

Canonical is offering Expanded Security Maintenance

Canonical is offering Ubuntu Expanded Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›

Further reading