Hello Anil,

It seems this CVE is not fixed upstream, so the not-applicable tag must also be applied to master and wrynose.
Please submit patches for those two branches and then ping here.

Thanks a lot,
Jeremy

On Mon Jun 1, 2026 at 3:40 PM CEST, Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) via lists.openembedded.org wrote:
> From: Anil Dongare <[email protected]> > > Details: https://security-tracker.debian.org/tracker/CVE-2011-3374 > > The vulnerability is a design-level flaw in the legacy apt-key utility > regarding > the global trust model of GPG keys. > > This is marked as not-applicable-config because apt-key net-update is > disabled by default, and Debian vendor configuration does not define the > archive keyring URI required to use that path. Ignore this CVE in this > recipe due to this configuration. > > Signed-off-by: Anil Dongare <[email protected]> > --- > meta/recipes-devtools/apt/apt_2.6.1.bb | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/meta/recipes-devtools/apt/apt_2.6.1.bb > b/meta/recipes-devtools/apt/apt_2.6.1.bb > index 12915660b0..8b48de3498 100644 > --- a/meta/recipes-devtools/apt/apt_2.6.1.bb > +++ b/meta/recipes-devtools/apt/apt_2.6.1.bb > @@ -38,6 +38,9 @@ UPSTREAM_CHECK_URI = "${DEBIAN_MIRROR}/main/a/apt/" > # to express 'divisible by 4 plus 2' in regex (that I know of), let's > hardcode a few. > UPSTREAM_CHECK_REGEX = > "[^\d\.](?P<pver>((2\.2)|(2\.6)|(3\.0)|(3\.4)|(3\.8)|(4\.2))(\.\d+)+)\.tar" > > +# Not applicable: Debian vendor configuration does not enable apt-key > net-update. > +CVE_STATUS[CVE-2011-3374] = "not-applicable-config: apt-key net-update is > disabled by default and Debian vendor configuration has no archive keyring > URI" > + > inherit cmake perlnative bash-completion useradd > > # User is added to allow apt to drop privs, will runtime warn without
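
Review bot: The comment added above CVE_STATUS[CVE-2011-3374] in apt_2.6.1.bb restates only the first half of the status string (net-update not enabled) and omits the second reason (no archive keyring URI), so the two justifications can drift apart over time. I would either drop the comment or replace it with the reference given in the commit message, https://security-tracker.debian.org/tracker/CVE-2011-3374, so the reasoning can be checked from the recipe itself. Because the status rests on a configuration default rather than a code fix, the comment is also the place to state what would invalidate it: a vendor configuration that defines the archive keyring URI.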
