From: Anil Dongare <[email protected]>

Details: https://security-tracker.debian.org/tracker/CVE-2011-3374

The vulnerability is a design-level flaw in the legacy apt-key utility regarding
the global trust model of GPG keys.

This is marked as not-applicable-config because apt-key net-update is
disabled by default, and Debian vendor configuration does not define the
archive keyring URI required to use that path. Ignore this CVE in this
recipe due to this configuration.

Signed-off-by: Anil Dongare <[email protected]>
---
 meta/recipes-devtools/apt/apt_3.0.3.bb | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/meta/recipes-devtools/apt/apt_3.0.3.bb 
b/meta/recipes-devtools/apt/apt_3.0.3.bb
index 08b6bac2e4..ad75f3b32a 100644
--- a/meta/recipes-devtools/apt/apt_3.0.3.bb
+++ b/meta/recipes-devtools/apt/apt_3.0.3.bb
@@ -34,6 +34,9 @@ UPSTREAM_CHECK_URI = "${DEBIAN_MIRROR}/main/a/apt/"
 # to express 'divisible by 4 plus 2' in regex (that I know of), let's hardcode 
a few.
 UPSTREAM_CHECK_REGEX = 
"[^\d\.](?P<pver>((2\.2)|(2\.6)|(3\.0)|(3\.4)|(3\.8)|(4\.2))(\.\d+)+)\.tar"
 
+# Not applicable: Debian vendor configuration does not enable apt-key 
net-update.
+CVE_STATUS[CVE-2011-3374] = "not-applicable-config: apt-key net-update is 
disabled by default and Debian vendor configuration has no archive keyring URI"
+
 inherit cmake perlnative bash-completion useradd
 
 # User is added to allow apt to drop privs, will runtime warn without
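Review bot: The justification in the CVE_STATUS line ties non-applicability to "Debian vendor configuration", but this recipe builds apt for OpenEmbedded targets, so the comment and status string should state which vendor configuration the recipe actually builds with (the one that leaves the archive keyring URI undefined), otherwise the exclusion reads as a statement about Debian rather than about the packaged binary. Consider also folding the duplicated `# Not applicable: ...` comment into the status string, or replacing the comment with the tracker URL from the commit message (https://security-tracker.debian.org/tracker/CVE-2011-3374) so the reasoning behind `not-applicable-config` is traceable from the recipe itself.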
-- 
2.51.0

View/Reply Online (#238615): https://lists.openembedded.org/g/openembedded-core/message/238615