On Fri Jun 12, 2026 at 2:29 PM CEST, Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) via lists.openembedded.org wrote:
> From: Anil Dongare <[email protected]>
>
> Details: https://security-tracker.debian.org/tracker/CVE-2011-3374
>
> The vulnerability is a design-level flaw in the legacy apt-key utility
> regarding the global trust model of GPG keys.
>
> This is marked as not-applicable-config because apt-key net-update is
> disabled by default, and Debian vendor configuration does not define the
> archive keyring URI required to use that path. Ignore this CVE in this
> recipe due to this configuration.
>
> Signed-off-by: Anil Dongare <[email protected]>
> ---
Hello,

"Fix" in the commit is a bit misleading. How about "mark CVE-2011-3374 as not-applicable"?

Also, please add a justification for "apt-key net-update is disabled by default".
In this case, the commit:
Use sq in the test suite, remove apt-key
https://salsa.debian.org/apt-team/apt/-/commit/a00fbbdb2
is present since 2.9.19.

Finally, in this case, the "fixed-version" CVE_STATUS might be more appropriate.
(Maybe reflect the new status in the patch title.)

Thanks!

> meta/recipes-devtools/apt/apt_3.0.3.bb | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/meta/recipes-devtools/apt/apt_3.0.3.bb
> b/meta/recipes-devtools/apt/apt_3.0.3.bb
> index 08b6bac2e4..ad75f3b32a 100644
> --- a/meta/recipes-devtools/apt/apt_3.0.3.bb
> +++ b/meta/recipes-devtools/apt/apt_3.0.3.bb
> @@ -34,6 +34,9 @@ UPSTREAM_CHECK_URI = "${DEBIAN_MIRROR}/main/a/apt/"
> # to express 'divisible by 4 plus 2' in regex (that I know of), let's
> hardcode a few.
> UPSTREAM_CHECK_REGEX =
> "[^\d\.](?P<pver>((2\.2)|(2\.6)|(3\.0)|(3\.4)|(3\.8)|(4\.2))(\.\d+)+)\.tar"
>
> +# Not applicable: Debian vendor configuration does not enable apt-key
> net-update.
> +CVE_STATUS[CVE-2011-3374] = "not-applicable-config: apt-key net-update is
> disabled by default and Debian vendor configuration has no archive keyring
> URI"
> +
> inherit cmake perlnative bash-completion useradd
>
> # User is added to allow apt to drop privs, will runtime warn without

-- 
Yoann Congal
Smile ECS
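Review bot: the justification string on the `+CVE_STATUS[CVE-2011-3374]` line asserts a runtime configuration ("apt-key net-update is disabled by default and Debian vendor configuration has no archive keyring URI") that nothing in this recipe sets or checks, so a reviewer cannot verify the claim from the patch itself. Given the reply above that apt-key was removed upstream by the salsa commit present since 2.9.19, and that this recipe builds apt 3.0.3 (`apt_3.0.3.bb`), a status that points at that upstream change is the verifiable justification, e.g. `CVE_STATUS[CVE-2011-3374] = "fixed-version: apt-key was removed upstream in 2.9.19"`. The `+# Not applicable:` comment line duplicates the status string and would need the same wording change, and the commit subject should then say "mark ... as fixed-version" rather than "Fix", as suggested above.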
