From: Anil Dongare <[email protected]> Details: https://security-tracker.debian.org/tracker/CVE-2011-3374
CVE-2011-3374 describes a design flaw in the legacy apt-key trust model. This does not apply to the current apt recipe in OE-Core because it uses Debian vendor configuration. Debian security tracker notes this issue is not exploitable in Debian since no keyring URI is defined for the apt-key net-update path. Mark this CVE as not-applicable-config for the recipe. This is a configuration-based status, not a fixed-version status. Signed-off-by: Anil Dongare <[email protected]> --- meta/recipes-devtools/apt/apt_3.0.3.bb | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/meta/recipes-devtools/apt/apt_3.0.3.bb b/meta/recipes-devtools/apt/apt_3.0.3.bb index 08b6bac2e4..03da3fbcf1 100644 --- a/meta/recipes-devtools/apt/apt_3.0.3.bb +++ b/meta/recipes-devtools/apt/apt_3.0.3.bb @@ -34,6 +34,10 @@ UPSTREAM_CHECK_URI = "${DEBIAN_MIRROR}/main/a/apt/" # to express 'divisible by 4 plus 2' in regex (that I know of), let's hardcode a few. UPSTREAM_CHECK_REGEX = "[^\d\.](?P<pver>((2\.2)|(2\.6)|(3\.0)|(3\.4)|(3\.8)|(4\.2))(\.\d+)+)\.tar" +# Not applicable: this OE-Core apt recipe uses Debian vendor configuration, +# which does not define a keyring URI for the apt-key net-update path. +CVE_STATUS[CVE-2011-3374] = "not-applicable-config: OE-Core apt uses Debian vendor configuration, which defines no keyring URI for the apt-key net-update path" + inherit cmake perlnative bash-completion useradd # User is added to allow apt to drop privs, will runtime warn without -- 2.44.4
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#239772): https://lists.openembedded.org/g/openembedded-core/message/239772 Mute This Topic: https://lists.openembedded.org/mt/120029427/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
