From: Anil Dongare <[email protected]>

Details: https://security-tracker.debian.org/tracker/CVE-2011-3374

CVE-2011-3374 describes a design flaw in the legacy apt-key trust model.

This does not apply to the current apt recipe in OE-Core because it uses
Debian vendor configuration. Debian security tracker notes this issue is not
exploitable in Debian since no keyring URI is defined for the apt-key
net-update path.

Mark this CVE as not-applicable-config for the recipe. This is a
configuration-based status, not a fixed-version status.

Signed-off-by: Anil Dongare <[email protected]>
---
 meta/recipes-devtools/apt/apt_3.0.3.bb | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/meta/recipes-devtools/apt/apt_3.0.3.bb 
b/meta/recipes-devtools/apt/apt_3.0.3.bb
index 08b6bac2e4..03da3fbcf1 100644
--- a/meta/recipes-devtools/apt/apt_3.0.3.bb
+++ b/meta/recipes-devtools/apt/apt_3.0.3.bb
@@ -34,6 +34,10 @@ UPSTREAM_CHECK_URI = "${DEBIAN_MIRROR}/main/a/apt/"
 # to express 'divisible by 4 plus 2' in regex (that I know of), let's hardcode 
a few.
 UPSTREAM_CHECK_REGEX = 
"[^\d\.](?P<pver>((2\.2)|(2\.6)|(3\.0)|(3\.4)|(3\.8)|(4\.2))(\.\d+)+)\.tar"
 
+# Not applicable: this OE-Core apt recipe uses Debian vendor configuration,
+# which does not define a keyring URI for the apt-key net-update path.
+CVE_STATUS[CVE-2011-3374] = "not-applicable-config: OE-Core apt uses Debian 
vendor configuration, which defines no keyring URI for the apt-key net-update 
path"
+
 inherit cmake perlnative bash-completion useradd
 
 # User is added to allow apt to drop privs, will runtime warn without
-- 
2.44.4

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#239773): 
https://lists.openembedded.org/g/openembedded-core/message/239773
Mute This Topic: https://lists.openembedded.org/mt/120029446/21656
Group Owner: [email protected]
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-

  • ... Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) via lists.openembedded.org
    • ... Yoann Congal via lists.openembedded.org

Reply via email to