On Mon Jun 29, 2026 at 2:45 PM CEST, Anil Dongare -X (adongare - E INFOCHIPS 
PRIVATE LIMITED at Cisco) via lists.openembedded.org wrote:
> From: Anil Dongare <[email protected]>

Hello,

> Details: https://security-tracker.debian.org/tracker/CVE-2011-3374
>
> CVE-2011-3374 describes a design flaw in the legacy apt-key trust model.
>
> This does not apply to the current apt recipe in OE-Core because it uses
> Debian vendor configuration. Debian security tracker notes this issue is not
> exploitable in Debian since no keyring URI is defined for the apt-key
> net-update path.
>
> Mark this CVE as not-applicable-config for the recipe. This is a
> configuration-based status, not a fixed-version status.
Why? I tend to disagree. To me, it should be a "fixed-version" because
the impacted code was simply removed, no configuration can bring the
vulnerability back!

(I'm trying to avoid users having to confirm they are not impacted in
their configuration)

This quote of my review of V1 still apply: 
https://lore.kernel.org/openembedded-core/[email protected]/:
|Also, please add a justification for
|"apt-key net-update is disabled by default"
|In this case, the commit:
|  Use sq in the test suite, remove apt-key
|  https://salsa.debian.org/apt-team/apt/-/commit/a00fbbdb2
|is present since 2.9.19.
|
|Finally, in this case, the "fixed-version" CVE_STATUS might be more
|appropriate. (Maybe reflect the new status in the patch title)

>
> Signed-off-by: Anil Dongare <[email protected]>
> ---
>  meta/recipes-devtools/apt/apt_3.0.3.bb | 4 ++++
>  1 file changed, 4 insertions(+)
>
> diff --git a/meta/recipes-devtools/apt/apt_3.0.3.bb 
> b/meta/recipes-devtools/apt/apt_3.0.3.bb
> index 08b6bac2e4..03da3fbcf1 100644
> --- a/meta/recipes-devtools/apt/apt_3.0.3.bb
> +++ b/meta/recipes-devtools/apt/apt_3.0.3.bb
> @@ -34,6 +34,10 @@ UPSTREAM_CHECK_URI = "${DEBIAN_MIRROR}/main/a/apt/"
>  # to express 'divisible by 4 plus 2' in regex (that I know of), let's 
> hardcode a few.
>  UPSTREAM_CHECK_REGEX = 
> "[^\d\.](?P<pver>((2\.2)|(2\.6)|(3\.0)|(3\.4)|(3\.8)|(4\.2))(\.\d+)+)\.tar"
>  
> +# Not applicable: this OE-Core apt recipe uses Debian vendor configuration,
> +# which does not define a keyring URI for the apt-key net-update path.
> +CVE_STATUS[CVE-2011-3374] = "not-applicable-config: OE-Core apt uses Debian 
> vendor configuration, which defines no keyring URI for the apt-key net-update 
> path"
I still disagree with "not-applicable-config:" here. I think it should
be "fixed-version:" (with an updated justification)

> +
>  inherit cmake perlnative bash-completion useradd
>  
>  # User is added to allow apt to drop privs, will runtime warn without

Regards,
-- 
Yoann Congal
Smile ECS

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#240056): 
https://lists.openembedded.org/g/openembedded-core/message/240056
Mute This Topic: https://lists.openembedded.org/mt/120029427/21656
Group Owner: [email protected]
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-

  • ... Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) via lists.openembedded.org
    • ... Yoann Congal via lists.openembedded.org

Reply via email to