CVE-2011-3374

Publication date 26 November 2019

Last updated 24 July 2024

Ubuntu priority

Critical

Why this priority?

Cvss 3 Severity Score

3.7 · Low

Score breakdown

It was found that apt-key in apt, all versions, do not correctly validate gpg keys with the master keyring, leading to a potential man-in-the-middle attack.

Read the notes from the security team

Status

No maintained releases are affected by this CVE.

Package Ubuntu Release Status
apt 11.04 natty
Fixed 0.8.13.2ubuntu4.2
10.10 maverick
Fixed 0.8.3ubuntu7.2
10.04 LTS lucid
Fixed 0.7.25.3ubuntu9.7
8.04 LTS hardy
Fixed 0.7.9ubuntu17.3

Notes

sbeattie

Ubuntu specific, debian does not enable net-update. After CVE-2012-0954, net-update was disabled permanently in apt 0.9.6ubuntu3

Severity score breakdown

Parameter Value
Base score 3.7 · Low
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Scope Unchanged
Confidentiality None
Integrity impact Low
Availability impact None
Vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N