CVE-2011-3634

NameCVE-2011-3634
Descriptionmethods/https.cc in apt before 0.8.11 accepts connections when the certificate host name fails validation and Verify-Host is enabled, which allows man-in-the-middle attackers to obtain repository credentials via unspecified vectors.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-0005-1
NVD severitylow (attack range: remote)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
apt (PTS)jessie (security), jessie1.0.9.8.4fixed
stretch1.4.8fixed
buster, sid1.7.0fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
aptsource(unstable)0.8.11low
aptsourcesqueeze0.8.10.3+squeeze2low

Notes

Minor issue, apt is only affected if apt-transport-https is installed
http://bazaar.launchpad.net/~donkult/apt/sid/revision/2053.1.28
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/868353

Search for package or bug name: Reporting problems