CVE-2011-3634

NameCVE-2011-3634
Descriptionmethods/https.cc in apt before 0.8.11 accepts connections when the certificate host name fails validation and Verify-Host is enabled, which allows man-in-the-middle attackers to obtain repository credentials via unspecified vectors.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-0005-1
NVD severitylow

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
apt (PTS)stretch1.4.10fixed
stretch (security)1.4.11fixed
buster, buster (security)1.8.2.2fixed
bullseye2.2.3fixed
sid2.2.4fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
aptsourcesqueeze0.8.10.3+squeeze2
aptsource(unstable)0.8.11low

Notes

Minor issue, apt is only affected if apt-transport-https is installed
http://bazaar.launchpad.net/~donkult/apt/sid/revision/2053.1.28
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/868353

Search for package or bug name: Reporting problems