CVE-2011-3634

NameCVE-2011-3634
Descriptionmethods/https.cc in apt before 0.8.11 accepts connections when the certificate host name fails validation and Verify-Host is enabled, which allows man-in-the-middle attackers to obtain repository credentials via unspecified vectors.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-0005-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
apt (PTS)jessie, jessie (lts)1.0.9.8.7fixed
stretch (security), stretch (lts), stretch1.4.11fixed
buster1.8.2.3fixed
buster (security), buster (lts)1.8.2.2fixed
bullseye2.2.4fixed
bookworm2.6.1fixed
trixie2.9.10fixed
sid2.9.14fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
aptsourcesqueeze0.8.10.3+squeeze2
aptsource(unstable)0.8.11low

Notes

Minor issue, apt is only affected if apt-transport-https is installed
http://bazaar.launchpad.net/~donkult/apt/sid/revision/2053.1.28
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/868353

Search for package or bug name: Reporting problems