Vulnerability Description
methods/https.cc in apt before 0.8.11 accepts connections when the certificate host name fails validation and Verify-Host is enabled, which allows man-in-the-middle attackers to obtain repository credentials via unspecified vectors.
CVSS Score
LOW
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Debian | Advanced Package Tool | <= 0.8.10.3 |
| Canonical | Ubuntu Linux | 8.04 |
Related Weaknesses (CWE)
References
- http://people.canonical.com/~ubuntu-security/cve/2011/CVE-2011-3634.html
- http://www.ubuntu.com/usn/USN-1283-1
- https://alioth.debian.org/plugins/scmgit/cgi-bin/gitweb.cgi?p=apt/apt.git%3Ba=bl
- https://bugs.launchpad.net/ubuntu/+source/apt/+bug/868353
FAQ
What is CVE-2011-3634?
CVE-2011-3634 is a vulnerability with a CVSS score of 2.6 (LOW). methods/https.cc in apt before 0.8.11 accepts connections when the certificate host name fails validation and Verify-Host is enabled, which allows man-in-the-middle attackers to obtain repository credentials via unspecified vectors.
How severe is CVE-2011-3634?
CVE-2011-3634 has been rated LOW with a CVSS base score of 2.6/10. See the CVSS Score section above for the severity rating.
Is there a patch for CVE-2011-3634?
Check the References section above for vendor advisories and patch information; the fix is in apt 0.8.11 and later. Affected products include Debian Advanced Package Tool (<= 0.8.10.3) and Canonical Ubuntu Linux 8.04.