CVE-2011-3634
Advanced Package Tool < 0.8.11 - Repository Credential Exposure via Invalid Certificate Host Name
Title source: llmDescription
methods/https.cc in apt before 0.8.11 accepts connections when the certificate host name fails validation and Verify-Host is enabled, which allows man-in-the-middle attackers to obtain repository credentials via unspecified vectors.
References (4)
Core 4
Core References
Vendor Advisory vendor-advisory
x_refsource_ubuntu
http://www.ubuntu.com/usn/USN-1283-1
Various Sources x_refsource_confirm
https://alioth.debian.org/plugins/scmgit/cgi-bin/gitweb.cgi?p=apt/apt.git%3Ba=blob%3Bf=debian/changelog%3Bhb=HEAD
Various Sources x_refsource_confirm
http://people.canonical.com/~ubuntu-security/cve/2011/CVE-2011-3634.html
Issue Tracking x_refsource_confirm
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/868353
Scores
EPSS
0.0080
EPSS Percentile
52.2%
Details
CWE
CWE-200
Status
published
Products (10)
canonical/ubuntu_linux
8.04
canonical/ubuntu_linux
10.04
canonical/ubuntu_linux
10.10
canonical/ubuntu_linux
11.04
debian/advanced_package_tool
0.8.0 (3 CPE variants)
debian/advanced_package_tool
0.8.1
debian/advanced_package_tool
0.8.10
debian/advanced_package_tool
0.8.10.1
debian/advanced_package_tool
0.8.10.2
debian/advanced_package_tool
< 0.8.10.3
Published
Mar 01, 2014
Tracked Since
Feb 18, 2026