Information disclosure in Canonical Ubuntu_linux

CVE-2011-3634

methods/https.cc in apt before 0.8.11 accepts connections when the certificate host name fails validation and Verify-Host is enabled, which allows man-in-the-middle attackers to obtain repository credentials via unspecified vectors.

Vulnerability class: Information Disclosure

EPSS: 0.008 (51.5th percentile) — read the EPSS interpretation.

Affected products

Canonical Ubuntu_linux — versions 8.04, 10.04, 10.10
Debian Advanced_package_tool — versions 0.8.0, 0.8.1, 0.8.10
N/a — versions n/a

Weakness classification (CWE)

CWE-200 — Information Disclosure

References

secalert@redhat.com (x_refsource_UBUNTU, vendor-advisory)
secalert@redhat.com (x_refsource_CONFIRM)
secalert@redhat.com (x_refsource_CONFIRM)
secalert@redhat.com (x_refsource_CONFIRM)