CVE-2012-3587

low

Published 2012-06-19 · Modified 2026-04-29

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

—

CVSS v4 NEW

—

not yet in upstream

VIR risk

2.6

Description

APT 0.7.x before 0.7.25 and 0.8.x before 0.8.16, when using the apt-key net-update to import keyrings, relies on GnuPG argument order and does not check GPG subkeys, which might allow remote attackers to install Trojan horse packages via a man-in-the-middle (MITM) attack.

Predictions

Exploit likelihood

20%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or — if you've already worked around this in production — publish your fix to the community-verified tier.

✚ Propose a mitigation on Community → Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here with source_tier=community-verified.

OS impact

Debian Fixed 5 releases

Version	Status	Fixed in
trixie	Fixed	`0.7.25`
sid	Fixed	`0.7.25`
forky	Fixed	`0.7.25`
bullseye	Fixed	`0.7.25`
bookworm	Fixed	`0.7.25`

Application impact

Vendor	Product	Versions
debian	advanced_package_tool	`0.7.0`
debian	advanced_package_tool	`0.7.1`
debian	advanced_package_tool	`0.7.2`
debian	advanced_package_tool	`0.7.2-0.1`
debian	advanced_package_tool	`0.7.10`
debian	advanced_package_tool	`0.7.11`
debian	advanced_package_tool	`0.7.12`
debian	advanced_package_tool	`0.7.13`
debian	advanced_package_tool	`0.7.14`
debian	advanced_package_tool	`0.7.15`
debian	advanced_package_tool	`0.7.16`
debian	advanced_package_tool	`0.7.17`
debian	advanced_package_tool	`0.7.18`
debian	advanced_package_tool	`0.7.19`
debian	advanced_package_tool	`0.7.20`
debian	advanced_package_tool	`0.7.20.1`
debian	advanced_package_tool	`0.7.20.2`
debian	advanced_package_tool	`0.7.21`
debian	advanced_package_tool	`0.7.22`
debian	advanced_package_tool	`0.7.22.1`
debian	advanced_package_tool	`0.7.22.2`
debian	advanced_package_tool	`0.7.23`
debian	advanced_package_tool	`0.7.23.1`
debian	advanced_package_tool	`0.7.24`
debian	advanced_package_tool	`0.8.0`
debian	advanced_package_tool	`0.8.1`
debian	advanced_package_tool	`0.8.10`
debian	advanced_package_tool	`0.8.10.1`
debian	advanced_package_tool	`0.8.10.2`
debian	advanced_package_tool	`0.8.10.3`
debian	advanced_package_tool	`0.8.11`
debian	advanced_package_tool	`0.8.11.1`
debian	advanced_package_tool	`0.8.11.2`
debian	advanced_package_tool	`0.8.11.3`
debian	advanced_package_tool	`0.8.11.4`
debian	advanced_package_tool	`0.8.11.5`
debian	advanced_package_tool	`0.8.12`
debian	advanced_package_tool	`0.8.13`
debian	advanced_package_tool	`0.8.13.1`
debian	advanced_package_tool	`0.8.13.2`
debian	advanced_package_tool	`0.8.14`
debian	advanced_package_tool	`0.8.14.1`
debian	advanced_package_tool	`0.8.15`
debian	advanced_package_tool	`0.8.15.1`
debian	advanced_package_tool	`0.8.15.6`
debian	advanced_package_tool	`0.8.15.7`
debian	advanced_package_tool	`0.8.15.8`
debian	advanced_package_tool	`0.8.15.9`
debian	advanced_package_tool	`0.8.15.10`

References

CWEs

CWE-20

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.