Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker
Commits: a1370ab8 by Markus Koschany at 2022-12-25T22:52:27+01:00 CVE-2022-46392,mbedtls: mark Buster as postponed Minor issue because an attacker must be able to observe the victim performing a single private-key operation / control the entire operating system which is very hard to achieve. The vulnerable code is most likely in library/bignum.c - - - - - 3d87aedf by Markus Koschany at 2022-12-26T00:27:38+01:00 Reserve DLA-3249-1 for mbedtls - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: ===================================== data/CVE/list ===================================== @@ -5765,7 +5765,9 @@ CVE-2022-46393 (An issue was discovered in Mbed TLS before 2.28.2 and 3.x before NOTE: Fixed by https://github.com/Mbed-TLS/mbedtls/commit/f385fcebee017973cf4137333628a78248f1f443 CVE-2022-46392 (An issue was discovered in Mbed TLS before 2.28.2 and 3.x before 3.3.0 ...) - mbedtls 2.28.2-1 + [buster] - mbedtls <postponed> (Minor issue) NOTE: https://github.com/Mbed-TLS/mbedtls/releases/tag/v2.28.2 + NOTE: Issue is most likely related to library/bignum.c and the mbedtls_mpi_exp_mod function. CVE-2022-46391 (AWStats 7.x through 7.8 allows XSS in the hostinfo plugin due to print ...) {DLA-3225-1} - awstats 7.8-3 (bug #1025410) 
@@ -107695,30 +107697,24 @@ CVE-2020-36427 (GNOME gThumb before 3.10.1 allows an application crash via a mal NOTE: Crash in CLI tool, no security impact CVE-2020-36426 (An issue was discovered in Arm Mbed TLS before 2.24.0. mbedtls_x509_cr ...) - mbedtls 2.16.9-0.1 - [buster] - mbedtls <no-dsa> (Minor issue) [stretch] - mbedtls <no-dsa> (Minor issue) CVE-2020-36425 (An issue was discovered in Arm Mbed TLS before 2.24.0. It incorrectly ...) - mbedtls 2.16.9-0.1 - [buster] - mbedtls <no-dsa> (Minor issue) [stretch] - mbedtls <no-dsa> (Minor issue) NOTE: https://github.com/ARMmbed/mbedtls/issues/3340 NOTE: https://github.com/ARMmbed/mbedtls/pull/3433 CVE-2020-36424 (An issue was discovered in Arm Mbed TLS before 2.24.0. An attacker can ...) - mbedtls 2.16.9-0.1 - [buster] - mbedtls <no-dsa> (Minor issue) [stretch] - mbedtls <no-dsa> (Minor issue) NOTE: https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2020-09-2 CVE-2020-36423 (An issue was discovered in Arm Mbed TLS before 2.23.0. A remote attack ...) - mbedtls 2.16.9-0.1 - [buster] - mbedtls <no-dsa> (Minor issue) [stretch] - mbedtls <no-dsa> (Minor issue) CVE-2020-36422 (An issue was discovered in Arm Mbed TLS before 2.23.0. A side channel ...) - mbedtls 2.16.9-0.1 - [buster] - mbedtls <no-dsa> (Minor issue) [stretch] - mbedtls <no-dsa> (Minor issue) CVE-2020-36421 (An issue was discovered in Arm Mbed TLS before 2.23.0. Because of a si ...) - mbedtls 2.16.9-0.1 - [buster] - mbedtls <no-dsa> (Minor issue) [stretch] - mbedtls <no-dsa> (Minor issue) NOTE: https://github.com/ARMmbed/mbedtls/issues/3394 CVE-2021-36774 (Apache Kylin allows users to read data from other database systems usi ...) 
@@ -139630,7 +139626,6 @@ CVE-2021-24119 (In Trusted Firmware Mbed TLS 2.24.0, a side-channel vulnerabilit {DLA-2826-1} - mbedtls 2.16.11-0.1 [bullseye] - mbedtls <no-dsa> (Minor issue) - [buster] - mbedtls <no-dsa> (Minor issue) NOTE: Fixed in 2.26.0: https://github.com/ARMmbed/mbedtls/releases/tag/v2.26.0 CVE-2021-24118 RESERVED @@ -188531,7 +188526,6 @@ CVE-2020-16151 RESERVED CVE-2020-16150 (A Lucky 13 timing side channel in mbedtls_ssl_decrypt_buf in library/s ...) - mbedtls 2.16.9-0.1 (bug #972806) - [buster] - mbedtls <no-dsa> (Minor issue) [stretch] - mbedtls <no-dsa> (Minor issue) NOTE: https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2020-09-1 CVE-2020-16149 @@ -204034,7 +204028,6 @@ CVE-2020-10942 (In the Linux kernel before 5.5.8, get_raw_socket in drivers/vhos NOTE: https://git.kernel.org/linus/42d84c8490f9f0931786f1623191fcab397c3d64 (5.6-rc4) CVE-2020-10941 (Arm Mbed TLS before 2.16.5 allows attackers to obtain sensitive inform ...) - mbedtls 2.16.5-1 - [buster] - mbedtls <no-dsa> (Minor issue) [stretch] - mbedtls <no-dsa> (Minor issue) NOTE: https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2020-02 CVE-2020-10940 (Local Privilege Escalation can occur in PHOENIX CONTACT PORTICO SERVER ...) @@ -204078,7 +204071,6 @@ CVE-2020-10933 (An issue was discovered in Ruby 2.5.x through 2.5.7, 2.6.x throu NOTE: and https://github.com/ruby/ruby/commit/ba5eb6458a7e9a41ee76cfe45b84f997600681dc CVE-2020-10932 (An issue was discovered in Arm Mbed TLS before 2.16.6 and 2.7.x before ...) - mbedtls 2.16.9-0.1 (bug #963159) - [buster] - mbedtls <no-dsa> (Minor issue) [stretch] - mbedtls <no-dsa> (Minor issue) NOTE: https://tls.mbed.org/tech-updates/releases/mbedtls-2.16.6-and-2.7.15-released NOTE: https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2020-04 
@@ -234750,7 +234742,6 @@ CVE-2019-18223 (ZOOM International Call Recording 6.3.1 suffers from multiple au NOT-FOR-US: ZOOM International Call Recording CVE-2019-18222 (The ECDSA signature implementation in ecdsa.c in Arm Mbed Crypto 2.1 a ...) - mbedtls 2.16.4-1 - [buster] - mbedtls <no-dsa> (Minor issue) [stretch] - mbedtls <no-dsa> (Minor issue) NOTE: https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2019-12 NOTE: Fixed upstream in 2.20.0, 2.16.4 and 2.7.13 @@ -239198,7 +239189,6 @@ CVE-2019-16911 RESERVED CVE-2019-16910 (Arm Mbed TLS before 2.19.0 and Arm Mbed Crypto before 2.0.0, when dete ...) - mbedtls 2.16.3-1 (bug #941265) - [buster] - mbedtls <no-dsa> (Minor issue) [stretch] - mbedtls <no-dsa> (Minor issue) - polarssl <removed> [jessie] - polarssl <no-dsa> (Minor issue, backport intrusive because of API changes) ===================================== data/DLA/list ===================================== @@ -1,3 +1,6 @@ +[26 Dec 2022] DLA-3249-1 mbedtls - security update + {CVE-2019-16910 CVE-2019-18222 CVE-2020-10932 CVE-2020-10941 CVE-2020-16150 CVE-2020-36421 CVE-2020-36422 CVE-2020-36423 CVE-2020-36424 CVE-2020-36425 CVE-2020-36426 CVE-2020-36475 CVE-2020-36476 CVE-2020-36478 CVE-2021-24119 CVE-2021-43666 CVE-2021-44732 CVE-2022-35409} + [buster] - mbedtls 2.16.9-0~deb10u1 [24 Dec 2022] DLA-3248-1 libksba - security update {CVE-2022-47629} [buster] - libksba 1.3.5-2+deb10u2 ===================================== data/dla-needed.txt ===================================== 
@@ -140,9 +140,6 @@ man2html NOTE: 20221004: It looks like not patch is available. NOTE: 20221004: Please evalulate, whether the issue can be marked as <ignored>. -- -mbedtls (Markus Koschany) - NOTE: 20220821: Programming language: C. --- modsecurity-crs NOTE: 20221006: Programming language: Other. NOTE: 20221006: Maintainer notes: Please contact maintainer. Consider uploading of newer version. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/3707a9802f801ac1a818d444bb15e4821d81f29e...3d87aedfa44c5c3fce17b58a7512d0a542172756
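Review bot: In the first data/CVE/list hunk (CVE-2022-46392), the added line "NOTE: Issue is most likely related to library/bignum.c and the mbedtls_mpi_exp_mod function." records a guess rather than a fact; the neighbouring CVE-2022-46393 entry shows the better pattern ("NOTE: Fixed by https://github.com/Mbed-TLS/mbedtls/commit/..."), so once the upstream fix commit is identified it should replace the speculation. It would also help to carry the postponement rationale from the commit message into the tracker comment, e.g. "[buster] - mbedtls <postponed> (Minor issue; attacker must observe a single local private-key operation)", so the triage is self-explanatory when the buster line is revisited without the commit history.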
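Review bot: In the data/CVE/list hunk for CVE-2020-36421 through CVE-2020-36426 (and the same applies to the CVE-2021-24119, CVE-2020-16150, CVE-2020-10941, CVE-2020-10932, CVE-2019-18222 and CVE-2019-16910 hunks), the "[buster] - mbedtls <no-dsa> (Minor issue)" lines are removed but no "{DLA-3249-1}" marker is added under the CVE line, unlike the existing "{DLA-2826-1}" on CVE-2021-24119 and "{DLA-3225-1}" on CVE-2022-46391 visible in the same diff. If the marker is added when the reserved DLA is published, fine; otherwise it should be added here so the buster status is recorded as fixed by the DLA rather than silently dropping the triage state.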
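Review bot: The data/DLA/list hunk lists CVE-2020-36475, CVE-2020-36476, CVE-2020-36478, CVE-2021-43666, CVE-2021-44732 and CVE-2022-35409 as fixed by DLA-3249-1, yet none of those six entries gets a hunk in data/CVE/list in this push. If any of them still carries a "[buster] - mbedtls <no-dsa>" or "<postponed>" line, that line now contradicts the DLA entry "[buster] - mbedtls 2.16.9-0~deb10u1"; worth checking those six entries before the advisory goes out, the same way the other twelve were cleaned up here.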
_______________________________________________ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits