Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker


Commits:
a1370ab8 by Markus Koschany at 2022-12-25T22:52:27+01:00
CVE-2022-46392,mbedtls: mark Buster as postponed

Minor issue because an attacker must be able to observe the victim performing a
single private-key operation / control the entire operating system which is 
very hard to achieve.
The vulnerable code is most likely in library/bignum.c

- - - - -
3d87aedf by Markus Koschany at 2022-12-26T00:27:38+01:00
Reserve DLA-3249-1 for mbedtls

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -5765,7 +5765,9 @@ CVE-2022-46393 (An issue was discovered in Mbed TLS 
before 2.28.2 and 3.x before
        NOTE: Fixed by 
https://github.com/Mbed-TLS/mbedtls/commit/f385fcebee017973cf4137333628a78248f1f443
 CVE-2022-46392 (An issue was discovered in Mbed TLS before 2.28.2 and 3.x 
before 3.3.0 ...)
        - mbedtls 2.28.2-1
+       [buster] - mbedtls <postponed> (Minor issue)
        NOTE: https://github.com/Mbed-TLS/mbedtls/releases/tag/v2.28.2
+       NOTE: Issue is most likely related to library/bignum.c and the 
mbedtls_mpi_exp_mod function.
 CVE-2022-46391 (AWStats 7.x through 7.8 allows XSS in the hostinfo plugin due 
to print ...)
        {DLA-3225-1}
        - awstats 7.8-3 (bug #1025410)
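Review bot: the added NOTE on CVE-2022-46392 hedges with "most likely" about library/bignum.c and mbedtls_mpi_exp_mod, so a later reviewer cannot tell whether the attribution was verified; record its source (the upstream commit or advisory, the way the neighbouring CVE-2022-46393 entry does with its `NOTE: Fixed by https://github.com/Mbed-TLS/mbedtls/commit/...` line) so the `<postponed>` decision can be revisited later. The `(Minor issue)` justification on the `[buster]` line also omits the reasoning given in the commit message (an attacker must observe a single private-key operation or control the whole OS); putting that rationale in the NOTE keeps it next to the data.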
@@ -107695,30 +107697,24 @@ CVE-2020-36427 (GNOME gThumb before 3.10.1 allows 
an application crash via a mal
        NOTE: Crash in CLI tool, no security impact
 CVE-2020-36426 (An issue was discovered in Arm Mbed TLS before 2.24.0. 
mbedtls_x509_cr ...)
        - mbedtls 2.16.9-0.1
-       [buster] - mbedtls <no-dsa> (Minor issue)
        [stretch] - mbedtls <no-dsa> (Minor issue)
 CVE-2020-36425 (An issue was discovered in Arm Mbed TLS before 2.24.0. It 
incorrectly  ...)
        - mbedtls 2.16.9-0.1
-       [buster] - mbedtls <no-dsa> (Minor issue)
        [stretch] - mbedtls <no-dsa> (Minor issue)
        NOTE: https://github.com/ARMmbed/mbedtls/issues/3340
        NOTE: https://github.com/ARMmbed/mbedtls/pull/3433
 CVE-2020-36424 (An issue was discovered in Arm Mbed TLS before 2.24.0. An 
attacker can ...)
        - mbedtls 2.16.9-0.1
-       [buster] - mbedtls <no-dsa> (Minor issue)
        [stretch] - mbedtls <no-dsa> (Minor issue)
        NOTE: 
https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2020-09-2
 CVE-2020-36423 (An issue was discovered in Arm Mbed TLS before 2.23.0. A 
remote attack ...)
        - mbedtls 2.16.9-0.1
-       [buster] - mbedtls <no-dsa> (Minor issue)
        [stretch] - mbedtls <no-dsa> (Minor issue)
 CVE-2020-36422 (An issue was discovered in Arm Mbed TLS before 2.23.0. A side 
channel  ...)
        - mbedtls 2.16.9-0.1
-       [buster] - mbedtls <no-dsa> (Minor issue)
        [stretch] - mbedtls <no-dsa> (Minor issue)
 CVE-2020-36421 (An issue was discovered in Arm Mbed TLS before 2.23.0. Because 
of a si ...)
        - mbedtls 2.16.9-0.1
-       [buster] - mbedtls <no-dsa> (Minor issue)
        [stretch] - mbedtls <no-dsa> (Minor issue)
        NOTE: https://github.com/ARMmbed/mbedtls/issues/3394
 CVE-2021-36774 (Apache Kylin allows users to read data from other database 
systems usi ...)
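Review bot: the `[buster] - mbedtls <no-dsa> (Minor issue)` lines for CVE-2020-36421 through CVE-2020-36426 are removed, but no `{DLA-3249-1}` cross-reference is added to these entries, whereas the convention visible in the next hunk is a `{DLA-2826-1}` line under CVE-2021-24119; confirm that the DLA reservation step adds `{DLA-3249-1}` here when the advisory is published, otherwise buster will show these CVEs as open again. Leaving the `[stretch] - mbedtls <no-dsa>` lines untouched is correct, since the DLA covers buster only.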
@@ -139630,7 +139626,6 @@ CVE-2021-24119 (In Trusted Firmware Mbed TLS 2.24.0, 
a side-channel vulnerabilit
        {DLA-2826-1}
        - mbedtls 2.16.11-0.1
        [bullseye] - mbedtls <no-dsa> (Minor issue)
-       [buster] - mbedtls <no-dsa> (Minor issue)
        NOTE: Fixed in 2.26.0: 
https://github.com/ARMmbed/mbedtls/releases/tag/v2.26.0
 CVE-2021-24118
        RESERVED
@@ -188531,7 +188526,6 @@ CVE-2020-16151
        RESERVED
 CVE-2020-16150 (A Lucky 13 timing side channel in mbedtls_ssl_decrypt_buf in 
library/s ...)
        - mbedtls 2.16.9-0.1 (bug #972806)
-       [buster] - mbedtls <no-dsa> (Minor issue)
        [stretch] - mbedtls <no-dsa> (Minor issue)
        NOTE: 
https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2020-09-1
 CVE-2020-16149
@@ -204034,7 +204028,6 @@ CVE-2020-10942 (In the Linux kernel before 5.5.8, 
get_raw_socket in drivers/vhos
        NOTE: 
https://git.kernel.org/linus/42d84c8490f9f0931786f1623191fcab397c3d64 (5.6-rc4)
 CVE-2020-10941 (Arm Mbed TLS before 2.16.5 allows attackers to obtain 
sensitive inform ...)
        - mbedtls 2.16.5-1
-       [buster] - mbedtls <no-dsa> (Minor issue)
        [stretch] - mbedtls <no-dsa> (Minor issue)
        NOTE: 
https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2020-02
 CVE-2020-10940 (Local Privilege Escalation can occur in PHOENIX CONTACT 
PORTICO SERVER ...)
@@ -204078,7 +204071,6 @@ CVE-2020-10933 (An issue was discovered in Ruby 2.5.x 
through 2.5.7, 2.6.x throu
        NOTE: and 
https://github.com/ruby/ruby/commit/ba5eb6458a7e9a41ee76cfe45b84f997600681dc
 CVE-2020-10932 (An issue was discovered in Arm Mbed TLS before 2.16.6 and 
2.7.x before ...)
        - mbedtls 2.16.9-0.1 (bug #963159)
-       [buster] - mbedtls <no-dsa> (Minor issue)
        [stretch] - mbedtls <no-dsa> (Minor issue)
        NOTE: 
https://tls.mbed.org/tech-updates/releases/mbedtls-2.16.6-and-2.7.15-released
        NOTE: 
https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2020-04
@@ -234750,7 +234742,6 @@ CVE-2019-18223 (ZOOM International Call Recording 
6.3.1 suffers from multiple au
        NOT-FOR-US: ZOOM International Call Recording
 CVE-2019-18222 (The ECDSA signature implementation in ecdsa.c in Arm Mbed 
Crypto 2.1 a ...)
        - mbedtls 2.16.4-1
-       [buster] - mbedtls <no-dsa> (Minor issue)
        [stretch] - mbedtls <no-dsa> (Minor issue)
        NOTE: 
https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2019-12
        NOTE: Fixed upstream in 2.20.0, 2.16.4 and 2.7.13
@@ -239198,7 +239189,6 @@ CVE-2019-16911
        RESERVED
 CVE-2019-16910 (Arm Mbed TLS before 2.19.0 and Arm Mbed Crypto before 2.0.0, 
when dete ...)
        - mbedtls 2.16.3-1 (bug #941265)
-       [buster] - mbedtls <no-dsa> (Minor issue)
        [stretch] - mbedtls <no-dsa> (Minor issue)
        - polarssl <removed>
        [jessie] - polarssl <no-dsa> (Minor issue, backport intrusive because 
of API changes)


=====================================
data/DLA/list
=====================================
@@ -1,3 +1,6 @@
+[26 Dec 2022] DLA-3249-1 mbedtls - security update
+       {CVE-2019-16910 CVE-2019-18222 CVE-2020-10932 CVE-2020-10941 
CVE-2020-16150 CVE-2020-36421 CVE-2020-36422 CVE-2020-36423 CVE-2020-36424 
CVE-2020-36425 CVE-2020-36426 CVE-2020-36475 CVE-2020-36476 CVE-2020-36478 
CVE-2021-24119 CVE-2021-43666 CVE-2021-44732 CVE-2022-35409}
+       [buster] - mbedtls 2.16.9-0~deb10u1
 [24 Dec 2022] DLA-3248-1 libksba - security update
        {CVE-2022-47629}
        [buster] - libksba 1.3.5-2+deb10u2
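Review bot: the new DLA-3249-1 entry lists CVE-2020-36475, CVE-2020-36476, CVE-2020-36478, CVE-2021-43666, CVE-2021-44732 and CVE-2022-35409, yet none of the data/CVE/list hunks in this push touches those entries; check that they carry no leftover `[buster] - mbedtls <no-dsa>` markers. Also, the buster fixed version `2.16.9-0~deb10u1` sorts below the `2.16.9-0.1` recorded as the fix in the CVE entries (`~` sorts before `.`), so this `[buster]` line is what makes buster count as fixed for those CVEs; keep it in sync with the uploaded version.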


=====================================
data/dla-needed.txt
=====================================
@@ -140,9 +140,6 @@ man2html
   NOTE: 20221004: It looks like not patch is available.
   NOTE: 20221004: Please evalulate, whether the issue can be marked as 
<ignored>.
 --
-mbedtls (Markus Koschany)
-  NOTE: 20220821: Programming language: C.
---
 modsecurity-crs
   NOTE: 20221006: Programming language: Other.
   NOTE: 20221006: Maintainer notes: Please contact maintainer. Consider 
uploading of newer version.



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/3707a9802f801ac1a818d444bb15e4821d81f29e...3d87aedfa44c5c3fce17b58a7512d0a542172756



_______________________________________________
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
