229 lines
11 KiB
JSON
229 lines
11 KiB
JSON
{
|
||
"Definition": [
|
||
{
|
||
"ID": "oval:org.altlinux.errata:def:20202355",
|
||
"Version": "oval:org.altlinux.errata:def:20202355",
|
||
"Class": "patch",
|
||
"Metadata": {
|
||
"Title": "ALT-PU-2020-2355: package `mbedtls` update to version 2.23.0-alt1",
|
||
"AffectedList": [
|
||
{
|
||
"Family": "unix",
|
||
"Platforms": [
|
||
"ALT Linux branch c9f2"
|
||
],
|
||
"Products": [
|
||
"ALT SPWorkstation",
|
||
"ALT SPServer"
|
||
]
|
||
}
|
||
],
|
||
"References": [
|
||
{
|
||
"RefID": "ALT-PU-2020-2355",
|
||
"RefURL": "https://errata.altlinux.org/ALT-PU-2020-2355",
|
||
"Source": "ALTPU"
|
||
},
|
||
{
|
||
"RefID": "BDU:2020-02674",
|
||
"RefURL": "https://bdu.fstec.ru/vul/2020-02674",
|
||
"Source": "BDU"
|
||
},
|
||
{
|
||
"RefID": "BDU:2022-01830",
|
||
"RefURL": "https://bdu.fstec.ru/vul/2022-01830",
|
||
"Source": "BDU"
|
||
},
|
||
{
|
||
"RefID": "BDU:2022-02080",
|
||
"RefURL": "https://bdu.fstec.ru/vul/2022-02080",
|
||
"Source": "BDU"
|
||
},
|
||
{
|
||
"RefID": "BDU:2022-02083",
|
||
"RefURL": "https://bdu.fstec.ru/vul/2022-02083",
|
||
"Source": "BDU"
|
||
},
|
||
{
|
||
"RefID": "CVE-2019-18222",
|
||
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2019-18222",
|
||
"Source": "CVE"
|
||
},
|
||
{
|
||
"RefID": "CVE-2020-10932",
|
||
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2020-10932",
|
||
"Source": "CVE"
|
||
},
|
||
{
|
||
"RefID": "CVE-2020-10941",
|
||
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2020-10941",
|
||
"Source": "CVE"
|
||
},
|
||
{
|
||
"RefID": "CVE-2020-36421",
|
||
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2020-36421",
|
||
"Source": "CVE"
|
||
},
|
||
{
|
||
"RefID": "CVE-2020-36422",
|
||
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2020-36422",
|
||
"Source": "CVE"
|
||
},
|
||
{
|
||
"RefID": "CVE-2020-36423",
|
||
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2020-36423",
|
||
"Source": "CVE"
|
||
}
|
||
],
|
||
"Description": "This update upgrades mbedtls to version 2.23.0-alt1. \nSecurity Fix(es):\n\n * BDU:2020-02674: Уязвимость реализации протоколов TLS и SSL программного обеспечения Mbed TLS, связанная с непринятием мер по шифрованию защищаемых данных, позволяющая нарушителю раскрыть закрытый ключ RSA\n\n * BDU:2022-01830: Уязвимость функций mbedtls_ecp_check_pub_priv, mbedtls_pk_parse_key, mbedtls_pk_parse_keyfile, mbedtls_ecp_mul, mbedtls_ecp_mul_restartable реализации протоколов TLS и SSL Mbed TLS, позволяющая нарушителю получить доступ к конфиденциальным данным\n\n * BDU:2022-02080: Уязвимость реализации протоколов TLS и SSL Mbed TLS, связанная с передачей защищаемой информации в незашифрованном виде, позволяющая нарушителю получить доступ к конфиденциальным данным\n\n * BDU:2022-02083: Уязвимость реализации протоколов TLS и SSL Mbed TLS, связанная с раскрытием информации через несоответствие, позволяющая нарушителю получить доступ к конфиденциальным данным\n\n * CVE-2019-18222: The ECDSA signature implementation in ecdsa.c in Arm Mbed Crypto 2.1 and Mbed TLS through 2.19.1 does not reduce the blinded scalar before computing the inverse, which allows a local attacker to recover the private key via side-channel attacks.\n\n * CVE-2020-10932: An issue was discovered in Arm Mbed TLS before 2.16.6 and 2.7.x before 2.7.15. An attacker that can get precise enough side-channel measurements can recover the long-term ECDSA private key by (1) reconstructing the projective coordinate of the result of scalar multiplication by exploiting side channels in the conversion to affine coordinates; (2) using an attack described by Naccache, Smart, and Stern in 2003 to recover a few bits of the ephemeral scalar from those projective coordinates via several measurements; and (3) using a lattice attack to get from there to the long-term ECDSA private key used for the signatures. Typically an attacker would have sufficient access when attacking an SGX enclave and controlling the untrusted OS.\n\n * CVE-2020-10941: Arm Mbed TLS before 2.16.5 allows attackers to obtain sensitive information (an RSA private key) by measuring cache usage during an import.\n\n * CVE-2020-36421: An issue was discovered in Arm Mbed TLS before 2.23.0. Because of a side channel in modular exponentiation, an RSA private key used in a secure enclave could be disclosed.\n\n * CVE-2020-36422: An issue was discovered in Arm Mbed TLS before 2.23.0. A side channel allows recovery of an ECC private key, related to mbedtls_ecp_check_pub_priv, mbedtls_pk_parse_key, mbedtls_pk_parse_keyfile, mbedtls_ecp_mul, and mbedtls_ecp_mul_restartable.\n\n * CVE-2020-36423: An issue was discovered in Arm Mbed TLS before 2.23.0. A remote attacker can recover plaintext because a certain Lucky 13 countermeasure doesn't properly consider the case of a hardware accelerator.",
|
||
"Advisory": {
|
||
"From": "errata.altlinux.org",
|
||
"Severity": "High",
|
||
"Rights": "Copyright 2024 BaseALT Ltd.",
|
||
"Issued": {
|
||
"Date": "2020-07-13"
|
||
},
|
||
"Updated": {
|
||
"Date": "2020-07-13"
|
||
},
|
||
"BDUs": [
|
||
{
|
||
"ID": "BDU:2020-02674",
|
||
"CVSS": "AV:N/AC:H/Au:N/C:C/I:N/A:N",
|
||
"CVSS3": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
|
||
"CWE": "CWE-311",
|
||
"Href": "https://bdu.fstec.ru/vul/2020-02674",
|
||
"Impact": "Low",
|
||
"Public": "20200324"
|
||
},
|
||
{
|
||
"ID": "BDU:2022-01830",
|
||
"CVSS": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
|
||
"CVSS3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
|
||
"CWE": "CWE-203",
|
||
"Href": "https://bdu.fstec.ru/vul/2022-01830",
|
||
"Impact": "Low",
|
||
"Public": "20200620"
|
||
},
|
||
{
|
||
"ID": "BDU:2022-02080",
|
||
"CVSS": "AV:N/AC:L/Au:N/C:C/I:N/A:N",
|
||
"CVSS3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
|
||
"CWE": "CWE-319",
|
||
"Href": "https://bdu.fstec.ru/vul/2022-02080",
|
||
"Impact": "High",
|
||
"Public": "20210719"
|
||
},
|
||
{
|
||
"ID": "BDU:2022-02083",
|
||
"CVSS": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
|
||
"CVSS3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
|
||
"CWE": "CWE-203",
|
||
"Href": "https://bdu.fstec.ru/vul/2022-02083",
|
||
"Impact": "Low",
|
||
"Public": "20210719"
|
||
}
|
||
],
|
||
"CVEs": [
|
||
{
|
||
"ID": "CVE-2019-18222",
|
||
"CVSS": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
|
||
"CVSS3": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
|
||
"CWE": "CWE-203",
|
||
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2019-18222",
|
||
"Impact": "Low",
|
||
"Public": "20200123"
|
||
},
|
||
{
|
||
"ID": "CVE-2020-10932",
|
||
"CVSS": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
|
||
"CVSS3": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
|
||
"CWE": "CWE-327",
|
||
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2020-10932",
|
||
"Impact": "Low",
|
||
"Public": "20200415"
|
||
},
|
||
{
|
||
"ID": "CVE-2020-10941",
|
||
"CVSS": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
|
||
"CVSS3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
|
||
"CWE": "NVD-CWE-noinfo",
|
||
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2020-10941",
|
||
"Impact": "Low",
|
||
"Public": "20200324"
|
||
},
|
||
{
|
||
"ID": "CVE-2020-36421",
|
||
"CVSS": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
|
||
"CVSS3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
|
||
"CWE": "CWE-203",
|
||
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2020-36421",
|
||
"Impact": "Low",
|
||
"Public": "20210719"
|
||
},
|
||
{
|
||
"ID": "CVE-2020-36422",
|
||
"CVSS": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
|
||
"CVSS3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
|
||
"CWE": "CWE-203",
|
||
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2020-36422",
|
||
"Impact": "Low",
|
||
"Public": "20210719"
|
||
},
|
||
{
|
||
"ID": "CVE-2020-36423",
|
||
"CVSS": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
|
||
"CVSS3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
|
||
"CWE": "CWE-319",
|
||
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2020-36423",
|
||
"Impact": "High",
|
||
"Public": "20210719"
|
||
}
|
||
],
|
||
"AffectedCPEs": {
|
||
"CPEs": [
|
||
"cpe:/o:alt:spworkstation:8.4",
|
||
"cpe:/o:alt:spserver:8.4"
|
||
]
|
||
}
|
||
}
|
||
},
|
||
"Criteria": {
|
||
"Operator": "AND",
|
||
"Criterions": [
|
||
{
|
||
"TestRef": "oval:org.altlinux.errata:tst:4001",
|
||
"Comment": "ALT Linux must be installed"
|
||
}
|
||
],
|
||
"Criterias": [
|
||
{
|
||
"Operator": "OR",
|
||
"Criterions": [
|
||
{
|
||
"TestRef": "oval:org.altlinux.errata:tst:20202355001",
|
||
"Comment": "libmbedcrypto5 is earlier than 0:2.23.0-alt1"
|
||
},
|
||
{
|
||
"TestRef": "oval:org.altlinux.errata:tst:20202355002",
|
||
"Comment": "libmbedtls-devel is earlier than 0:2.23.0-alt1"
|
||
},
|
||
{
|
||
"TestRef": "oval:org.altlinux.errata:tst:20202355003",
|
||
"Comment": "libmbedtls13 is earlier than 0:2.23.0-alt1"
|
||
},
|
||
{
|
||
"TestRef": "oval:org.altlinux.errata:tst:20202355004",
|
||
"Comment": "libmbedx509-1 is earlier than 0:2.23.0-alt1"
|
||
},
|
||
{
|
||
"TestRef": "oval:org.altlinux.errata:tst:20202355005",
|
||
"Comment": "mbedtls-utils is earlier than 0:2.23.0-alt1"
|
||
}
|
||
]
|
||
}
|
||
]
|
||
}
|
||
}
|
||
]
|
||
} |