pepelyaevip/vuln-list-alt
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
vuln-list-alt/oval/p11/ALT-PU-2018-1495/definitions.json
pepelyaevip 9d72b75f75 ALT Vulnerability
2024-12-12 21:07:30 +00:00

163 lines
7.3 KiB
JSON
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

{
"Definition": [
{
"ID": "oval:org.altlinux.errata:def:20181495",
"Version": "oval:org.altlinux.errata:def:20181495",
"Class": "patch",
"Metadata": {
"Title": "ALT-PU-2018-1495: package `mbedtls` update to version 2.8.0-alt1.S1",
"AffectedList": [
{
"Family": "unix",
"Platforms": [
"ALT Linux branch p11"
],
"Products": [
"ALT Container"
]
}
],
"References": [
{
"RefID": "ALT-PU-2018-1495",
"RefURL": "https://errata.altlinux.org/ALT-PU-2018-1495",
"Source": "ALTPU"
},
{
"RefID": "BDU:2019-00068",
"RefURL": "https://bdu.fstec.ru/vul/2019-00068",
"Source": "BDU"
},
{
"RefID": "CVE-2018-1000520",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000520",
"Source": "CVE"
},
{
"RefID": "CVE-2018-19608",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2018-19608",
"Source": "CVE"
},
{
"RefID": "CVE-2018-9988",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2018-9988",
"Source": "CVE"
},
{
"RefID": "CVE-2018-9989",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2018-9989",
"Source": "CVE"
},
{
"RefID": "CVE-2020-10932",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2020-10932",
"Source": "CVE"
}
],
"Description": "This update upgrades mbedtls to version 2.8.0-alt1.S1. \nSecurity Fix(es):\n\n * BDU:2019-00068: Уязвимость реализации протоколов TLS и SSL программного обеспечения Mbed TLS, связанная с локальной синхронизацией при расшифровке RSA, позволяющая нарушителю получить доступ к защищаемой информации\n\n * CVE-2018-1000520: ARM mbedTLS version 2.7.0 and earlier contains a Ciphersuite Allows Incorrectly Signed Certificates vulnerability in mbedtls_ssl_get_verify_result() that can result in ECDSA-signed certificates are accepted, when only RSA-signed ones should be.. This attack appear to be exploitable via Peers negotiate a TLS-ECDH-RSA-* ciphersuite. Any of the peers can then provide an ECDSA-signed certificate, when only an RSA-signed one should be accepted..\n\n * CVE-2018-19608: Arm Mbed TLS before 2.14.1, before 2.7.8, and before 2.1.17 allows a local unprivileged attacker to recover the plaintext of RSA decryption, which is used in RSA-without-(EC)DH(E) cipher suites.\n\n * CVE-2018-9988: ARM mbed TLS before 2.1.11, before 2.7.2, and before 2.8.0 has a buffer over-read in ssl_parse_server_key_exchange() that could cause a crash on invalid input.\n\n * CVE-2018-9989: ARM mbed TLS before 2.1.11, before 2.7.2, and before 2.8.0 has a buffer over-read in ssl_parse_server_psk_hint() that could cause a crash on invalid input.\n\n * CVE-2020-10932: An issue was discovered in Arm Mbed TLS before 2.16.6 and 2.7.x before 2.7.15. An attacker that can get precise enough side-channel measurements can recover the long-term ECDSA private key by (1) reconstructing the projective coordinate of the result of scalar multiplication by exploiting side channels in the conversion to affine coordinates; (2) using an attack described by Naccache, Smart, and Stern in 2003 to recover a few bits of the ephemeral scalar from those projective coordinates via several measurements; and (3) using a lattice attack to get from there to the long-term ECDSA private key used for the signatures. Typically an attacker would have sufficient access when attacking an SGX enclave and controlling the untrusted OS.",
"Advisory": {
"From": "errata.altlinux.org",
"Severity": "High",
"Rights": "Copyright 2024 BaseALT Ltd.",
"Issued": {
"Date": "2018-03-26"
},
"Updated": {
"Date": "2018-03-26"
},
"BDUs": [
{
"ID": "BDU:2019-00068",
"CVSS": "AV:L/AC:L/Au:N/C:C/I:N/A:N",
"CVSS3": "AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"CWE": "CWE-119, CWE-310",
"Href": "https://bdu.fstec.ru/vul/2019-00068",
"Impact": "Low",
"Public": "20181128"
}
],
"CVEs": [
{
"ID": "CVE-2018-1000520",
"CVSS": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"CVSS3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"CWE": "CWE-295",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000520",
"Impact": "High",
"Public": "20180626"
},
{
"ID": "CVE-2018-19608",
"CVSS": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"CVSS3": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"CWE": "CWE-269",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2018-19608",
"Impact": "Low",
"Public": "20181205"
},
{
"ID": "CVE-2018-9988",
"CVSS": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"CVSS3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"CWE": "CWE-125",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2018-9988",
"Impact": "High",
"Public": "20180410"
},
{
"ID": "CVE-2018-9989",
"CVSS": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"CVSS3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"CWE": "CWE-125",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2018-9989",
"Impact": "High",
"Public": "20180410"
},
{
"ID": "CVE-2020-10932",
"CVSS": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"CVSS3": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"CWE": "CWE-327",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2020-10932",
"Impact": "Low",
"Public": "20200415"
}
],
"AffectedCPEs": {
"CPEs": [
"cpe:/o:alt:container:11"
]
}
}
},
"Criteria": {
"Operator": "AND",
"Criterions": [
{
"TestRef": "oval:org.altlinux.errata:tst:3001",
"Comment": "ALT Linux must be installed"
}
],
"Criterias": [
{
"Operator": "OR",
"Criterions": [
{
"TestRef": "oval:org.altlinux.errata:tst:20181495001",
"Comment": "libmbedtls-devel is earlier than 0:2.8.0-alt1.S1"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20181495002",
"Comment": "libmbedtls10 is earlier than 0:2.8.0-alt1.S1"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20181495003",
"Comment": "mbedtls-utils is earlier than 0:2.8.0-alt1.S1"
}
]
}
]
}
}
]
}
Reference in New Issue View Git Blame Copy Permalink