112 lines
4.3 KiB
JSON
112 lines
4.3 KiB
JSON
{
|
|
"Definition": [
|
|
{
|
|
"ID": "oval:org.altlinux.errata:def:20212104",
|
|
"Version": "oval:org.altlinux.errata:def:20212104",
|
|
"Class": "patch",
|
|
"Metadata": {
|
|
"Title": "ALT-PU-2021-2104: package `libcryptopp` update to version 8.5.0-alt1",
|
|
"AffectedList": [
|
|
{
|
|
"Family": "unix",
|
|
"Platforms": [
|
|
"ALT Linux branch c10f1"
|
|
],
|
|
"Products": [
|
|
"ALT SP Workstation",
|
|
"ALT SP Server"
|
|
]
|
|
}
|
|
],
|
|
"References": [
|
|
{
|
|
"RefID": "ALT-PU-2021-2104",
|
|
"RefURL": "https://errata.altlinux.org/ALT-PU-2021-2104",
|
|
"Source": "ALTPU"
|
|
},
|
|
{
|
|
"RefID": "CVE-2019-14318",
|
|
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2019-14318",
|
|
"Source": "CVE"
|
|
},
|
|
{
|
|
"RefID": "CVE-2021-40530",
|
|
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2021-40530",
|
|
"Source": "CVE"
|
|
}
|
|
],
|
|
"Description": "This update upgrades libcryptopp to version 8.5.0-alt1. \nSecurity Fix(es):\n\n * CVE-2019-14318: Crypto++ 8.3.0 and earlier contains a timing side channel in ECDSA signature generation. This allows a local or remote attacker, able to measure the duration of hundreds to thousands of signing operations, to compute the private key used. The issue occurs because scalar multiplication in ecp.cpp (prime field curves, small leakage) and algebra.cpp (binary field curves, large leakage) is not constant time and leaks the bit length of the scalar among other information.\n\n * CVE-2021-40530: The ElGamal implementation in Crypto++ through 8.5 allows plaintext recovery because, during interaction between two cryptographic libraries, a certain dangerous combination of the prime defined by the receiver's public key, the generator defined by the receiver's public key, and the sender's ephemeral exponents can lead to a cross-configuration attack against OpenPGP.",
|
|
"Advisory": {
|
|
"From": "errata.altlinux.org",
|
|
"Severity": "Low",
|
|
"Rights": "Copyright 2024 BaseALT Ltd.",
|
|
"Issued": {
|
|
"Date": "2021-07-01"
|
|
},
|
|
"Updated": {
|
|
"Date": "2021-07-01"
|
|
},
|
|
"BDUs": null,
|
|
"CVEs": [
|
|
{
|
|
"ID": "CVE-2019-14318",
|
|
"CVSS": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
|
|
"CVSS3": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
|
|
"CWE": "CWE-417",
|
|
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2019-14318",
|
|
"Impact": "Low",
|
|
"Public": "20190730"
|
|
},
|
|
{
|
|
"ID": "CVE-2021-40530",
|
|
"CVSS": "AV:N/AC:H/Au:N/C:P/I:N/A:N",
|
|
"CVSS3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
|
|
"CWE": "CWE-327",
|
|
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2021-40530",
|
|
"Impact": "Low",
|
|
"Public": "20210906"
|
|
}
|
|
],
|
|
"AffectedCPEs": {
|
|
"CPEs": [
|
|
"cpe:/o:alt:spworkstation:10",
|
|
"cpe:/o:alt:spserver:10"
|
|
]
|
|
}
|
|
}
|
|
},
|
|
"Criteria": {
|
|
"Operator": "AND",
|
|
"Criterions": [
|
|
{
|
|
"TestRef": "oval:org.altlinux.errata:tst:4001",
|
|
"Comment": "ALT Linux must be installed"
|
|
}
|
|
],
|
|
"Criterias": [
|
|
{
|
|
"Operator": "OR",
|
|
"Criterions": [
|
|
{
|
|
"TestRef": "oval:org.altlinux.errata:tst:20212104001",
|
|
"Comment": "libcryptopp is earlier than 0:8.5.0-alt1"
|
|
},
|
|
{
|
|
"TestRef": "oval:org.altlinux.errata:tst:20212104002",
|
|
"Comment": "libcryptopp-devel is earlier than 0:8.5.0-alt1"
|
|
},
|
|
{
|
|
"TestRef": "oval:org.altlinux.errata:tst:20212104003",
|
|
"Comment": "libcryptopp-devel-static is earlier than 0:8.5.0-alt1"
|
|
},
|
|
{
|
|
"TestRef": "oval:org.altlinux.errata:tst:20212104004",
|
|
"Comment": "libcryptopp-progs is earlier than 0:8.5.0-alt1"
|
|
}
|
|
]
|
|
}
|
|
]
|
|
}
|
|
}
|
|
]
|
|
} |