Branch p9 update bulletin.

Package libgcrypt updated to version 1.8.5-alt3 for branch p9 in task 239665.

Published: 2020-01-13

BDU:2020-01727

Уязвимость криптографической библиотеки Python ECDSA, связанная с недостаточной обработкой исключительных состояний, позволяющая нарушителю вызвать отказ в обслуживании

Severity: LOW (3.6) Vector: AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N

References:

CVE-2019-13627

Published: 2019-06-20
Modified: 2024-11-21

CVE-2019-12904

In Libgcrypt 1.8.4, the C implementation of AES is vulnerable to a flush-and-reload side-channel attack because physical addresses are available to other processes. (The C implementation is used on platforms where an assembly-language implementation is unavailable.) NOTE: the vendor's position is that the issue report cannot be validated because there is no description of an attack

Severity: MEDIUM (5.9) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

References:

Published: 2019-09-25
Modified: 2024-11-21

CVE-2019-13627

It was discovered that there was a ECDSA timing attack in the libgcrypt20 cryptographic library. Version affected: 1.8.4-5, 1.7.6-2+deb9u3, and 1.6.3-2+deb8u4. Versions fixed: 1.8.5-2 and 1.6.3-2+deb8u7.

Severity: MEDIUM (6.3) Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N

References:

Package gnupg2 updated to version 2.2.17-alt8 for branch p9 in task 239665.

Published: 2019-06-29

BDU:2019-02942

Уязвимость сетевого программного средства SKS Keyserver и программы для шифрования информации и создания электронных цифровых подписей GNU Privacy Guard (GnuPG), связанная с отсутствием проверки хостовых данных сертификата, позволяющая нарушителю вызвать отказ в обслуживании

Severity: HIGH (7.5) Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

CVE-2019-13050

Published: 2019-06-29
Modified: 2024-11-21

CVE-2019-13050

Interaction between the sks-keyserver code through 1.2.0 of the SKS keyserver network, and GnuPG through 2.2.16, makes it risky to have a GnuPG keyserver configuration line referring to a host on the SKS keyserver network. Retrieving data from this network may cause a persistent denial of service, because of a Certificate Spamming Attack.

Severity: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Package flac updated to version 1.3.3-alt1 for branch p9 in task 249557.

Published: 2017-03-14

BDU:2021-03353

Уязвимость функции read_metadata_vorbiscomment_() компонента src/libFLAC/stream_decoder.c аудиокодека FLAC, связанная с отсутствием освобождения ресурса после истечения действительного срока его эксплуатирования, позволяющая нарушителю вызвать отказ в обслуживании

Severity: MEDIUM (6.5) Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

References:

CVE-2017-6888

Published: 2018-04-26
Modified: 2024-11-21

CVE-2017-6888

An error in the "read_metadata_vorbiscomment_()" function (src/libFLAC/stream_decoder.c) in FLAC version 1.3.2 can be exploited to cause a memory leak via a specially crafted FLAC file.

Severity: MEDIUM (5.5) Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

References:

Package installer-feature-setup-plymouth updated to version 0.5.5-alt2 for branch p9 in task 249563.

Не включает plymouth без LUKS

Version: 2.1.0

Branch p9 update on 2020-04-10

ALT-BU-2020-3753-1

ALT-PU-2020-1687-1

Closed vulnerabilities

BDU:2020-01727

CVE-2019-12904

CVE-2019-13627

ALT-PU-2020-1688-1

Closed vulnerabilities

BDU:2019-02942

CVE-2019-13050

ALT-PU-2020-1697-1

Closed vulnerabilities

BDU:2021-03353

CVE-2017-6888

ALT-PU-2020-1698-1

Closed bugs

Bug #38328