[Git][security-tracker-team/security-tracker][master] 2 commits: CVE-2022-46392,mbedtls: mark Buster as postponed
Markus Koschany (@apo)
apo at debian.org
Sun Dec 25 23:27:51 GMT 2022
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker
Commits:
a1370ab8 by Markus Koschany at 2022-12-25T22:52:27+01:00
CVE-2022-46392,mbedtls: mark Buster as postponed
Minor issue because an attacker must be able to observe the victim performing a
single private-key operation / control the entire operating system, which is very hard to achieve.
The vulnerable code is most likely in library/bignum.c.
- - - - -
3d87aedf by Markus Koschany at 2022-12-26T00:27:38+01:00
Reserve DLA-3249-1 for mbedtls
- - - - -
3 changed files:
- data/CVE/list
- data/DLA/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -5765,7 +5765,9 @@ CVE-2022-46393 (An issue was discovered in Mbed TLS before 2.28.2 and 3.x before
NOTE: Fixed by https://github.com/Mbed-TLS/mbedtls/commit/f385fcebee017973cf4137333628a78248f1f443
CVE-2022-46392 (An issue was discovered in Mbed TLS before 2.28.2 and 3.x before 3.3.0 ...)
- mbedtls 2.28.2-1
+ [buster] - mbedtls <postponed> (Minor issue)
NOTE: https://github.com/Mbed-TLS/mbedtls/releases/tag/v2.28.2
+ NOTE: Issue is most likely related to library/bignum.c and the mbedtls_mpi_exp_mod function.
CVE-2022-46391 (AWStats 7.x through 7.8 allows XSS in the hostinfo plugin due to print ...)
{DLA-3225-1}
- awstats 7.8-3 (bug #1025410)
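Review bot: the NOTE added for CVE-2022-46392 names library/bignum.c and mbedtls_mpi_exp_mod only as a guess ("most likely"), while the neighbouring CVE-2022-46393 entry pins the upstream fix with `NOTE: Fixed by https://github.com/Mbed-TLS/mbedtls/commit/...`. Once the fixing commit for 2.28.2 is identified, replace the speculative NOTE with a `Fixed by` link so a later buster backport can be checked against a concrete change rather than a function name. The `<postponed>` tag itself matches the "Minor issue" rationale given in the commit message.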
@@ -107695,30 +107697,24 @@ CVE-2020-36427 (GNOME gThumb before 3.10.1 allows an application crash via a mal
NOTE: Crash in CLI tool, no security impact
CVE-2020-36426 (An issue was discovered in Arm Mbed TLS before 2.24.0. mbedtls_x509_cr ...)
- mbedtls 2.16.9-0.1
- [buster] - mbedtls <no-dsa> (Minor issue)
[stretch] - mbedtls <no-dsa> (Minor issue)
CVE-2020-36425 (An issue was discovered in Arm Mbed TLS before 2.24.0. It incorrectly ...)
- mbedtls 2.16.9-0.1
- [buster] - mbedtls <no-dsa> (Minor issue)
[stretch] - mbedtls <no-dsa> (Minor issue)
NOTE: https://github.com/ARMmbed/mbedtls/issues/3340
NOTE: https://github.com/ARMmbed/mbedtls/pull/3433
CVE-2020-36424 (An issue was discovered in Arm Mbed TLS before 2.24.0. An attacker can ...)
- mbedtls 2.16.9-0.1
- [buster] - mbedtls <no-dsa> (Minor issue)
[stretch] - mbedtls <no-dsa> (Minor issue)
NOTE: https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2020-09-2
CVE-2020-36423 (An issue was discovered in Arm Mbed TLS before 2.23.0. A remote attack ...)
- mbedtls 2.16.9-0.1
- [buster] - mbedtls <no-dsa> (Minor issue)
[stretch] - mbedtls <no-dsa> (Minor issue)
CVE-2020-36422 (An issue was discovered in Arm Mbed TLS before 2.23.0. A side channel ...)
- mbedtls 2.16.9-0.1
- [buster] - mbedtls <no-dsa> (Minor issue)
[stretch] - mbedtls <no-dsa> (Minor issue)
CVE-2020-36421 (An issue was discovered in Arm Mbed TLS before 2.23.0. Because of a si ...)
- mbedtls 2.16.9-0.1
- [buster] - mbedtls <no-dsa> (Minor issue)
[stretch] - mbedtls <no-dsa> (Minor issue)
NOTE: https://github.com/ARMmbed/mbedtls/issues/3394
CVE-2021-36774 (Apache Kylin allows users to read data from other database systems usi ...)
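Review bot: clearing the buster `<no-dsa>` tag for CVE-2020-36421 through CVE-2020-36426 is the expected follow-up to the DLA reservation, but none of these six entries gains a `{DLA-3249-1}` cross-reference line of the kind CVE-2021-24119 carries as `{DLA-2826-1}` further down in this file. If that line is added by the DLA publication step, fine; otherwise these entries (and the other mbedtls entries touched in this push) should get `{DLA-3249-1}` so the tracker links them to the advisory.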
@@ -139630,7 +139626,6 @@ CVE-2021-24119 (In Trusted Firmware Mbed TLS 2.24.0, a side-channel vulnerabilit
{DLA-2826-1}
- mbedtls 2.16.11-0.1
[bullseye] - mbedtls <no-dsa> (Minor issue)
- [buster] - mbedtls <no-dsa> (Minor issue)
NOTE: Fixed in 2.26.0: https://github.com/ARMmbed/mbedtls/releases/tag/v2.26.0
CVE-2021-24118
RESERVED
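Review bot: for CVE-2021-24119 the unstable fix is 2.16.11-0.1 and the NOTE says "Fixed in 2.26.0", but DLA-3249-1 ships 2.16.9-0~deb10u1 for buster, so this CVE is not covered by the version bump alone and must come from a cherry-picked patch. Record the backported upstream commit in a NOTE next to the existing "Fixed in 2.26.0" link, as the `Fixed by` links elsewhere in this file do, so a reviewer can confirm the buster package actually contains it.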
@@ -188531,7 +188526,6 @@ CVE-2020-16151
RESERVED
CVE-2020-16150 (A Lucky 13 timing side channel in mbedtls_ssl_decrypt_buf in library/s ...)
- mbedtls 2.16.9-0.1 (bug #972806)
- [buster] - mbedtls <no-dsa> (Minor issue)
[stretch] - mbedtls <no-dsa> (Minor issue)
NOTE: https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2020-09-1
CVE-2020-16149
@@ -204034,7 +204028,6 @@ CVE-2020-10942 (In the Linux kernel before 5.5.8, get_raw_socket in drivers/vhos
NOTE: https://git.kernel.org/linus/42d84c8490f9f0931786f1623191fcab397c3d64 (5.6-rc4)
CVE-2020-10941 (Arm Mbed TLS before 2.16.5 allows attackers to obtain sensitive inform ...)
- mbedtls 2.16.5-1
- [buster] - mbedtls <no-dsa> (Minor issue)
[stretch] - mbedtls <no-dsa> (Minor issue)
NOTE: https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2020-02
CVE-2020-10940 (Local Privilege Escalation can occur in PHOENIX CONTACT PORTICO SERVER ...)
@@ -204078,7 +204071,6 @@ CVE-2020-10933 (An issue was discovered in Ruby 2.5.x through 2.5.7, 2.6.x throu
NOTE: and https://github.com/ruby/ruby/commit/ba5eb6458a7e9a41ee76cfe45b84f997600681dc
CVE-2020-10932 (An issue was discovered in Arm Mbed TLS before 2.16.6 and 2.7.x before ...)
- mbedtls 2.16.9-0.1 (bug #963159)
- [buster] - mbedtls <no-dsa> (Minor issue)
[stretch] - mbedtls <no-dsa> (Minor issue)
NOTE: https://tls.mbed.org/tech-updates/releases/mbedtls-2.16.6-and-2.7.15-released
NOTE: https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2020-04
@@ -234750,7 +234742,6 @@ CVE-2019-18223 (ZOOM International Call Recording 6.3.1 suffers from multiple au
NOT-FOR-US: ZOOM International Call Recording
CVE-2019-18222 (The ECDSA signature implementation in ecdsa.c in Arm Mbed Crypto 2.1 a ...)
- mbedtls 2.16.4-1
- [buster] - mbedtls <no-dsa> (Minor issue)
[stretch] - mbedtls <no-dsa> (Minor issue)
NOTE: https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2019-12
NOTE: Fixed upstream in 2.20.0, 2.16.4 and 2.7.13
@@ -239198,7 +239189,6 @@ CVE-2019-16911
RESERVED
CVE-2019-16910 (Arm Mbed TLS before 2.19.0 and Arm Mbed Crypto before 2.0.0, when dete ...)
- mbedtls 2.16.3-1 (bug #941265)
- [buster] - mbedtls <no-dsa> (Minor issue)
[stretch] - mbedtls <no-dsa> (Minor issue)
- polarssl <removed>
[jessie] - polarssl <no-dsa> (Minor issue, backport intrusive because of API changes)
=====================================
data/DLA/list
=====================================
@@ -1,3 +1,6 @@
+[26 Dec 2022] DLA-3249-1 mbedtls - security update
+ {CVE-2019-16910 CVE-2019-18222 CVE-2020-10932 CVE-2020-10941 CVE-2020-16150 CVE-2020-36421 CVE-2020-36422 CVE-2020-36423 CVE-2020-36424 CVE-2020-36425 CVE-2020-36426 CVE-2020-36475 CVE-2020-36476 CVE-2020-36478 CVE-2021-24119 CVE-2021-43666 CVE-2021-44732 CVE-2022-35409}
+ [buster] - mbedtls 2.16.9-0~deb10u1
[24 Dec 2022] DLA-3248-1 libksba - security update
{CVE-2022-47629}
[buster] - libksba 1.3.5-2+deb10u2
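Review bot: the new DLA-3249-1 entry lists 18 CVEs, but the data/CVE/list hunks in this push clear the buster `<no-dsa>` tag for only 12 of them (CVE-2019-16910, CVE-2019-18222, CVE-2020-10932, CVE-2020-10941, CVE-2020-16150, CVE-2020-36421 to CVE-2020-36426 and CVE-2021-24119). CVE-2020-36475, CVE-2020-36476, CVE-2020-36478, CVE-2021-43666, CVE-2021-44732 and CVE-2022-35409 are not touched here; please double-check that their buster lines carry no leftover `<no-dsa>` or `<postponed>` tag, since this diff does not show them.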
=====================================
data/dla-needed.txt
=====================================
@@ -140,9 +140,6 @@ man2html
NOTE: 20221004: It looks like not patch is available.
NOTE: 20221004: Please evalulate, whether the issue can be marked as <ignored>.
--
-mbedtls (Markus Koschany)
- NOTE: 20220821: Programming language: C.
---
modsecurity-crs
NOTE: 20221006: Programming language: Other.
NOTE: 20221006: Maintainer notes: Please contact maintainer. Consider uploading of newer version.
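Review bot: dropping the mbedtls block from dla-needed.txt is consistent with the DLA-3249-1 reservation; the only note it carried was the programming-language marker, so nothing is lost. Drive-by: the adjacent man2html context lines read "It looks like not patch is available" and "Please evalulate" ("no patch", "evaluate"); both typos are worth fixing in a separate commit.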
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/3707a9802f801ac1a818d444bb15e4821d81f29e...3d87aedfa44c5c3fce17b58a7512d0a542172756