|
Bugzilla – Full Text Bug Listing |
| Summary: | VUL-0: CVE-2015-8313: gnutls: First byte of the padding in CBC mode is not checked | ||
|---|---|---|---|
| Product: | [Novell Products] SUSE Security Incidents | Reporter: | Marcus Meissner <meissner> |
| Component: | Incidents | Assignee: | Security Team bot <security-team> |
| Status: | RESOLVED FIXED | QA Contact: | Security Team bot <security-team> |
| Severity: | Normal | ||
| Priority: | P5 - None | CC: | astieger, smash_bz, vcizek |
| Version: | unspecified | ||
| Target Milestone: | --- | ||
| Hardware: | Other | ||
| OS: | Other | ||
| URL: | https://smash.suse.de/issue/159295/ | ||
| Whiteboard: | CVSSv2:SUSE:CVE-2015-8313:2.6:(AV:N/AC:H/Au:N/C:P/I:N/A:N) CVSSv2:RedHat:CVE-2015-8313:2.6:(AV:N/AC:H/Au:N/C:P/I:N/A:N) | ||
| Found By: | Security Response Team | Services Priority: | |
| Business Priority: | Blocker: | --- | |
| Marketing QA Status: | --- | IT Deployment: | --- |
| Attachments: | 42_CVE-2015-8313.diff | ||
|
Description
Marcus Meissner
2015-12-02 12:45:53 UTC
Created attachment 658081 [details]
42_CVE-2015-8313.diff
debian patch
SLE12 with gnutls 3.2.15 has slightly different code and is fixed. SLES 10 , SLES 11 are affected. (actually SLES 12 is fixed better as it has a constant time padding check, which the old code does not have) Issue is related to CVE-2013-1619. https://blog.hboeck.de/archives/877-A-little-POODLE-left-in-GnuTLS-old-versions.html SLE-11 code omits two bytes: 561 if (ver >= GNUTLS_TLS1 && pad_failed == 0) 562 for (i = 2; i < pad; i++) An update workflow for this issue was started. This issue was rated as "moderate". Please submit fixed packages until "Dec. 16, 2015". When done, reassign the bug to "security-team@suse.de". /update/121076/. An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2015-12-16. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/62360 An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2015-12-16. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/62361 An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2015-12-16. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/62362 SUSE-SU-2016:0077-1: An update that solves two vulnerabilities and has one errata is now available. Category: security (moderate) Bug References: 924828,947271,957568 CVE References: CVE-2015-2806,CVE-2015-8313 Sources used: SUSE Linux Enterprise Software Development Kit 11-SP4 (src): gnutls-2.4.1-24.39.60.1 SUSE Linux Enterprise Software Development Kit 11-SP3 (src): gnutls-2.4.1-24.39.60.1 SUSE Linux Enterprise Server for VMWare 11-SP3 (src): gnutls-2.4.1-24.39.60.1 SUSE Linux Enterprise Server 11-SP4 (src): gnutls-2.4.1-24.39.60.1 SUSE Linux Enterprise Server 11-SP3 (src): gnutls-2.4.1-24.39.60.1 SUSE Linux Enterprise High Availability Extension 11-SP4 (src): gnutls-2.4.1-24.39.60.1 SUSE Linux Enterprise High Availability Extension 11-SP3 (src): gnutls-2.4.1-24.39.60.1 SUSE Linux Enterprise Desktop 11-SP4 (src): gnutls-2.4.1-24.39.60.1 SUSE Linux Enterprise Desktop 11-SP3 (src): gnutls-2.4.1-24.39.60.1 SUSE Linux Enterprise Debuginfo 11-SP4 (src): gnutls-2.4.1-24.39.60.1 SUSE Linux Enterprise Debuginfo 11-SP3 (src): gnutls-2.4.1-24.39.60.1 |