Bugzilla – Bug 1221528
VUL-0: CVE-2018-25099: perl-CryptX: gcm_decrypt_verify() and chacha20poly1305_decrypt_verify() do not verify the tag
Last modified: 2024-04-20 16:04:53 UTC
In the CryptX module before 0.062 for Perl, gcm_decrypt_verify() and chacha20poly1305_decrypt_verify() do not verify the tag.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-25099
https://www.cve.org/CVERecord?id=CVE-2018-25099
https://github.com/DCIT/perl-CryptX/issues/47
https://github.com/libtom/libtomcrypt/pull/451
https://metacpan.org/dist/CryptX/changes
This affects Backports and Factory only:
openSUSE:Backports:SLE-15-SP5
openSUSE:Backports:SLE-15-SP6
openSUSE:Factory
Bug should be fixed in CryptX version 0.062.

[...]
0.062 2018-10-30
- fix #47 gcm_decrypt_verify + chacha20poly1305_decrypt_verify don't verify the tag - SERIOUS SECURITY BUG!
[...]

Oldest version shipped in openSUSE:Backports:SLE-15-SP2 : 0.068

But as there are additional fixes and no backwards incompatible changes, we can also update all code streams to the latest upstream version. Objections?
This is an autogenerated message for OBS integration: This bug (1221528) was mentioned in https://build.opensuse.org/request/show/1168005 Factory / perl-CryptX
Submission to Factory (just adding the CVE reference): 1168005
Submission to openSUSE:Backports: 1168343
-> Closing here.
This is an autogenerated message for OBS integration: This bug (1221528) was mentioned in https://build.opensuse.org/request/show/1168343 Backports:SLE-15-SP5 / perl-CryptX
openSUSE-SU-2024:0112-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 1221528
CVE References: CVE-2018-25099
JIRA References:
Sources used:
openSUSE Backports SLE-15-SP5 (src): perl-CryptX-0.80.0-bp155.2.3.1
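
The failure mode in the bug title, as an added regression check that is not part of the bug report or the CryptX project's own code: it encrypts a constructed message with both AEAD modes and confirms that gcm_decrypt_verify() and chacha20poly1305_decrypt_verify() return undef once the tag or the ciphertext has been altered. The key, nonce, header and message are constructed values, and flip_first_bit() is a helper introduced here.

```perl
#!/usr/bin/perl
# Added example: regression check for CVE-2018-25099 (not CryptX project code).
use strict;
use warnings;
use CryptX;
use Crypt::AuthEnc::GCM qw(gcm_encrypt_authenticate gcm_decrypt_verify);
use Crypt::AuthEnc::ChaCha20Poly1305
    qw(chacha20poly1305_encrypt_authenticate chacha20poly1305_decrypt_verify);

# Constructed sample inputs, used only by this check.
my $key   = 'K' x 32;    # 256-bit key
my $iv    = 'N' x 12;    # 96-bit nonce
my $adata = 'header';    # associated data, authenticated but not encrypted
my $plain = 'constructed test message';

# Hypothetical helper: copy of $bytes with the lowest bit of byte 0 flipped.
sub flip_first_bit {
    my ($bytes) = @_;
    substr($bytes, 0, 1) = chr(ord(substr($bytes, 0, 1)) ^ 0x01);
    return $bytes;
}

my %aead = (
    'AES-GCM' => {
        enc => sub { gcm_encrypt_authenticate('AES', $key, $iv, $adata, $_[0]) },
        dec => sub { gcm_decrypt_verify('AES', $key, $iv, $adata, @_) },
    },
    'ChaCha20-Poly1305' => {
        enc => sub { chacha20poly1305_encrypt_authenticate($key, $iv, $adata, $_[0]) },
        dec => sub { chacha20poly1305_decrypt_verify($key, $iv, $adata, @_) },
    },
);

my $failures = 0;
for my $name (sort keys %aead) {
    my ($ct, $tag) = $aead{$name}{enc}->($plain);
    my $good    = $aead{$name}{dec}->($ct, $tag);
    my $bad_tag = $aead{$name}{dec}->($ct, flip_first_bit($tag));
    my $bad_ct  = $aead{$name}{dec}->(flip_first_bit($ct), $tag);

    my $ok = defined $good && $good eq $plain    # valid tag decrypts
          && !defined $bad_tag                   # altered tag is rejected
          && !defined $bad_ct;                   # altered ciphertext is rejected
    printf "%-18s %s\n", $name, $ok ? 'ok' : 'FAIL (tag not verified)';
    $failures++ unless $ok;
}
print "CryptX version: $CryptX::VERSION\n";
exit($failures ? 1 : 0);
```

The script exits non-zero if either function returns data for an altered tag or ciphertext, so it can be run against the installed package after an update.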