Bugzilla – Bug 1172389
VUL-0: CVE-2020-13757: python-rsa: ignoring leading '\0' bytes during decryption of ciphertext
Last modified: 2023-01-13 08:19:42 UTC
CVE-2020-13757 Python-RSA 4.0 ignores leading '\0' bytes during decryption of ciphertext. This could conceivably have a security-relevant impact, e.g., by helping an attacker to infer that an application uses Python-RSA, or if the length of accepted ciphertext affects application behavior (such as by causing excessive memory allocation). References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-13757 https://github.com/sybrenstuvel/python-rsa/issues/146 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13757
Tracked SLE12, Cloud8,9 and SLE15 as affected. The fix can be found at [1] [1] https://github.com/sybrenstuvel/python-rsa/commit/3283b1284475cf6c79a7329aee8bd7443cc72672
The following packages are still affected: - SUSE:SLE-12-SP3:Update:Products:Cloud8:Update/python-rsa 3.4.2 - SUSE:SLE-12-SP4:Update:Products:Cloud9:Update/python-rsa 3.4.2 - SUSE:SLE-12:Update/python-rsa 3.1.4 - SUSE:SLE-15:Update/python-rsa 3.4.2 Please apply the upstream patch [0]. [0] https://github.com/sybrenstuvel/python-rsa/commit/93af6f2f89a9bf28361e67716c4240e691520f30.patch
SUSE-SU-2021:2008-1: An update that fixes one vulnerability is now available. Category: security (important) Bug References: 1172389 CVE References: CVE-2020-13757 JIRA References: Sources used: SUSE Manager Server 4.0 (src): python-rsa-3.4.2-3.4.1 SUSE Manager Retail Branch Server 4.0 (src): python-rsa-3.4.2-3.4.1 SUSE Manager Proxy 4.0 (src): python-rsa-3.4.2-3.4.1 SUSE Linux Enterprise Server for SAP 15-SP1 (src): python-rsa-3.4.2-3.4.1 SUSE Linux Enterprise Server 15-SP1-LTSS (src): python-rsa-3.4.2-3.4.1 SUSE Linux Enterprise Server 15-SP1-BCL (src): python-rsa-3.4.2-3.4.1 SUSE Linux Enterprise Module for Public Cloud 15 (src): python-rsa-3.4.2-3.4.1 SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP3 (src): python-rsa-3.4.2-3.4.1 SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP2 (src): python-rsa-3.4.2-3.4.1 SUSE Linux Enterprise Module for Basesystem 15-SP3 (src): python-rsa-3.4.2-3.4.1 SUSE Linux Enterprise Module for Basesystem 15-SP2 (src): python-rsa-3.4.2-3.4.1 SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src): python-rsa-3.4.2-3.4.1 SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src): python-rsa-3.4.2-3.4.1 SUSE Enterprise Storage 6 (src): python-rsa-3.4.2-3.4.1 SUSE CaaS Platform 4.0 (src): python-rsa-3.4.2-3.4.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2021:0901-1: An update that fixes one vulnerability is now available. Category: security (important) Bug References: 1172389 CVE References: CVE-2020-13757 JIRA References: Sources used: openSUSE Leap 15.2 (src): python-rsa-3.4.2-lp152.4.3.1
SUSE-SU-2021:2237-1: An update that fixes one vulnerability is now available. Category: security (important) Bug References: 1172389 CVE References: CVE-2020-13757 JIRA References: Sources used: SUSE OpenStack Cloud 7 (src): python-rsa-3.1.4-12.16.1 SUSE Linux Enterprise Module for Public Cloud 12 (src): python-rsa-3.1.4-12.16.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2021:2253-1: An update that fixes one vulnerability is now available. Category: security (important) Bug References: 1172389 CVE References: CVE-2020-13757 JIRA References: Sources used: SUSE OpenStack Cloud Crowbar 9 (src): python-rsa-3.4.2-4.4.1 SUSE OpenStack Cloud 9 (src): python-rsa-3.4.2-4.4.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2021:2008-1: An update that fixes one vulnerability is now available. Category: security (important) Bug References: 1172389 CVE References: CVE-2020-13757 JIRA References: Sources used: openSUSE Leap 15.3 (src): python-rsa-3.4.2-3.4.1
SUSE-SU-2022:3287-1: An update that fixes one vulnerability is now available. Category: security (important) Bug References: 1172389 CVE References: CVE-2020-13757 JIRA References: Sources used: SUSE OpenStack Cloud Crowbar 8 (src): python-rsa-3.4.2-3.3.1 SUSE OpenStack Cloud 8 (src): python-rsa-3.4.2-3.3.1 HPE Helion Openstack 8 (src): python-rsa-3.4.2-3.3.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.