Bugzilla – Bug 1185084
VUL-0: CVE-2021-21373: nim: "nimble refresh" falls back to a non-TLS URL in case of error
Last modified: 2022-09-12 14:32:57 UTC
rh#1951711 Nimble is a package manager for the Nim programming language. In Nim release versions before versions 1.2.10 and 1.4.4, "nimble refresh" fetches a list of Nimble packages over HTTPS by default. In case of error it falls back to a non-TLS URL http://irclogs.nim-lang.org/packages.json. An attacker able to perform MitM can deliver a modified package list containing malicious software packages. If the packages are installed and used the attack escalates to untrusted code execution. https://consensys.net/diligence/vulnerabilities/nim-insecure-ssl-tls-defaults-remote-code-execution/ https://github.com/nim-lang/nimble/blob/master/changelog.markdown#0130 https://github.com/nim-lang/security/security/advisories/GHSA-8w52-r35x-rgp8 References: https://bugzilla.redhat.com/show_bug.cgi?id=1951711 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-21373 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21373 https://github.com/nim-lang/security/security/advisories/GHSA-8w52-r35x-rgp8 https://github.com/nim-lang/nimble/blob/master/changelog.markdown#0130 https://consensys.net/diligence/vulnerabilities/nim-insecure-ssl-tls-defaults-remote-code-execution/
affects Factory and Leap
This is an autogenerated message for OBS integration: This bug (1185084) was mentioned in https://build.opensuse.org/request/show/887450 Factory / nim
This is an autogenerated message for OBS integration: This bug (1185084) was mentioned in https://build.opensuse.org/request/show/887465 15.2 / nim
openSUSE-SU-2021:0618-1: An update that fixes three vulnerabilities is now available. Category: security (moderate) Bug References: 1185083,1185084,1185085 CVE References: CVE-2021-21372,CVE-2021-21373,CVE-2021-21374 JIRA References: Sources used: openSUSE Leap 15.2 (src): nim-1.2.12-lp152.2.3.1
openSUSE-SU-2021:0628-1: An update that fixes three vulnerabilities is now available. Category: security (moderate) Bug References: 1185083,1185084,1185085 CVE References: CVE-2021-21372,CVE-2021-21373,CVE-2021-21374 JIRA References: Sources used: openSUSE Backports SLE-15-SP2 (src): nim-1.2.12-bp152.4.3.1
Codestream Vers. Request ---------------------------------------------------------------------- Leap:15.1:Update 0.19.6 EOL [4] Leap:15.2:Update 1.2.12 EOL [4] Backports:SLE-15:Update 0.19.6 EOL [4] Backports:SLE-15-SP1:Update 0.19.6 EOL [4] Backports:SLE-15-SP2:Update 1.2.12 EOL [4] Backports:SLE-15-SP3:Update 0.19.6 -> 1.6.6 [1] Backports:SLE-15-SP4:Update 1.2.12 -> 1.6.6 [1] Factory 1.6.6 [3] (already there, make the CVE explicitly in changelog) [1] https://build.opensuse.org/request/show/994306 [2] https://build.opensuse.org/request/show/994305 [3] https://build.opensuse.org/request/show/994303 [4] We are still building up-to-date packages for all Leap and SLE >= 15 in the development project: * https://build.opensuse.org/package/show/devel:languages:misc/nim
openSUSE-SU-2022:10095-1: An update that fixes 9 vulnerabilities is now available. Category: security (important) Bug References: 1175332,1175333,1175334,1181705,1185083,1185084,1185085,1185948,1192712 CVE References: CVE-2020-15690,CVE-2020-15692,CVE-2020-15693,CVE-2020-15694,CVE-2021-21372,CVE-2021-21373,CVE-2021-21374,CVE-2021-29495,CVE-2021-41259 JIRA References: Sources used: openSUSE Backports SLE-15-SP3 (src): nim-1.6.6-bp153.2.3.1
openSUSE-SU-2022:10101-1: An update that fixes 9 vulnerabilities is now available. Category: security (important) Bug References: 1175332,1175333,1175334,1181705,1185083,1185084,1185085,1185948,1192712 CVE References: CVE-2020-15690,CVE-2020-15692,CVE-2020-15693,CVE-2020-15694,CVE-2021-21372,CVE-2021-21373,CVE-2021-21374,CVE-2021-29495,CVE-2021-41259 JIRA References: Sources used: openSUSE Backports SLE-15-SP4 (src): nim-1.6.6-bp154.2.3.1
All done. Assigning back to security.