Bug 1185085 - (CVE-2021-21374) VUL-0: CVE-2021-21374: nim: Improper verification of the SSL/TLS certificate
(CVE-2021-21374)
VUL-0: CVE-2021-21374: nim: Improper verification of the SSL/TLS certificate
Status: IN_PROGRESS
: 1181849 (view as bug list)
Classification: openSUSE
Product: openSUSE Distribution
Classification: openSUSE
Component: Security
Leap 15.3
Other Other
: P3 - Medium : Normal (vote)
: ---
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/280576/
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2021-04-21 11:29 UTC by Robert Frohl
Modified: 2022-09-14 16:55 UTC (History)
3 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Robert Frohl 2021-04-21 11:29:26 UTC
rh#1951717

Nimble is a package manager for the Nim programming language. In Nim release versions before versions 1.2.10 and 1.4.4, "nimble refresh" fetches a list of Nimble packages over HTTPS without full verification of the SSL/TLS certificate due to the default setting of httpClient. An attacker able to perform MitM can deliver a modified package list containing malicious software packages. If the packages are installed and used the attack escalates to untrusted code execution.

https://consensys.net/diligence/vulnerabilities/nim-insecure-ssl-tls-defaults-remote-code-execution/
https://github.com/nim-lang/Nim/pull/16940
https://github.com/nim-lang/nimble/blob/master/changelog.markdown#0130
https://github.com/nim-lang/security/security/advisories/GHSA-c2wm-v66h-xhxx

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1951717
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-21374
https://github.com/nim-lang/Nim/pull/16940
https://github.com/nim-lang/nimble/blob/master/changelog.markdown#0130
https://github.com/nim-lang/security/security/advisories/GHSA-c2wm-v66h-xhxx
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21374
https://consensys.net/diligence/vulnerabilities/nim-insecure-ssl-tls-defaults-remote-code-execution/
Comment 1 Robert Frohl 2021-04-21 11:30:01 UTC
affects Factory and Leap
Comment 2 OBSbugzilla Bot 2021-04-22 07:00:21 UTC
This is an autogenerated message for OBS integration:
This bug (1185085) was mentioned in
https://build.opensuse.org/request/show/887450 Factory / nim
Comment 3 OBSbugzilla Bot 2021-04-22 07:50:06 UTC
This is an autogenerated message for OBS integration:
This bug (1185085) was mentioned in
https://build.opensuse.org/request/show/887465 15.2 / nim
Comment 4 Swamp Workflow Management 2021-04-25 22:21:05 UTC
openSUSE-SU-2021:0618-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1185083,1185084,1185085
CVE References: CVE-2021-21372,CVE-2021-21373,CVE-2021-21374
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    nim-1.2.12-lp152.2.3.1
Comment 5 Swamp Workflow Management 2021-04-29 19:19:28 UTC
openSUSE-SU-2021:0628-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1185083,1185084,1185085
CVE References: CVE-2021-21372,CVE-2021-21373,CVE-2021-21374
JIRA References: 
Sources used:
openSUSE Backports SLE-15-SP2 (src):    nim-1.2.12-bp152.4.3.1
Comment 6 David Anes 2022-08-10 11:14:58 UTC
Codestream                  Vers.           Request
----------------------------------------------------------------------
Leap:15.1:Update            0.19.6 EOL [4]
Leap:15.2:Update            1.2.12 EOL [4]
Backports:SLE-15:Update     0.19.6 EOL [4]
Backports:SLE-15-SP1:Update 0.19.6 EOL [4]
Backports:SLE-15-SP2:Update 1.2.12 EOL [4]
Backports:SLE-15-SP3:Update 0.19.6 -> 1.6.6 [1]
Backports:SLE-15-SP4:Update 1.2.12 -> 1.6.6 [1]
Factory                     1.6.6 [3] (already there, make the CVE explicitly in changelog)

[1] https://build.opensuse.org/request/show/994306
[2] https://build.opensuse.org/request/show/994305
[3] https://build.opensuse.org/request/show/994303
[4] We are still building up-to-date packages for all Leap and SLE >= 15
in the development project:
* https://build.opensuse.org/package/show/devel:languages:misc/nim
Comment 7 Swamp Workflow Management 2022-08-24 07:16:36 UTC
openSUSE-SU-2022:10095-1: An update that fixes 9 vulnerabilities is now available.

Category: security (important)
Bug References: 1175332,1175333,1175334,1181705,1185083,1185084,1185085,1185948,1192712
CVE References: CVE-2020-15690,CVE-2020-15692,CVE-2020-15693,CVE-2020-15694,CVE-2021-21372,CVE-2021-21373,CVE-2021-21374,CVE-2021-29495,CVE-2021-41259
JIRA References: 
Sources used:
openSUSE Backports SLE-15-SP3 (src):    nim-1.6.6-bp153.2.3.1
Comment 8 Swamp Workflow Management 2022-08-27 16:16:25 UTC
openSUSE-SU-2022:10101-1: An update that fixes 9 vulnerabilities is now available.

Category: security (important)
Bug References: 1175332,1175333,1175334,1181705,1185083,1185084,1185085,1185948,1192712
CVE References: CVE-2020-15690,CVE-2020-15692,CVE-2020-15693,CVE-2020-15694,CVE-2021-21372,CVE-2021-21373,CVE-2021-21374,CVE-2021-29495,CVE-2021-41259
JIRA References: 
Sources used:
openSUSE Backports SLE-15-SP4 (src):    nim-1.6.6-bp154.2.3.1
Comment 9 David Anes 2022-09-12 14:31:50 UTC
All done. Assigning back to security.
Comment 10 David Anes 2022-09-14 16:55:24 UTC
*** Bug 1181849 has been marked as a duplicate of this bug. ***