CVE-2013-1623

NameCVE-2013-1623
DescriptionThe TLS and DTLS implementations in wolfSSL CyaSSL before 2.5.0 do not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169.
SourceCVE (at NVD; oss-sec, fulldisc, OSVDB, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, more)
ReferencesDSA-2780-1
NVD severitymedium (attack range: remote)
Debian Bugs699886
Debian/oldoldstablenot vulnerable.
Debian/oldstablenot vulnerable.
Debian/stablenot vulnerable.
Debian/testingnot vulnerable.
Debian/unstablenot vulnerable.

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
cyassl (PTS)sid2.9.4+dfsg-3fixed
mysql-5.1 (PTS)squeeze, squeeze (security)5.1.73-1fixed
squeeze (lts)5.1.73-1+deb6u1fixed
mysql-5.5 (PTS)wheezy5.5.40-0+wheezy1fixed
wheezy (security)5.5.43-0+deb7u1fixed
stretch, sid, jessie5.5.42-1fixed
jessie (security)5.5.43-0+deb8u1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
cyasslsource(unstable)(not affected)
mysql-5.1source(unstable)(unfixed)medium
mysql-5.1sourcesqueeze5.1.72-2mediumDSA-2780-1
mysql-5.5source(unstable)5.5.30+dfsg-1.1medium699886

Notes

- cyassl <not-affected> (Fixed before initial upload to archive)
cyassl: fixed upstream in 2.5.0

Search for package or bug name: Reporting problems