CVE-2019-5152

NameCVE-2019-5152
DescriptionAn exploitable information disclosure vulnerability exists in the network packet handling functionality of Shadowsocks-libev 3.3.2. When utilizing a Stream Cipher, a specially crafted set of network packets can cause an outbound connection from the server, resulting in information disclosure. An attacker can send arbitrary packets to trigger this vulnerability.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severitymedium

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
shadowsocks-libev (PTS)stretch (security), stretch2.6.3+ds-3+deb9u1vulnerable
buster3.2.5+ds-1vulnerable
bullseye, sid3.3.4+ds-4vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
shadowsocks-libevsource(unstable)(unfixed)unimportant

Notes

https://talosintelligence.com/vulnerability_reports/TALOS-2019-0942
https://github.com/shadowsocks/shadowsocks-libev/issues/2525
Upstream has no plan to remove stream ciphers as per
https://github.com/shadowsocks/shadowsocks-libev/issues/2525#issuecomment-557551274
Documented insecure use case provided for backwards compatibility.

Search for package or bug name: Reporting problems