CVE-2020-25657

Name: CVE-2020-25657
Description: A flaw was found in all released versions of m2crypto, where they are vulnerable to Bleichenbacher timing attacks in the RSA decryption API via the timed processing of valid PKCS#1 v1.5 Ciphertext. The highest threat from this vulnerability is to confidentiality.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs: 975002

Vulnerable and fixed packages

The table below lists information on source packages.

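| Source Package | Release | Version | Status |
|---|---|---|---|
| m2crypto (PTS) | buster | 0.31.0-4+deb10u2 | vulnerable |
| m2crypto | bullseye | 0.37.1-2 | vulnerable |
| m2crypto | bookworm | 0.38.0-4 | fixed |
| m2crypto | trixie | 0.40.1-1 | fixed |
| m2crypto | sid | 0.40.1-3 | fixed |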

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| m2crypto | source | (unstable) | 0.38.0-4 | | | 975002 |

Notes

[bullseye] - m2crypto <no-dsa> (Minor issue)
[buster] - m2crypto <no-dsa> (Minor issue)
[stretch] - m2crypto <no-dsa> (Minor issue)
https://bugzilla.redhat.com/show_bug.cgi?id=1889823
https://gitlab.com/m2crypto/m2crypto/-/issues/285
https://gitlab.com/m2crypto/m2crypto/-/issues/282 (restricted)
https://gitlab.com/m2crypto/m2crypto/-/commit/84c53958def0f510e92119fca14d74f94215827a
