CVE-2020-25657

Name: CVE-2020-25657
Description: A flaw was found in all released versions of m2crypto, where they are vulnerable to Bleichenbacher timing attacks in the RSA decryption API via the timed processing of valid PKCS#1 v1.5 Ciphertext. The highest threat from this vulnerability is to confidentiality.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severity: medium
Debian Bugs: 975002

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| m2crypto (PTS) | stretch | 0.24.0-1.1 | vulnerable |
| m2crypto | buster | 0.31.0-4+deb10u2 | vulnerable |
| m2crypto | bullseye, sid | 0.37.1-2 | vulnerable |

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| m2crypto | source | (unstable) | (unfixed) | | | 975002 |

Notes

[bullseye] - m2crypto <no-dsa> (Minor issue)
[buster] - m2crypto <no-dsa> (Minor issue)
[stretch] - m2crypto <no-dsa> (Minor issue)
https://bugzilla.redhat.com/show_bug.cgi?id=1889823
https://gitlab.com/m2crypto/m2crypto/-/issues/285
https://gitlab.com/m2crypto/m2crypto/-/issues/282 (restricted)
