SUSE update for python-M2Crypto



Published: 2022-08-06
Risk Medium
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2020-25657
CWE-ID CWE-208
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe
SUSE Manager Retail Branch Server
Operating systems & Components / Operating system

SUSE Manager Server
Operating systems & Components / Operating system

SUSE Manager Proxy
Operating systems & Components / Operating system

SUSE Linux Enterprise Module for Basesystem
Operating systems & Components / Operating system

SUSE Linux Enterprise Desktop
Operating systems & Components / Operating system

SUSE Linux Enterprise Server
Operating systems & Components / Operating system

openSUSE Leap
Operating systems & Components / Operating system

SUSE Linux Enterprise Server for SAP Applications
Operating systems & Components / Operating system

SUSE Linux Enterprise High Performance Computing
Operating systems & Components / Operating system

python-M2Crypto-doc
Operating systems & Components / Operating system package or component

python3-M2Crypto-debuginfo
Operating systems & Components / Operating system package or component

python3-M2Crypto
Operating systems & Components / Operating system package or component

python-M2Crypto-debugsource
Operating systems & Components / Operating system package or component

Vendor SuSE

Security Bulletin

This security bulletin contains one medium risk vulnerability.

1) Information Exposure Through Timing Discrepancy

EUVDB-ID: #VU65771

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-25657

CWE-ID: CWE-208 - Information Exposure Through Timing Discrepancy

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to possibility of the Bleichenbacher timing attack in the RSA decryption API via the timed processing of valid PKCS#1 v1.5 Ciphertext. A remote attacker can gain access to sensitive information.

Mitigation

Update the affected package python-M2Crypto to the latest version.

Vulnerable software versions

SUSE Manager Retail Branch Server: 4.3

SUSE Manager Server: 4.3

SUSE Manager Proxy: 4.3

SUSE Linux Enterprise Module for Basesystem: 15-SP4

SUSE Linux Enterprise Desktop: 15-SP4

SUSE Linux Enterprise Server: 15-SP4

openSUSE Leap: 15.4

SUSE Linux Enterprise Server for SAP Applications: 15-SP4

SUSE Linux Enterprise High Performance Computing: 15-SP4

python-M2Crypto-doc: before 0.38.0-150400.3.6.1

python3-M2Crypto-debuginfo: before 0.38.0-150400.3.6.1

python3-M2Crypto: before 0.38.0-150400.3.6.1

python-M2Crypto-debugsource: before 0.38.0-150400.3.6.1


CPE2.3 External links

http://www.suse.com/support/update/announcement/2022/suse-su-20222691-1/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###