Covert Timing Channel Affecting python3-M2Crypto package, versions <0.38.0-150400.3.6.1
Snyk CVSS
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-SLES154-PYTHON3M2CRYPTO-2976171
- published 6 Aug 2022
- disclosed 5 Aug 2022
Introduced: 5 Aug 2022
CVE-2020-25657 Open this link in a new tabHow to fix?
Upgrade SLES:15.4 python3-M2Crypto to version 0.38.0-150400.3.6.1 or higher.
NVD Description
Note: Versions mentioned in the description apply only to the upstream python3-M2Crypto package and not the python3-M2Crypto package as distributed by SLES.
See How to fix? for SLES:15.4 relevant fixed versions and status.
A flaw was found in all released versions of m2crypto, where they are vulnerable to Bleichenbacher timing attacks in the RSA decryption API via the timed processing of valid PKCS#1 v1.5 Ciphertext. The highest threat from this vulnerability is to confidentiality.
References
- https://www.suse.com/security/cve/CVE-2020-25657.html
- https://lists.suse.com/pipermail/sle-security-updates/2022-August/011812.html
- https://www.suse.com/support/update/announcement/2022/suse-su-20222691-1/
- https://bugzilla.suse.com/1178829
- https://bugzilla.suse.com/1218044
- https://www.suse.com/security/cve/CVE-2020-25657/
- https://www.suse.com/support/security/rating/
- https://bugzilla.redhat.com/show_bug.cgi?id=1889823
- https://access.redhat.com/errata/RHSA-2021:1169
- https://access.redhat.com/security/cve/CVE-2020-25657