DebianDEBIAN:DSA-4389-1:1C92B[SECURITY] [DSA 4389-1] libu2f-host security update
4.6 Medium
CVSS2
Attack Vector
LOCAL
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:L/AC:L/Au:N/C:P/I:P/A:P
6.8 Medium
CVSS3
Attack Vector
PHYSICAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.3 High
AI Score
Confidence
High
0.002 Low
EPSS
Percentile
56.7%
Debian Security Advisory DSA-4389-1 [email protected]
https://www.debian.org/security/ Sebastien Delafond
February 11, 2019 https://www.debian.org/security/faq
Package : libu2f-host
CVE ID : CVE-2018-20340
Debian Bug : 921725
Christian Reitter discovered that libu2f-host, a library implementing
the host-side of the U2F protocol, failed to properly check for a
buffer overflow. This would allow an attacker with a custom made
malicious USB device masquerading as a security key, and physical
access to a computer where PAM U2F or an application with libu2f-host
integrated, to potentially execute arbitrary code on that computer.
For the stable distribution (stretch), this problem has been fixed in
version 1.1.2-2+deb9u1.
We recommend that you upgrade your libu2f-host packages.
For the detailed security status of libu2f-host please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libu2f-host
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
Mailing list: [email protected]
| OS | Version | Architecture | Package | Version | Filename |
|---|---|---|---|---|---|
| Debian | 9 | armel | libu2f-host0-dbgsym | < 1.1.2-2+deb9u1 | libu2f-host0-dbgsym_1.1.2-2+deb9u1_armel.deb |
| Debian | 9 | armel | libu2f-host-dev | < 1.1.2-2+deb9u1 | libu2f-host-dev_1.1.2-2+deb9u1_armel.deb |
| Debian | 9 | s390x | libu2f-host-dev | < 1.1.2-2+deb9u1 | libu2f-host-dev_1.1.2-2+deb9u1_s390x.deb |
| Debian | 9 | mips | libu2f-host0 | < 1.1.2-2+deb9u1 | libu2f-host0_1.1.2-2+deb9u1_mips.deb |
| Debian | 9 | arm64 | libu2f-host0-dbgsym | < 1.1.2-2+deb9u1 | libu2f-host0-dbgsym_1.1.2-2+deb9u1_arm64.deb |
| Debian | 9 | s390x | libu2f-host0 | < 1.1.2-2+deb9u1 | libu2f-host0_1.1.2-2+deb9u1_s390x.deb |
| Debian | 9 | mips64el | libu2f-host-dev | < 1.1.2-2+deb9u1 | libu2f-host-dev_1.1.2-2+deb9u1_mips64el.deb |
| Debian | 9 | mips | libu2f-host0-dbgsym | < 1.1.2-2+deb9u1 | libu2f-host0-dbgsym_1.1.2-2+deb9u1_mips.deb |
| Debian | 9 | s390x | u2f-host | < 1.1.2-2+deb9u1 | u2f-host_1.1.2-2+deb9u1_s390x.deb |
| Debian | 9 | i386 | libu2f-host0 | < 1.1.2-2+deb9u1 | libu2f-host0_1.1.2-2+deb9u1_i386.deb |
Related
4.6 Medium
CVSS2
Attack Vector
LOCAL
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:L/AC:L/Au:N/C:P/I:P/A:P
6.8 Medium
CVSS3
Attack Vector
PHYSICAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.3 High
AI Score
Confidence
High
0.002 Low
EPSS
Percentile
56.7%