495 matches found
nss bug fix and enhancement update
An update is available for nss. This update affects Rocky Linux 9. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list Network Security Services NSS is a set of libraries designed to support the...
Fedora 40 : krb5 (2025-61b9344baf)
The remote Fedora 40 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2025-61b9344baf advisory. - Prevent overflow when calculating ulog block size CVE-2025-24528 - Support PKCS11 EC client certs in PKINIT - kdb5util: fix DB entry flags on modification ...
Fedora 41 : krb5 (2025-3e5228ee23)
The remote Fedora 41 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2025-3e5228ee23 advisory. - Prevent overflow when calculating ulog block size CVE-2025-24528 - Support PKCS11 EC client certs in PKINIT - kdb5util: fix DB entry flags on modification ...
Astra Linux – Vulnerability in Linux 6.1
In the Linux kernel, the following vulnerability has been resolved: crypto: ecdh – explicitly zeroes privatekey. The privatekey is overwritten with the key parameter passed in by the caller if present, or alternatively with a newly generated private key. However, it is possible that the caller...
Public Key Validation
secp256k1 is vulnerable to public key validation issues. The vulnerability is due to an implementation oversight in the secp256k1-node library, where the loadCompressedPublicKey function fails to verify if the public key is on the secp256k1 curve, allowing the use of invalid public keys from...
secp256k1-node allows private key extraction over ECDH
Summary In elliptic-based version, loadUncompressedPublicKey has a check that the public key is on the curve: https://github.com/cryptocoinjs/secp256k1-node/blob/6d3474b81d073cc9c8cc8cfadb580c84f8df5248/lib/elliptic.jsL37-L39 loadCompressedPublicKey is, however, missing that check:...
CVE-2024-48930 secp256k1-node vulnerable to private key extraction over ECDH
secp256k1-node is a Node.js binding for an Optimized C library for EC operations on curve secp256k1. In elliptic-based version, loadUncompressedPublicKey has a check that the public key is on the curve. Prior to versions 5.0.1, 4.0.4, and 3.8.1, however, loadCompressedPublicKey is missing that...
CVE-2024-48930 secp256k1-node vulnerable to private key extraction over ECDH
secp256k1-node is a Node.js binding for an Optimized C library for EC operations on curve secp256k1. In elliptic-based version, loadUncompressedPublicKey has a check that the public key is on the curve. Prior to versions 5.0.1, 4.0.4, and 3.8.1, however, loadCompressedPublicKey is missing that...
SUSE CVE-2024-42098
In the Linux kernel, the following vulnerability has been resolved: crypto: ecdh - explicitly zeroize privatekey privatekey is overwritten with the key parameter passed in by the caller if present, or alternatively a newly generated private key. However, it is possible that the caller provides a...
CVE-2024-42098
A flaw was found in the Linux Kernel's Elliptic Curve Diffie-Hellman functionality, where the privatekey is overwritten. In some special cases and when error path happens, this issue could allow leakage of this private key...
CVE-2024-42098
In the Linux kernel, the following vulnerability has been resolved: crypto: ecdh - explicitly zeroize privatekey privatekey is overwritten with the key parameter passed in by the caller if present, or alternatively a newly generated private key. However, it is possible that the caller provides a...
DEBIAN-CVE-2024-42098
In the Linux kernel, the following vulnerability has been resolved: crypto: ecdh - explicitly zeroize privatekey privatekey is overwritten with the key parameter passed in by the caller if present, or alternatively a newly generated private key. However, it is possible that the caller provides a...
CVE-2024-42098
In the Linux kernel, the following vulnerability has been resolved: crypto: ecdh - explicitly zeroize privatekey privatekey is overwritten with the key parameter passed in by the caller if present, or alternatively a newly generated private key. However, it is possible that the caller provides a...
CVE-2024-42098
The CVE-2024-42098 entry concerns the Linux kernel crypto/ecdh logic, where private_key can remain partially overwritten when a caller-supplied or newly generated key is shorter than the previous one. The documented fix explicitly zeroizes the entire private_key array before writing new material,...
CVE-2024-42098 crypto: ecdh - explicitly zeroize private_key
In the Linux kernel, the following vulnerability has been resolved: crypto: ecdh - explicitly zeroize privatekey privatekey is overwritten with the key parameter passed in by the caller if present, or alternatively a newly generated private key. However, it is possible that the caller provides a...
CVE-2024-42098 crypto: ecdh - explicitly zeroize private_key
In the Linux kernel, the following vulnerability has been resolved: crypto: ecdh - explicitly zeroize privatekey privatekey is overwritten with the key parameter passed in by the caller if present, or alternatively a newly generated private key. However, it is possible that the caller provides a...
SUSE-RU-2024:2564-1 Recommended update for mozilla-nss
This update for mozilla-nss fixes the following issues: - Fixed startup crash of Firefox when using FIPS-mode bsc1223724. - Added 'Provides: nss' so other RPMs that require 'nss' can be installed jira PED-6358. - FIPS: added safe memsets bsc1222811 - FIPS: restrict AES-GCM bsc1222830 - FIPS:...
Advisory ROSA-SA-2024-2438
Software: opencryptoki 3.14.0 OS: ROSA Virtualization 2.1 packageevrstring: opencryptoki-3.14.0 CVE-ID: CVE-2021-3798 BDU-ID: CVE-Crit: MEDIUM. CVE-DESC.: The openCryptoki software token does not check if the EC key is valid when the EC key is created with CCreateObject and when CDeriveKey is use...
RHEL 8 : golang (Unpatched Vulnerability)
The remote Redhat Enterprise Linux 8 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched. - golang: Command-line arguments may overwrite global data CVE-2021-38297 - In archive/zip in Go before...
Information Exposure Through Timing Discrepancy
Overview paragonie/ecc is an Elliptic Curve Cryptography library Affected versions of this package are vulnerable to Information Exposure Through Timing Discrepancy due to the use of the GMPMath adapter, which wraps the GNU Multiple Precision arithmetic library GMP not aiming to provide...