44 matches found
EUVD-2023-28550
Malicious code in bioql PyPI...
crypto/internal/nistec: golang: Timing sidechannel for P-256 on ppc64le in crypto/internal/nistec
A flaw was found in the Golang crypto/internal/nistec package. Due to the usage of a variable time instruction in the assembly implementation of an internal function, a small number of bits of secret scalars are leaked on the ppc64le architecture. Considering how this function is used, this leaka...
Security Bulletin: Vulnerability in Go affects watsonx.data
Summary The ScalarMult and ScalarBaseMult methods of the P256 Curve in Golang Go have an unspecified error that returns an incorrect result which has an unknown impact and attack vector. watsonx.data may be affected by this. Vulnerability Details CVEID: CVE-2023-24532 DESCRIPTION: An unspecified...
BIT-GOLANG-2023-24532 Incorrect calculation on P256 curves in crypto/internal/nistec
The ScalarMult and ScalarBaseMult methods of the P256 Curve may return an incorrect result if called with some specific unreduced scalars (a scalar larger than the order of the curve). This does not impact usages of crypto/ecdsa or crypto/ecdh...
PT-2024-19822 · Pypi +1 · Ecdsa +1
Name of the Vulnerable Software and Affected Versions: ecdsa versions 0.18.0 and prior Description: The ecdsa PyPI package, a pure Python implementation of ECC (Elliptic Curve Cryptography), is affected by a Minerva timing attack on the P-256 curve. This attack can leak the internal nonce when usin...
Amazon Linux AMI : golang (ALAS-2023-1848)
The version of golang installed on the remote host is prior to 1.20.8-1.47. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS-2023-1848 advisory. 2024-01-03: CVE-2023-24537 was added to this advisory. 2024-01-03: CVE-2023-29400 was added to this advisory. 2024-01-03...
Amazon Linux 2 : golang (ALASGOLANG1.19-2023-001)
The version of golang installed on the remote host is prior to 1.19.10-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2GOLANG1.19-2023-001 advisory. The ScalarMult and ScalarBaseMult methods of the P256 Curve may return an incorrect result if called with some...
Important: golang
Issue Overview: The ScalarMult and ScalarBaseMult methods of the P256 Curve may return an incorrect result if called with some specific unreduced scalars (a scalar larger than the order of the curve). This does not impact usages of crypto/ecdsa or crypto/ecdh. CVE-2023-24532 HTTP and MIME header...
Amazon Linux 2 : containerd (ALASNITRO-ENCLAVES-2023-026)
The version of containerd installed on the remote host is prior to 1.6.19-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2NITRO-ENCLAVES-2023-026 advisory. http2/hpack: avoid quadratic complexity in hpack decoding CVE-2022-41723 Large handshake records may caus...
Amazon Linux 2 : golang (ALAS-2023-2163)
The version of golang installed on the remote host is prior to 1.20.5-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2023-2163 advisory. RESERVED NOTE: https://groups.google.com/g/golang-announce/c/V0aBFqaFsE CVE-2022-41724 Golang: net/http, mime/multipart:...
Important: golang
Issue Overview: RESERVED NOTE: https://groups.google.com/g/golang-announce/c/V0aBFqaFsE CVE-2022-41724 Golang: net/http, mime/multipart: denial of service from excessive resource consumption https://groups.google.com/g/golang-announce/c/V0aBFqaFsE CVE-2022-41725 The ScalarMult and ScalarBaseMult...
CVE-2023-24532
A flaw was found in the crypto/internal/nistec golang library. The ScalarMult and ScalarBaseMult methods of the P256 Curve may return an incorrect result if called with some specific unreduced scalars, such as a scalar larger than the order of the curve. This does not impact usages of crypto/ecds...
golang: crypto/elliptic: panic caused by oversized scalar
An integer overflow flaw was found in Golang's crypto/elliptic library. This flaw allows an attacker to use a crafted scalar input longer than 32 bytes, causing P256.ScalarMult or P256.ScalarBaseMult to panic, leading to a loss of availability...
Security Bulletin: IBM App Connect Enterprise Certified Container operands and operator are vulnerable to [CVE-2023-24532]
Summary IBM App Connect Enterprise Certified Container operator and operands are vulnerable to an unspecified error due to an error in the ScalarMult and ScalarBaseMult methods of the P256 Curve in Golang Go. This bulletin provides patch information to address the reported vulnerability in Golang...
CentOS 8 : go-toolset:rhel8 (CESA-2023:3319)
The remote CentOS Linux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the CESA-2023:3319 advisory. - The ScalarMult and ScalarBaseMult methods of the P256 Curve may return an incorrect result if called with some specific unreduced scalars a scalar...
Security Bulletin: Multiple vulnerabilities in golang affect IBM Db2® REST
Summary IBM Db2® REST is affected by multiple vulnerabilities found in Golang Vulnerability Details CVEID:CVE-2022-41723 DESCRIPTION: Golang Go is vulnerable to a denial of service, caused by a flaw in the HPACK decoder. By sending a specially-crafted HTTP/2 stream, a remote attacker could exploi...
Important: golang
Issue Overview: Requests forwarded by ReverseProxy include the raw query parameters from the inbound request, including unparseable parameters rejected by net/http. This could permit query parameter smuggling when a Go proxy forwards a parameter with an unparseable value. After fix, ReverseProxy...
Updated golang packages fix security vulnerability
A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests. CVE-2022-41723 Large handshake records may cause panics in crypto/tls. CVE-2022-41724 Denial of service from excessive...
MGASA-2023-0109 Updated golang packages fix security vulnerability
A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests. CVE-2022-41723 Large handshake records may cause panics in crypto/tls. CVE-2022-41724 Denial of service from excessive...
SUSE SLED15 / SLES15 / openSUSE 15 Security Update : go1.19 (SUSE-SU-2023:0733-1)
The remote SUSE Linux SLED15 / SLEDSAP15 / SLES15 / SLESSAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2023:0733-1 advisory. - A path traversal vulnerability exists in filepath.Clean on Windows. On Windows, the...