PT-2024-19822 · Pypi +1 · Ecdsa +1

Name of the Vulnerable Software and Affected Versions: ecdsa versions 0.18.0 and prior Description: The ecdsa PyPI package, a pure Python implementation of ECC Elliptic Curve Cryptography, is affected by a Minerva timing attack on the P-256 curve. This attack can leak the internal nonce when usin...

Amazon Linux AMI : golang (ALAS-2023-1848)

The version of golang installed on the remote host is prior to 1.20.8-1.47. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS-2023-1848 advisory. 2024-01-03: CVE-2023-24537 was added to this advisory. 2024-01-03: CVE-2023-29400 was added to this advisory. 2024-01-03...

Amazon Linux 2 : golang (ALASGOLANG1.19-2023-001)

The version of golang installed on the remote host is prior to 1.19.10-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2GOLANG1.19-2023-001 advisory. The ScalarMult and ScalarBaseMult methods of the P256 Curve may return an incorrect result if called with some...

Important: golang

Issue Overview: The ScalarMult and ScalarBaseMult methods of the P256 Curve may return an incorrect result if called with some specific unreduced scalars a scalar larger than the order of the curve. This does not impact usages of crypto/ecdsa or crypto/ecdh. CVE-2023-24532 HTTP and MIME header...

Important: containerd

Issue Overview: http2/hpack: avoid quadratic complexity in hpack decoding CVE-2022-41723 Large handshake records may cause panics in crypto/tls. Both clients and servers may send large TLS handshake records which cause servers and clients, respectively, to panic when attempting to construct...

Amazon Linux 2 : containerd (ALASNITRO-ENCLAVES-2023-026)

The version of containerd installed on the remote host is prior to 1.6.19-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2NITRO-ENCLAVES-2023-026 advisory. http2/hpack: avoid quadratic complexity in hpack decoding CVE-2022-41723 Large handshake records may caus...

Important: containerd

Issue Overview: http2/hpack: avoid quadratic complexity in hpack decoding CVE-2022-41723 Large handshake records may cause panics in crypto/tls. Both clients and servers may send large TLS handshake records which cause servers and clients, respectively, to panic when attempting to construct...

Amazon Linux 2 : golang (ALAS-2023-2163)

The version of golang installed on the remote host is prior to 1.20.5-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2023-2163 advisory. RESERVEDNOTE: https://groups.google.com/g/golang-announce/c/V0aBFqaFsE CVE-2022-41724 Golang: net/http, mime/multipart:...

Important: golang

Issue Overview: RESERVED NOTE: https://groups.google.com/g/golang-announce/c/V0aBFqaFsE CVE-2022-41724 Golang: net/http, mime/multipart: denial of service from excessive resource consumption https://groups.google.com/g/golang-announce/c/V0aBFqaFsE CVE-2022-41725 The ScalarMult and ScalarBaseMult...

CVE-2023-24532

A flaw was found in the crypto/internal/nistec golang library. The ScalarMult and ScalarBaseMult methods of the P256 Curve may return an incorrect result if called with some specific unreduced scalars, such as a scalar larger than the order of the curve. This does not impact usages of crypto/ecds...

golang: crypto/elliptic: panic caused by oversized scalar

An integer overflow flaw was found in Golang's crypto/elliptic library. This flaw allows an attacker to use a crafted scaler input longer than 32 bytes, causing P256.ScalarMult or P256.ScalarBaseMult to panic, leading to a loss of availability...

golang: crypto/elliptic: panic caused by oversized scalar

An integer overflow flaw was found in Golang's crypto/elliptic library. This flaw allows an attacker to use a crafted scaler input longer than 32 bytes, causing P256.ScalarMult or P256.ScalarBaseMult to panic, leading to a loss of availability...

Security Bulletin: IBM App Connect Enterprise Certified Container operands and operator are vulnerable to [CVE-2023-24532]

Summary IBM App Connect Enterprise Certified Container operator and operands are vulnerable to an unspecified error due to an error in the ScalarMult and ScalarBaseMult methods of the P256 Curve in Golang Go. This bulletin provides patch information to address the reported vulnerability in Golang...

golang: crypto/internal/nistec: specific unreduced P-256 scalars produce incorrect results

A flaw was found in the crypto/internal/nistec golang library. The ScalarMult and ScalarBaseMult methods of the P256 Curve may return an incorrect result if called with some specific unreduced scalars, such as a scalar larger than the order of the curve. This does not impact usages of crypto/ecds...

CentOS 8 : go-toolset:rhel8 (CESA-2023:3319)

The remote CentOS Linux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the CESA-2023:3319 advisory. - The ScalarMult and ScalarBaseMult methods of the P256 Curve may return an incorrect result if called with some specific unreduced scalars a scalar...

Security Bulletin: Multiple vulnerabilities in golang affect IBM Db2® REST

Summary IBM Db2® REST is affected by multiple vulnerabilities found in Golang Vulnerability Details CVEID:CVE-2022-41723 DESCRIPTION: Golang Go is vulnerable to a denial of service, caused by a flaw in the HPACK decoder. By sending a specially-crafted HTTP/2 stream, a remote attacker could exploi...

Important: golang

Issue Overview: Requests forwarded by ReverseProxy include the raw query parameters from the inbound request, including unparseable parameters rejected by net/http. This could permit query parameter smuggling when a Go proxy forwards a parameter with an unparseable value. After fix, ReverseProxy...

Updated golang packages fix security vulnerability

A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests. CVE-2022-41723 Large handshake records may cause panics in crypto/tls. CVE-2022-41724 Denial of service from excessive...

MGASA-2023-0109 Updated golang packages fix security vulnerability

A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests. CVE-2022-41723 Large handshake records may cause panics in crypto/tls. CVE-2022-41724 Denial of service from excessive...

SUSE SLED15 / SLES15 / openSUSE 15 Security Update : go1.19 (SUSE-SU-2023:0733-1)

The remote SUSE Linux SLED15 / SLEDSAP15 / SLES15 / SLESSAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2023:0733-1 advisory. - A path traversal vulnerability exists in filepath.Clean on Windows. On Windows, the...