17 matches found

OSV
added 2026/05/13 10:6 a.m. | 7 views

CLSA-2025-1762538558 containernetworking-plugins: Fix of 13 CVEs

rebuild with newer golang to fix multiple security vulnerabilities: - CVE-2023-24534: fix HTTP/2 rapid reset attack leading to denial of service - CVE-2023-29400: fix HTTP/2 frame processing panic leading to denial of service - CVE-2022-41725: fix HTTP/2 server connection handling causing...

9.8 CVSS | 6.8 AI score | 0.00759 EPSS
Exploits 0 | References 1
Microsoft CVE
added 2025/09/04 4:28 a.m. | 3 views

Before Go 1.20, the RSA based key exchange methods in crypto/tls may exhibit a timing side channel

...

7.5 CVSS | 7 AI score | 0.00185 EPSS
Exploits 0
RedHat Linux
added 2024/04/30 9:51 a.m. | 2 views

golang: crypto/tls: Timing Side Channel attack in RSA based TLS key exchanges.

A flaw was found in the Golang crypto/tls standard library. In previous versions, the package was vulnerable to a Timing Side Channel attack by observing the time it took for RSA-based TLS key exchanges, which was not constant. This flaw allows a malicious user to gather information from the...

7.5 CVSS | 7.3 AI score | 0.00185 EPSS
Exploits 0 | References 5
Tenable Nessus
added 2024/04/30 12:0 a.m. | 60 views

RHEL 9 : podman (RHSA-2024:2193)

The remote Redhat Enterprise Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2024:2193 advisory. The podman tool manages pods, container images, and containers. It is part of the libpod library, which is for applications that use contain...

7.5 CVSS | 7.2 AI score | 0.00185 EPSS
Exploits 0 | References 10
Veracode
added 2023/12/07 11:35 a.m. | 25 views

Timing Attack

github.com/golang/go is vulnerable to a Timing Attack. A timing-based side-channel vulnerability allows an attacker to potentially recover session key bits from RSA-based TLS key exchanges by observing the timing discrepancy between processing different inputs. While successful exploitation...

7.5 CVSS | 6.5 AI score | 0.00185 EPSS
Exploits 0 | References 9 | Affected Software 1
RedhatCVE
added 2023/12/06 3:0 p.m. | 71 views

CVE-2023-45287

A flaw was found in the Golang crypto/tls standard library. In previous versions, the package was vulnerable to a Timing Side Channel attack by observing the time it took for RSA-based TLS key exchanges, which was not constant. This flaw allows a malicious user to gather information from the...

7.5 CVSS | 6 AI score | 0.00185 EPSS
Exploits 0 | References 4
Tenable Nessus
added 2021/11/11 12:0 a.m. | 48 views

EulerOS 2.0 SP9 : golang (EulerOS-SA-2021-2685)

According to the versions of the golang packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - Go before 1.15.13 and 1.16.x before 1.16.5 has functions for DNS lookups that do not validate replies from DNS servers, and thus a return value...

7.5 CVSS | 7.2 AI score | 0.00917 EPSS
Exploits 5 | References 6
AlpineLinux
added 2021/07/15 1:47 p.m. | 653 views

CVE-2021-34558

The crypto/tls package of Go through 1.16.5 does not properly assert that the type of public key in an X.509 certificate matches the expected type when doing a RSA based key exchange, allowing a malicious TLS server to cause a TLS client to panic...

6.5 CVSS | 7.4 AI score | 0.00917 EPSS
Exploits 1
OpenVAS
added 2016/05/03 12:0 a.m. | 23 views

Cisco IOS Software SSH Version 2 RSA-Based User Authentication Bypass Vulnerability (cisco-sa-20150923-sshpk)

A vulnerability in the SSH version 2 (SSHv2) protocol implementation of Cisco IOS Software could allow an unauthenticated, remote attacker to bypass user authentication.

9.3 CVSS | 5.4 AI score | 0.01165 EPSS
Exploits 0 | References 1
CISA
added 2016/03/01 12:0 a.m. | 12 views

SSLv2 DROWN Attack

Network traffic encrypted using an RSA-based SSL certificate may be decrypted if enough SSLv2 handshake data can be collected. Exploitation of this vulnerability—referred to as DROWN in public reporting—may allow a remote attacker to decrypt individual messages from a server supporting SSLv2...

6.5 AI score
Exploits 0 | References 2
CERT
added 2016/03/01 12:0 a.m. | 126 views

Network traffic encrypted using RSA-based SSL certificates over SSLv2 may be decrypted by the DROWN attack

Overview: Network traffic encrypted using an RSA-based SSL certificate may be decrypted if enough SSLv2 handshake data can be collected. This is known as the "DROWN" attack in the media. Description: According to the researcher, "DROWN" is a new form of cross-protocol Bleichenbacher padding oracle...

5.9 CVSS | 6.5 AI score | 0.90348 EPSS
Exploits 3 | References 3
Tenable Nessus
added 2015/10/02 12:0 a.m. | 54 views

Cisco IOS XE SSHv2 RSA-Based User Authentication Bypass (CSCus73013)

The remote Cisco IOS XE device is missing a vendor-supplied security patch, and is configured for SSHv2 RSA-based user authentication. It is, therefore, affected by a flaw in the SSHv2 protocol implementation of the public key authentication method. An unauthenticated, remote attacker can exploit...

9.3 CVSS | 5.5 AI score | 0.01165 EPSS
Exploits 0 | References 2
Tenable Nessus
added 2015/10/02 12:0 a.m. | 40 views

Cisco IOS SSHv2 RSA-Based User Authentication Bypass (CSCus73013)

The remote Cisco IOS device is missing a vendor-supplied security patch, and is configured for SSHv2 RSA-based user authentication. It is, therefore, affected by a flaw in the SSHv2 protocol implementation of the public key authentication method. An unauthenticated, remote attacker can exploit...

9.3 CVSS | 5.5 AI score | 0.01165 EPSS
Exploits 0 | References 2
Cisco
added 2015/09/23 4:0 p.m. | 36 views

Cisco IOS and IOS XE Software SSH Version 2 RSA-Based User Authentication Bypass Vulnerability

A vulnerability in the SSH version 2 (SSHv2) protocol implementation of Cisco IOS and IOS XE Software could allow an unauthenticated, remote attacker to bypass user authentication. Successful exploitation could allow the attacker to log in with the privileges of the user or the privileges configure...

9.3 CVSS | 6.7 AI score | 0.01165 EPSS
Exploits 0 | References 1
Tenable Nessus
added 2012/06/29 12:0 a.m. | 31 views

Debian DSA-2483-1 : strongswan - authentication bypass

An authentication bypass issue was discovered by the Codenomicon CROSS project in strongSwan, an IPsec-based VPN solution. When using RSA-based setups, a missing check in the gmp plugin could allow an attacker presenting a forged signature to successfully authenticate against a strongSwan...

7.5 CVSS | 8.2 AI score | 0.00691 EPSS
Exploits 0 | References 3
Debian
added 2012/05/31 5:21 p.m. | 22 views

[SECURITY] [DSA 2483-1] strongswan security update

Debian Security Advisory DSA-2483-1 | http://www.debian.org/security/ | Yves-Alexis Perez | May 31, 2012 | http://www.debian.org/security/faq ...

7.5 CVSS | 5.9 AI score | 0.00691 EPSS
Exploits 0
OSV
added 2012/05/31 12:0 a.m. | 9 views

DSA-2483-1 strongswan - authentication bypass

Bulletin has no description...

7.5 CVSS | 6.3 AI score | 0.00691 EPSS
Exploits 0