Arch Linux Security Advisory ASA-202106-26
==========================================

Severity: Medium
Date    : 2021-06-09
CVE-ID  : CVE-2021-33880
Package : python-websockets
Type    : private key recovery
Remote  : Yes
Link    : https://security.archlinux.org/AVG-2040

Summary
=======

The package python-websockets before version 9.1-1 is vulnerable to private key recovery.

Resolution
==========

Upgrade to 9.1-1.

# pacman -Syu "python-websockets>=9.1-1"

The problem has been fixed upstream in version 9.1.

Workaround
==========

None.

Description
===========

The aaugustin websockets library before 9.1 for Python has an observable timing discrepancy on servers when HTTP Basic Authentication is enabled with basic_auth_protocol_factory(credentials=...). An attacker may be able to guess a password via a timing attack.

Impact
======

A remote attacker could guess HTTP Basic Authentication passwords using a timing attack.

References
==========

https://github.com/python-websockets/websockets/commit/547a26b685d08cac0aa64e5e65f7867ac0ea9bc0
https://security.archlinux.org/CVE-2021-33880
openSUSE Security Update: Security update for mbedtls
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2021:0384-1
Rating:             moderate
References:         #1181468
Cross-References:   CVE-2020-10932
CVSS scores:
    CVE-2020-10932 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Affected Products:
    openSUSE Leap 15.2
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for mbedtls fixes the following issues:

- mbedtls was updated to version 2.16.9
- CVE-2020-10932: Fixed side channel in ECC code that allowed an adversary with access to precise enough timing and memory access information (typically an untrusted operating system attacking a secure enclave) to fully recover an ECDSA private key (boo#1181468).

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.2:
    zypper in -t patch openSUSE-2021-384=1

Package List:

- openSUSE Leap 15.2 (i586 x86_64):
    libmbedcrypto3-2.16.9-lp152.2.3.1
    libmbedcrypto3-debuginfo-2.16.9-lp152.2.3.1
    libmbedtls12-2.16.9-lp152.2.3.1
    libmbedtls12-debuginfo-2.16.9-lp152.2.3.1
    libmbedx509-0-2.16.9-lp152.2.3.1
    libmbedx509-0-debuginfo-2.16.9-lp152.2.3.1
    mbedtls-debugsource-2.16.9-lp152.2.3.1
    mbedtls-devel-2.16.9-lp152.2.3.1

- openSUSE Leap 15.2 (x86_64):
    libmbedcrypto3-32bit-2.16.9-lp152.2.3.1
    libmbedcrypto3-32bit-debuginfo-2.16.9-lp152.2.3.1
    libmbedtls12-32bit-2.16.9-lp152.2.3.1
    libmbedtls12-32bit-debuginfo-2.16.9-lp152.2.3.1
    libmbedx509-0-32bit-2.16.9-lp152.2.3.1
    libmbedx509-0-32bit-debuginfo-2.16.9-lp152.2.3.1

References:

https://www.suse.com/security/cve/CVE-2020-10932.html
https://bugzilla.suse.com/1181468
Arch Linux Security Advisory ASA-202007-5
=========================================

Severity: Medium
Date    : 2020-07-31
CVE-ID  : CVE-2020-10932
Package : mbedtls
Type    : private key recovery
Remote  : No
Link    : https://security.archlinux.org/AVG-1141

Summary
=======

The package mbedtls before version 2.16.7-1 is vulnerable to private key recovery.

Resolution
==========

Upgrade to 2.16.7-1.

# pacman -Syu "mbedtls>=2.16.7-1"

The problem has been fixed upstream in version 2.16.7.

Workaround
==========

None.

Description
===========

A side channel attack has been found on the ECDSA implementation of Mbed TLS before 2.22.0, 2.16.6 and 2.7.15, allowing a local attacker with access to precise enough timing and memory access information (typically an untrusted operating system attacking a secure enclave such as SGX or the TrustZone secure world) to fully recover an ECDSA private key after observing a number of signature operations.

Impact
======

A remote attacker is able to recover an ECDSA private key.

References
==========

https://security.archlinux.org/CVE-2020-10932
Arch Linux Security Advisory ASA-202003-7
=========================================

Severity: High
Date    : 2020-03-11
CVE-ID  : CVE-2019-18222
Package : mbedtls
Type    : private key recovery
Remote  : No
Link    : https://security.archlinux.org/AVG-1104

Summary
=======

The package mbedtls before version 2.16.5-1 is vulnerable to private key recovery.

Resolution
==========

Upgrade to 2.16.5-1.

# pacman -Syu "mbedtls>=2.16.5-1"

The problem has been fixed upstream in version 2.16.5.

Workaround
==========

None.

Description
===========

The ECDSA signature implementation in ecdsa.c in Arm Mbed Crypto before 3.0.1 and Mbed TLS before 2.20.0, 2.16.4 or 2.7.13 does not reduce the blinded scalar before computing the inverse, which allows a local attacker to recover the private key via side-channel attacks.

Impact
======

A local attacker can recover an ECDSA private key via side-channel attacks.

References
==========

https://security.archlinux.org/CVE-2019-18222
Arch Linux Security Advisory ASA-201901-10
==========================================

Severity: Medium
Date    : 2019-01-24
CVE-ID  : CVE-2019-6486
Package : go-pie
Type    : private key recovery
Remote  : Yes
Link    : https://security.archlinux.org/AVG-859

Summary
=======

The package go-pie before version 2:1.11.5-1 is vulnerable to private key recovery.

Resolution
==========

Upgrade to 2:1.11.5-1.

# pacman -Syu "go-pie>=2:1.11.5-1"

The problem has been fixed upstream in version 1.11.5.

Workaround
==========

None.

Description
===========

Go before versions 1.10.8 and 1.11.5 has a vulnerability in the crypto/elliptic implementations of the P-521 and P-384 elliptic curves. A remote attacker can exploit this by crafting inputs that consume excessive amounts of CPU. These inputs might be delivered via TLS handshakes, X.509 certificates, JWT tokens, ECDH shares or ECDSA signatures. In some cases, if an ECDH private key is reused more than once, the attack can also lead to key recovery.

Impact
======

A remote attacker can crash the system with maliciously crafted input, or recover the private key.

References
==========

https://groups.google.com/forum/m/#!topic/golang-announce/mVeX35iXuSw
https://github.com/golang/go/issues/29903
https://github.com/golang/go/commit/42b42f71
https://security.archlinux.org/CVE-2019-6486
Arch Linux Security Advisory ASA-201901-11
==========================================

Severity: Medium
Date    : 2019-01-24
CVE-ID  : CVE-2019-6486
Package : go
Type    : private key recovery
Remote  : Yes
Link    : https://security.archlinux.org/AVG-859

Summary
=======

The package go before version 2:1.11.5-1 is vulnerable to private key recovery.

Resolution
==========

Upgrade to 2:1.11.5-1.

# pacman -Syu "go>=2:1.11.5-1"

The problem has been fixed upstream in version 1.11.5.

Workaround
==========

None.

Description
===========

Go before versions 1.10.8 and 1.11.5 has a vulnerability in the crypto/elliptic implementations of the P-521 and P-384 elliptic curves. A remote attacker can exploit this by crafting inputs that consume excessive amounts of CPU. These inputs might be delivered via TLS handshakes, X.509 certificates, JWT tokens, ECDH shares or ECDSA signatures. In some cases, if an ECDH private key is reused more than once, the attack can also lead to key recovery.

Impact
======

A remote attacker can crash the system with maliciously crafted input, or recover the private key.

References
==========

https://groups.google.com/forum/m/#!topic/golang-announce/mVeX35iXuSw
https://github.com/golang/go/issues/29903
https://github.com/golang/go/commit/42b42f71
https://security.archlinux.org/CVE-2019-6486
Arch Linux Security Advisory ASA-201804-6
=========================================

Severity: Medium
Date    : 2018-04-15
CVE-ID  : CVE-2017-3738
Package : lib32-openssl
Type    : private key recovery
Remote  : Yes
Link    : https://security.archlinux.org/AVG-551

Summary
=======

The package lib32-openssl before version 1:1.1.0.h-1 is vulnerable to private key recovery.

Resolution
==========

Upgrade to 1:1.1.0.h-1.

# pacman -Syu "lib32-openssl>=1:1.1.0.h-1"

The problem has been fixed upstream in version 1.1.0.h.

Workaround
==========

None.

Description
===========

There is an overflow bug in the AVX2 Montgomery multiplication procedure used in exponentiation with 1024-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH1024 are considered just feasible, because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be significant. However, for an attack on TLS to be meaningful, the server would have to share the DH1024 private key among multiple clients, which is no longer an option since CVE-2016-0701.

Impact
======

A remote attacker might be able to recover a private key (in very unlikely cases).

References
==========

https://openssl-library.org/news/vulnerabilities/index.html
https://openssl-library.org/news/secadv/20171207.txt
https://github.com/openssl/openssl/commit/5630661aecbea5fe3c4740f5fea744a1f07a6253
https://security.archlinux.org/CVE-2017-3738
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 201408-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Low
     Title: LibSSH: Information disclosure
      Date: August 10, 2014
      Bugs: #503504
        ID: 201408-03

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability in LibSSH can result in leakage of private key information.

Background
==========

LibSSH is a C library providing SSHv2 and SSHv1.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  net-libs/libssh            < 0.6.3                     >= 0.6.3

Description
===========

A new connection inherits the state of the PRNG without re-seeding with random data.

Impact
======

Servers using ECC (ECDSA) or DSA certificates in non-deterministic mode may under certain conditions leak their private key.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All LibSSH users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=net-libs/libssh-0.6.3"

References
==========

[ 1 ] CVE-2014-0017
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0017

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

https://security.gentoo.org/glsa/201408-03

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to