Executive Summary

| Information | | | |
|---|---|---|---|
| Name | MDVSA-2013:247 | First vendor Publication | 2013-10-10 |
| Vendor | Mandriva | Last vendor Modification | 2013-10-10 |
| Severity (Vendor) | N/A | Revision | N/A |
Security-Database Scoring CVSS v3

| CVSS vector: N/A | | | |
|---|---|---|---|
| Overall CVSS Score | NA | | |
| Base Score | NA | Environmental Score | NA |
| Impact Sub Score | NA | Temporal Score | NA |
| Exploitability Sub Score | NA | | |
Security-Database Scoring CVSS v2

| CVSS vector: (AV:N/AC:M/Au:N/C:P/I:P/A:N) | | | |
|---|---|---|---|
| CVSS Base Score | 5.8 | Attack Range | Network |
| CVSS Impact Score | 4.9 | Attack Complexity | Medium |
| CVSS Exploit Score | 8.6 | Authentication | None Required |
Detail

Multiple vulnerabilities have been discovered and corrected in gnupg:

GnuPG 1.4.x, 2.0.x, and 2.1.x treats a key flags subpacket with all bits cleared (no usage permitted) as if it had all bits set (all usage permitted), which might allow remote attackers to bypass intended cryptographic protection mechanisms by leveraging the subkey (CVE-2013-4351).

Specially crafted input data may be used to cause a denial of service against GPG: GPG can be forced to recursively parse certain parts of OpenPGP messages ad infinitum (CVE-2013-4402).

The updated packages have been patched to correct these issues.
Original Source

Url: http://www.mandriva.com/security/advisories?name=MDVSA-2013:247
CWE : Common Weakness Enumeration

| % | Id | Name |
|---|---|---|
| 50 % | CWE-310 | Cryptographic Issues |
| 50 % | CWE-20 | Improper Input Validation |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:19160

| Field | Value |
|---|---|
| Oval ID | oval:org.mitre.oval:def:19160 |
| Title | USN-1987-1 -- gnupg, gnupg2 vulnerabilities |
| Description | Several security issues were fixed in GnuPG. |
| Family | unix |
| Class | patch |
| Reference(s) | USN-1987-1, CVE-2013-4351, CVE-2013-4402 |
| Version | 5 |
| Platform(s) | Ubuntu 13.04, Ubuntu 12.10, Ubuntu 12.04, Ubuntu 10.04 |
| Product(s) | gnupg, gnupg2 |

Definition Id: oval:org.mitre.oval:def:19904

| Field | Value |
|---|---|
| Oval ID | oval:org.mitre.oval:def:19904 |
| Title | DSA-2773-1 gnupg - several |
| Description | Two vulnerabilities were discovered in GnuPG, the GNU privacy guard, a free PGP replacement. |
| Family | unix |
| Class | patch |
| Reference(s) | DSA-2773-1, CVE-2013-4351, CVE-2013-4402 |
| Version | 5 |
| Platform(s) | Debian GNU/Linux 6.0, Debian GNU/Linux 7, Debian GNU/kFreeBSD 6.0, Debian GNU/kFreeBSD 7 |
| Product(s) | gnupg |

Definition Id: oval:org.mitre.oval:def:20090

| Field | Value |
|---|---|
| Oval ID | oval:org.mitre.oval:def:20090 |
| Title | DSA-2774-1 gnupg2 - several |
| Description | Two vulnerabilities were discovered in GnuPG 2, the GNU privacy guard, a free PGP replacement. |
| Family | unix |
| Class | patch |
| Reference(s) | DSA-2774-1, CVE-2013-4351, CVE-2013-4402 |
| Version | 5 |
| Platform(s) | Debian GNU/Linux 6.0, Debian GNU/Linux 7, Debian GNU/kFreeBSD 6.0, Debian GNU/kFreeBSD 7 |
| Product(s) | gnupg2 |

Definition Id: oval:org.mitre.oval:def:20690

| Field | Value |
|---|---|
| Oval ID | oval:org.mitre.oval:def:20690 |
| Title | RHSA-2013:1459: gnupg2 security update (Moderate) |
| Description | The compressed packet parser in GnuPG 1.4.x before 1.4.15 and 2.0.x before 2.0.22 allows remote attackers to cause a denial of service (infinite recursion) via a crafted OpenPGP message. |
| Family | unix |
| Class | patch |
| Reference(s) | RHSA-2013:1459-00, CESA-2013:1459, CVE-2012-6085, CVE-2013-4351, CVE-2013-4402 |
| Version | 45 |
| Platform(s) | Red Hat Enterprise Linux 5, Red Hat Enterprise Linux 6, CentOS Linux 5, CentOS Linux 6 |
| Product(s) | gnupg2 |

Definition Id: oval:org.mitre.oval:def:20833

| Field | Value |
|---|---|
| Oval ID | oval:org.mitre.oval:def:20833 |
| Title | RHSA-2013:1458: gnupg security update (Moderate) |
| Description | The compressed packet parser in GnuPG 1.4.x before 1.4.15 and 2.0.x before 2.0.22 allows remote attackers to cause a denial of service (infinite recursion) via a crafted OpenPGP message. |
| Family | unix |
| Class | patch |
| Reference(s) | RHSA-2013:1458-00, CESA-2013:1458, CVE-2012-6085, CVE-2013-4242, CVE-2013-4351, CVE-2013-4402 |
| Version | 59 |
| Platform(s) | Red Hat Enterprise Linux 5, CentOS Linux 5 |
| Product(s) | gnupg |

Definition Id: oval:org.mitre.oval:def:23451

| Field | Value |
|---|---|
| Oval ID | oval:org.mitre.oval:def:23451 |
| Title | ELSA-2013:1458: gnupg security update (Moderate) |
| Description | The compressed packet parser in GnuPG 1.4.x before 1.4.15 and 2.0.x before 2.0.22 allows remote attackers to cause a denial of service (infinite recursion) via a crafted OpenPGP message. |
| Family | unix |
| Class | patch |
| Reference(s) | ELSA-2013:1458-00, CVE-2012-6085, CVE-2013-4242, CVE-2013-4351, CVE-2013-4402 |
| Version | 21 |
| Platform(s) | Oracle Linux 5 |
| Product(s) | gnupg |

Definition Id: oval:org.mitre.oval:def:23470

| Field | Value |
|---|---|
| Oval ID | oval:org.mitre.oval:def:23470 |
| Title | DEPRECATED: ELSA-2013:1459: gnupg2 security update (Moderate) |
| Description | The compressed packet parser in GnuPG 1.4.x before 1.4.15 and 2.0.x before 2.0.22 allows remote attackers to cause a denial of service (infinite recursion) via a crafted OpenPGP message. |
| Family | unix |
| Class | patch |
| Reference(s) | ELSA-2013:1459-00, CVE-2012-6085, CVE-2013-4351, CVE-2013-4402 |
| Version | 18 |
| Platform(s) | Oracle Linux 5, Oracle Linux 6 |
| Product(s) | gnupg2 |

Definition Id: oval:org.mitre.oval:def:23894

| Field | Value |
|---|---|
| Oval ID | oval:org.mitre.oval:def:23894 |
| Title | ELSA-2013:1459: gnupg2 security update (Moderate) |
| Description | The compressed packet parser in GnuPG 1.4.x before 1.4.15 and 2.0.x before 2.0.22 allows remote attackers to cause a denial of service (infinite recursion) via a crafted OpenPGP message. |
| Family | unix |
| Class | patch |
| Reference(s) | ELSA-2013:1459-00, CVE-2012-6085, CVE-2013-4351, CVE-2013-4402 |
| Version | 17 |
| Platform(s) | Oracle Linux 5, Oracle Linux 6 |
| Product(s) | gnupg2 |

Definition Id: oval:org.mitre.oval:def:25288

| Field | Value |
|---|---|
| Oval ID | oval:org.mitre.oval:def:25288 |
| Title | SUSE-SU-2013:1576-1 -- Security update for gpg2 |
| Description | This GnuPG update fixes two security issues: CVE-2013-4351: GnuPG treated no-usage-permitted keys as all-usages-permitted. CVE-2013-4402: An infinite recursion in the compressed packet parser was fixed. |
| Family | unix |
| Class | patch |
| Reference(s) | SUSE-SU-2013:1576-1, CVE-2013-4351, CVE-2013-4402 |
| Version | 3 |
| Platform(s) | SUSE Linux Enterprise Server 11, SUSE Linux Enterprise Desktop 11 |
| Product(s) | gpg2 |

Definition Id: oval:org.mitre.oval:def:26955

| Field | Value |
|---|---|
| Oval ID | oval:org.mitre.oval:def:26955 |
| Title | DEPRECATED: ELSA-2013-1458 -- gnupg security update (moderate) |
| Description | [1.4.5-18] fix CVE-2013-4351: gpg treats no-usage-permitted keys as all-usages-permitted. [1.4.5-17] fix CVE-2012-6085: GnuPG read_block() corrupt key input validation; fix CVE-2013-4242: GnuPG susceptible to Yarom/Falkner side-channel attack; fix CVE-2013-4402: GnuPG infinite recursion in the compressed packet parser. [1.4.5-15] fix error when decrypting certain files (#510500). |
| Family | unix |
| Class | patch |
| Reference(s) | ELSA-2013-1458, CVE-2013-4242, CVE-2012-6085, CVE-2013-4351, CVE-2013-4402 |
| Version | 4 |
| Platform(s) | Oracle Linux 5 |
| Product(s) | gnupg |

Definition Id: oval:org.mitre.oval:def:27428

| Field | Value |
|---|---|
| Oval ID | oval:org.mitre.oval:def:27428 |
| Title | DEPRECATED: ELSA-2013-1459 -- gnupg2 security update (moderate) |
| Description | [2.0.14-6] fix CVE-2013-4351: gpg treats no-usage-permitted keys as all-usages-permitted. [2.0.14-5] fix CVE-2012-6085: GnuPG read_block() corrupt key input validation; fix CVE-2013-4402: GnuPG infinite recursion in the compressed packet parser. |
| Family | unix |
| Class | patch |
| Reference(s) | ELSA-2013-1459, CVE-2012-6085, CVE-2013-4351, CVE-2013-4402 |
| Version | 4 |
| Platform(s) | Oracle Linux 5, Oracle Linux 6 |
| Product(s) | gnupg2 |

CPE : Common Platform Enumeration
Nessus® Vulnerability Scanner

| Date | Name | File | Type |
|---|---|---|---|
| 2016-02-22 | The remote device is missing a vendor-supplied security patch. | f5_bigip_SOL50413110.nasl | ACT_GATHER_INFO |
| 2016-02-22 | The remote device is missing a vendor-supplied security patch. | f5_bigip_SOL40131068.nasl | ACT_GATHER_INFO |
| 2015-01-19 | The remote Solaris system is missing a security patch for third-party software. | solaris11_gnupg_20140731.nasl | ACT_GATHER_INFO |
| 2014-06-13 | The remote openSUSE host is missing a security update. | openSUSE-2013-736.nasl | ACT_GATHER_INFO |
| 2014-06-13 | The remote openSUSE host is missing a security update. | openSUSE-2013-716.nasl | ACT_GATHER_INFO |
| 2014-06-13 | The remote openSUSE host is missing a security update. | openSUSE-2013-758.nasl | ACT_GATHER_INFO |
| 2014-02-23 | The remote Gentoo host is missing one or more security-related patches. | gentoo_GLSA-201402-24.nasl | ACT_GATHER_INFO |
| 2013-11-14 | The remote Amazon Linux AMI host is missing a security update. | ala_ALAS-2013-237.nasl | ACT_GATHER_INFO |
| 2013-11-14 | The remote Amazon Linux AMI host is missing a security update. | ala_ALAS-2013-236.nasl | ACT_GATHER_INFO |
| 2013-11-13 | The remote Fedora host is missing a security update. | fedora_2013-18647.nasl | ACT_GATHER_INFO |
| 2013-10-27 | The remote CentOS host is missing one or more security updates. | centos_RHSA-2013-1459.nasl | ACT_GATHER_INFO |
| 2013-10-27 | The remote CentOS host is missing a security update. | centos_RHSA-2013-1458.nasl | ACT_GATHER_INFO |
| 2013-10-27 | The remote Fedora host is missing one or more security updates. | fedora_2013-18814.nasl | ACT_GATHER_INFO |
| 2013-10-25 | The remote SuSE 11 host is missing one or more security updates. | suse_11_gpg2-131008.nasl | ACT_GATHER_INFO |
| 2013-10-25 | The remote Scientific Linux host is missing one or more security updates. | sl_20131024_gnupg_on_SL5_x.nasl | ACT_GATHER_INFO |
| 2013-10-25 | The remote Oracle Linux host is missing a security update. | oraclelinux_ELSA-2013-1458.nasl | ACT_GATHER_INFO |
| 2013-10-25 | The remote Oracle Linux host is missing one or more security updates. | oraclelinux_ELSA-2013-1459.nasl | ACT_GATHER_INFO |
| 2013-10-25 | The remote Red Hat host is missing one or more security updates. | redhat-RHSA-2013-1458.nasl | ACT_GATHER_INFO |
| 2013-10-25 | The remote Red Hat host is missing one or more security updates. | redhat-RHSA-2013-1459.nasl | ACT_GATHER_INFO |
| 2013-10-25 | The remote Scientific Linux host is missing one or more security updates. | sl_20131024_gnupg2_on_SL5_x.nasl | ACT_GATHER_INFO |
| 2013-10-15 | The remote Slackware host is missing a security update. | Slackware_SSA_2013-287-02.nasl | ACT_GATHER_INFO |
| 2013-10-15 | The remote Fedora host is missing a security update. | fedora_2013-18866.nasl | ACT_GATHER_INFO |
| 2013-10-15 | The remote Fedora host is missing a security update. | fedora_2013-18807.nasl | ACT_GATHER_INFO |
| 2013-10-15 | The remote Slackware host is missing a security update. | Slackware_SSA_2013-287-01.nasl | ACT_GATHER_INFO |
| 2013-10-13 | The remote Fedora host is missing a security update. | fedora_2013-18676.nasl | ACT_GATHER_INFO |
| 2013-10-11 | The remote Mandriva Linux host is missing one or more security updates. | mandriva_MDVSA-2013-247.nasl | ACT_GATHER_INFO |
| 2013-10-11 | The remote Fedora host is missing a security update. | fedora_2013-18543.nasl | ACT_GATHER_INFO |
| 2013-10-11 | The remote Debian host is missing a security-related update. | debian_DSA-2774.nasl | ACT_GATHER_INFO |
| 2013-10-11 | The remote Debian host is missing a security-related update. | debian_DSA-2773.nasl | ACT_GATHER_INFO |
| 2013-10-10 | The remote Ubuntu host is missing one or more security-related patches. | ubuntu_USN-1987-1.nasl | ACT_GATHER_INFO |
| 2013-10-06 | The remote FreeBSD host is missing one or more security-related updates. | freebsd_pkg_749b55872da111e3b1a9b499baab0cbe.nasl | ACT_GATHER_INFO |
Alert History

| Date | Information |
|---|---|
| 2014-02-17 11:44:04 | |
| 2013-10-29 13:21:55 | |
| 2013-10-10 21:26:15 | |
| 2013-10-10 17:19:42 | |