[Debian] CVE: CVE-2022-47629/CVE-2022-3515: libksba : integer overflow vulnerability.

Bug #2002277 reported by Yue Tao
Affects: StarlingX | Status: Fix Released | Importance: Critical | Assigned to: Zhixiong Chi | Milestone: (none)

Bug Description

CVE-2022-47629: https://nvd.nist.gov/vuln/detail/CVE-2022-47629

CVE-2022-3515: https://nvd.nist.gov/vuln/detail/CVE-2022-3515

Libksba before 1.6.3 is prone to an integer overflow vulnerability in the CRL signature parser.

Score (AV/AC/PR/UI/AI are the CVSS v3 vector metrics: attack vector, attack complexity, privileges required, user interaction, availability impact):
CVE ID | Status | CVSS v3 score | AV | AC | PR | UI | AI
CVE-2022-47629 | fixed | 9.8 | N | L | N | N | H
CVE-2022-3515 | fixed | 9.8 | N | L | N | N | H

References:

https://security-tracker.debian.org/tracker/CVE-2022-47629

https://security-tracker.debian.org/tracker/CVE-2022-3515

Package upgrade (installed ===> fixed): libksba8_1.5.0-3_amd64.deb ===> libksba8_1.5.0-3+deb11u2_amd64.deb

Found during the December 2022 CVE scan using vulscan.

Yue Tao (wrytao)
information type: Public → Public Security
Changed in starlingx:
importance: Undecided → Critical
status: New → Triaged
assignee: nobody → Zhixiong Chi (zhixiongchi)
tags: added: stx.8.0 stx.security
Changed in starlingx:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote: Fix proposed to tools (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/starlingx/tools/+/869890

OpenStack Infra (hudson-openstack) wrote: Fix merged to tools (master)

Reviewed: https://review.opendev.org/c/starlingx/tools/+/869890
Committed: https://opendev.org/starlingx/tools/commit/b7351e6a70ed120b98b8a658d02db63207f61841
Submitter: "Zuul (22348)"
Branch: master

commit b7351e6a70ed120b98b8a658d02db63207f61841
Author: Zhixiong Chi <email address hidden>
Date: Sun Jan 8 23:58:23 2023 -0800

    Debian: libksba: CVE-2022-47629

    Upgrade libksba to 1.5.0-3+deb11u2 to fix CVE-2022-47629.
    libksba8_1.5.0-3+deb11u2

    Refer to:
    https://security-tracker.debian.org/tracker/DSA-5305-1

    TestPlan:
    PASS: build-pkgs -a -c
    PASS: build-image
    PASS: Jenkins Installation.

    Closes-Bug: 2002277

    Signed-off-by: Zhixiong Chi <email address hidden>
    Change-Id: I7830f4b0e700dbbe2cb84520a4228353d7e7c3da

Changed in starlingx:
status: In Progress → Fix Released
Yue Tao (wrytao)
summary: - [Debian] CVE: CVE-2022-47629: libksba : integer overflow vulnerability.
+ [Debian] CVE: CVE-2022-47629/CVE-2022-3515: libksba : integer overflow
+ vulnerability.
description: updated