CVE text: "A flaw was found in all released versions of m2crypto, where they are vulnerable to Bleichenbacher timing attacks in the RSA decryption API via the timed processing of valid PKCS#1 v1.5 Ciphertext. The highest threat from this vulnerability is to confidentiality." The CVE references https://gitlab.com/m2crypto/m2crypto/-/issues/285 but that gets called a duplicate of a private bug. So, it's unclear if this has been fixed, but no recent commits seem relevant.
This needs to be fixed upstream in openssl, it seems: https://github.com/openssl/openssl/issues/13421. (See: https://gitlab.com/m2crypto/m2crypto/-/issues/285#note_486806844).
Package list is empty or all packages have requested keywords.
From 0.39.0 release notes: +- Mitigate the Bleichenbacher timing attacks in the RSA + decryption API (CVE-2020-25657)
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7bb1942539605a4b4194a60b007aec3ca57a9139 commit 7bb1942539605a4b4194a60b007aec3ca57a9139 Author: Sam James <sam@gentoo.org> AuthorDate: 2023-07-05 01:23:08 +0000 Commit: Sam James <sam@gentoo.org> CommitDate: 2023-07-05 01:23:38 +0000 dev-python/m2crypto: add 0.39.0 Bug: https://bugs.gentoo.org/765166 Signed-off-by: Sam James <sam@gentoo.org> dev-python/m2crypto/Manifest | 1 + dev-python/m2crypto/m2crypto-0.39.0.ebuild | 71 ++++++++++++++++++++++++++++++ 2 files changed, 72 insertions(+)
cleanup done.
GLSA vote: no.