SB2020020727 - Improper Certificate Validation in 6cord (Alpine package)
Published: February 7, 2020
Security Bulletin ID
SB2020020727
Severity
Medium
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Denial of service
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Improper Certificate Validation (CVE-ID: CVE-2020-7919)
The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
Go before 1.12.16 and 1.13.x before 1.13.7 (and the crypto/cryptobyte package before 0.0.0-20200124225646-8b5121be2f68 for Go) allows attacks on clients (resulting in a panic) via a malformed X.509 certificate.
Remediation
Install update from vendor's website.
References
- https://git.alpinelinux.org/aports/commit/?id=733214445280ab1c9627ef9f6131859fa5f2a399
- https://git.alpinelinux.org/aports/commit/?id=e17e60defb78d6909cf8595594b434e23d2a5319
- https://git.alpinelinux.org/aports/commit/?id=ea04c3a72c5eb3a6fcacdfde5c14c29c3db670a2
- https://git.alpinelinux.org/aports/commit/?id=a3bdef0b8a07a73c0c80fa951bf2ff84910c1b3b
- https://git.alpinelinux.org/aports/commit/?id=573b7537c7e1ab2732007a1d026a913613ca2d03
- https://git.alpinelinux.org/aports/commit/?id=17caf1ca31bcf51f92d7f466d287824869ec3f25
- https://git.alpinelinux.org/aports/commit/?id=c64d2552678a7126d5e1d18ac54ea0ee126298d9
- https://git.alpinelinux.org/aports/commit/?id=c325c4cf49fc80b50d1eac10a708571fe54dd4a0
- https://git.alpinelinux.org/aports/commit/?id=3b2d519d19eed612aeaf0a62ee9003e23cbe7c2f