CVE tracking
Hi,
I received an email towards CVE-2018-1000159 (on tlslite-ng) and was about filing a bug
report against Debian BTS, but can't this CVE referenced neither in the NIST database nor in
the lists provided at MITRE.
However it appears the CVE have been assigned:
<cut>
{ "CVE_data_meta": { "ASSIGNER": "kurt@seifried.org",
"DATE_ASSIGNED": "2018-04-06T14:09:26.582381", "DATE_REQUESTED":
"2018-03-27T07:54:48", "ID": "CVE-2018-1000159", "REQUESTER":
"hkario@redhat.com" }, "affects": { "vendor": {
"vendor_data": [ { "product": {
"product_data": [ {
"product_name": "tlslite-ng", "version": {
"version_data": [ {
"version_value": "0.7.3 and earlier, since commit
d7b288316bca7bcdd082e6ccff5491e241305233"
} ] }
} ] }, "vend
or_name": "tlslite-ng" } ] } },
"data_format": "MITRE", "data_type": "CVE", "data_version": "4.0",
"description": { "description_data": [ {
"lang": "eng", "value": "tlslite-ng version 0.7.3 and earlier,
since commit d7b288316bca7bcdd082e6ccff5491e241305233 contains a CWE-354:
Improper Validation of Integrity Check Value vulnerability in TLS
implementation, tlslite/utils/constanttime.py: ct_check_cbc_mac_and_pad();
line \"end_pos = data_len - 1 - mac.digest_size\" that can result in Attacker
can manipulate the TLS ciphertext and it won't be detected by receiving
tlslite-ng. This attack appear to be exploitable via man in the middle on a
network connection. This vulnerability appears to have been fixed in after
commit 3674815d1b0f7484454995e2737a352e0a6a93d8." } ]
}, "problemtype": { "problemtype_data": [ {
"descrip
tion": [ { "lang": "eng",
"value": "CWE-354: Improper Validation of Integrity Check Value"
} ] } ] }, "references": {
"reference_data": [ { "url": "https://github.com/
tomato42/tlslite-ng/pull/234" } ] } }
</cut>
Where to look for an online reference?
Thanks,
DS
--
4096R/DF5182C8 (stender@debian.org)
http://www.danielstender.com/
Reply to: