Headline
CVE-2022-39237: Digital Signature Hash Algorithms Not Validated
syslabs/sif is the Singularity Image Format (SIF) reference implementation. In versions prior to 2.8.1the github.com/sylabs/sif/v2/pkg/integrity
package did not verify that the hash algorithm(s) used are cryptographically secure when verifying digital signatures. A patch is available in version >= v2.8.1 of the module. Users are encouraged to upgrade. Users unable to upgrade may independently validate that the hash algorithm(s) used for metadata digest(s) and signature hash are cryptographically secure.
Impact
The github.com/sylabs/sif/v2/pkg/integrity package does not verify that the hash algorithm(s) used are cryptographically secure when verifying digital signatures.
Patches
A patch is available in version >= v2.8.1 of the module. Users are encouraged to upgrade.
Workarounds
Users may independently validate that the hash algorithm(s) used for metadata digest(s) and signature hash are cryptographically secure.
References
- CVE-2004-2761
- CVE-2005-4900
For more information
If you have any questions or comments about this advisory:
- Open an issue in github.com/sylabs/sif
- Email us at [email protected]
Related news
A vulnerability has been identified in PT-G503 Series firmware versions prior to v5.2, where the Secure attribute for sensitive cookies in HTTPS sessions is not set, which could cause the cookie to be transmitted in plaintext over an HTTP session. The vulnerability may lead to security risks, potentially exposing user session data to unauthorized access and manipulation.
### Impact The `github.com/sylabs/sif/v2/pkg/integrity` package does not verify that the hash algorithm(s) used are cryptographically secure when verifying digital signatures. ### Patches A patch is available in version >= v2.8.1 of the module. Users are encouraged to upgrade. ### Workarounds Users may independently validate that the hash algorithm(s) used for metadata digest(s) and signature hash are cryptographically secure. ### References * [CVE-2004-2761](https://nvd.nist.gov/vuln/detail/cve-2004-2761) * [CVE-2005-4900](https://nvd.nist.gov/vuln/detail/cve-2005-4900) ### For more information If you have any questions or comments about this advisory: * Open an issue in [github.com/sylabs/sif](https://github.com/sylabs/sif/issues/new) * Email us at [[email protected]](mailto:[email protected])
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).