Web lists-archives.com

CVE tracking




Hi,

I received an email towards CVE-2018-1000159 (on tlslite-ng) and was about filing a bug
report against Debian BTS, but can't this CVE referenced neither in the NIST database nor in
the lists provided at MITRE.

However it appears the CVE have been assigned:

<cut>
{     "CVE_data_meta": {         "ASSIGNER": "kurt@xxxxxxxxxxxx",
"DATE_ASSIGNED": "2018-04-06T14:09:26.582381",         "DATE_REQUESTED":
"2018-03-27T07:54:48",         "ID": "CVE-2018-1000159",         "REQUESTER":
"hkario@xxxxxxxxxx"     },     "affects": {         "vendor": {
"vendor_data": [                 {                     "product": {
"product_data": [                             {
"product_name": "tlslite-ng",                                 "version": {
"version_data": [                                         {
"version_value": "0.7.3 and earlier, since commit
d7b288316bca7bcdd082e6ccff5491e241305233"
}                                     ]                                 }
}                         ]                     },                     "vend
 or_name": "tlslite-ng"                 }             ]         }     },
"data_format": "MITRE",     "data_type": "CVE",     "data_version": "4.0",
"description": {         "description_data": [             {
"lang": "eng",                 "value": "tlslite-ng version 0.7.3 and earlier,
since commit d7b288316bca7bcdd082e6ccff5491e241305233 contains a CWE-354:
Improper Validation of Integrity Check Value vulnerability in TLS
implementation, tlslite/utils/constanttime.py: ct_check_cbc_mac_and_pad();
line \"end_pos = data_len - 1 - mac.digest_size\" that can result in Attacker
can manipulate the TLS ciphertext and it won't be detected by receiving
tlslite-ng. This attack appear to be exploitable via man in the middle on a
network connection. This vulnerability appears to have been fixed in after
commit 3674815d1b0f7484454995e2737a352e0a6a93d8."             }         ]
},     "problemtype": {         "problemtype_data": [             {
"descrip
 tion": [                     {                         "lang": "eng",
"value": "CWE-354: Improper Validation of Integrity Check Value"
}                 ]             }         ]     },     "references": {
"reference_data": [             {                 "url": "https://github.com/
tomato42/tlslite-ng/pull/234"             }         ]     } }
</cut>

Where to look for an online reference?

Thanks,
DS

--
4096R/DF5182C8 (stender@xxxxxxxxxx)
http://www.danielstender.com/