[Git][security-tracker-team/security-tracker][master] add entries for ALPACA

Tue, 20 Jul 2021 06:43:13 -0700 


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
98dee458 by Moritz Muehlenhoff at 2021-07-20T15:42:37+02:00
add entries for ALPACA

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -3363,7 +3363,24 @@ CVE-2021-35475 (SAS Environment Manager 2.5 allows XSS 
through the Name field wh
 CVE-2021-3618
        RESERVED
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1975623
-       TODO: check details, protocol implementation issue for various TLS 
servers implementations
+       NOTE: https://alpaca-attack.com/
+       NOTE: Generic TLS protocol issue, some applications have released 
mitigations:
+       NOTE: nginx: http://hg.nginx.org/nginx/rev/ec1071830799
+       NOTE: vsftpd: https://security.appspot.com/vsftpd/Changelog.txt (3.0.4)
+       NOTE:    * Close the control connection after 10 unknown commands 
pre-login.
+       NOTE:    * Reject any TLS ALPN advertisement that's not 'ftp'.
+       NOTE:    * Add ssl_sni_hostname option to require a match on incoming 
SNI hostname.
+       NOTE: sendmail: Fixed in 3.16.1: 
https://marc.info/?l=sendmail-announce&m=159394546814125&w=2
+       NOTE: exim4 has config option: 
https://lists.exim.org/lurker/message/20210609.200324.f0e073ed.el.html
+       - nginx <unfixed>
+       [bullseye] - nginx <no-dsa> (Minor issue)
+       [buster] - nginx <no-dsa> (Minor issue)
+       - vsftpd <unfixed>
+       [bullseye] - vsftpd <no-dsa> (Minor issue)
+       [buster] - vsftpd <no-dsa> (Minor issue)
+       - sendmail <unfixed>
+       [bullseye] - sendmail <no-dsa> (Minor issue)
+       [buster] - sendmail <no-dsa> (Minor issue)
 CVE-2021-3617
        RESERVED
 CVE-2021-3616



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/98dee4586efa00b964e4de5d25fab967d528ca8b

-- 
View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/98dee4586efa00b964e4de5d25fab967d528ca8b
You're receiving this email because of your account on salsa.debian.org.



_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits

Reply via email to