Your submission was sent successfully! Close

You have successfully unsubscribed! Close

CVE-2013-2566

Published: 15 March 2013

The RC4 algorithm, as used in the TLS protocol and SSL protocol, has many single-byte biases, which makes it easier for remote attackers to conduct plaintext-recovery attacks via statistical analysis of ciphertext in a large number of sessions that use the same plaintext.

Notes

AuthorNote
jdstrand 
this is a protocol problem not specific to openssl. Using openssl
as a placeholder until more information is available
marking low for now until more information is available. At present,
naive attacks need tens to hundreds of millions of TLS connections. Optimized
attacks are not present yet.
marking deferred since there is no consensus on what to do (we can't
just disable RC4)
mdeslaur 
marking as ignored since there is no actionable item

Priority

Low

CVSS 3 base score: 5.9

Status

Package Release Status
firefox
Launchpad, Ubuntu, Debian 		lucid Ignored
(reached end-of-life)
precise
Released (25.0.1+build1-0ubuntu0.12.04.1)
quantal
Released (25.0.1+build1-0ubuntu0.12.10.1)
raring
Released (25.0.1+build1-0ubuntu0.13.04.1)
saucy
Released (25.0.1+build1-0ubuntu0.13.10.1)
upstream
Released (25.0.1)
openssl
Launchpad, Ubuntu, Debian 		hardy Ignored

lucid Ignored

oneiric Ignored

precise Ignored

quantal Ignored

raring Ignored

saucy Ignored

upstream Needs triage

thunderbird
Launchpad, Ubuntu, Debian 		lucid Ignored
(reached end-of-life)
precise
Released (1:24.1.1+build1-0ubuntu0.12.04.1)
quantal
Released (1:24.1.1+build1-0ubuntu0.12.10.1)
raring
Released (1:24.1.1+build1-0ubuntu0.13.04.1)
saucy
Released (1:24.1.1+build1-0ubuntu0.13.10.1)
upstream
Released (24.1.1)

References

Join the discussion

Canonical is offering Expanded Security Maintenance

Canonical is offering Ubuntu Expanded Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›

Further reading