Your submission was sent successfully! Close

CVE-2016-20013

Published: 19 February 2022

sha256crypt and sha512crypt through 0.6 allow attackers to cause a denial of service (CPU consumption) because the algorithm's runtime is proportional to the square of the length of the password.

Priority

Negligible

CVSS 3 base score: 7.5

Status

Package Release Status
dietlibc
Launchpad, Ubuntu, Debian
bionic Needs triage

focal Needs triage

impish Needs triage

jammy Needs triage

trusty Ignored
(out of standard support)
upstream Needs triage

xenial Ignored
(out of standard support)
eglibc
Launchpad, Ubuntu, Debian
bionic Does not exist

focal Does not exist

impish Does not exist

jammy Does not exist

trusty Needs triage

upstream Needs triage

xenial Does not exist

glibc
Launchpad, Ubuntu, Debian
bionic Deferred
(2022-06-01)
focal Deferred
(2022-06-01)
impish Deferred
(2022-06-01)
jammy Deferred
(2022-06-01)
trusty Does not exist

upstream Needs triage

xenial Deferred
(2022-06-01)
sssd
Launchpad, Ubuntu, Debian
bionic Needs triage

focal Needs triage

impish Needs triage

jammy Needs triage

trusty Ignored
(out of standard support)
upstream Needs triage

xenial Needs triage

syslinux
Launchpad, Ubuntu, Debian
bionic Needs triage

focal Needs triage

impish Needs triage

jammy Needs triage

trusty Needs triage

upstream Needs triage

xenial Needs triage

syslinux-legacy
Launchpad, Ubuntu, Debian
bionic Needs triage

focal Needs triage

impish Does not exist

jammy Does not exist

trusty Does not exist

upstream Needs triage

xenial Needs triage

uclibc
Launchpad, Ubuntu, Debian
trusty Ignored
(out of standard support)
upstream Needs triage

xenial Ignored
(out of standard support)
zabbix
Launchpad, Ubuntu, Debian
bionic Needs triage

focal Needs triage

impish Needs triage

jammy Needs triage

trusty Needs triage

upstream Needs triage

xenial Ignored
(out of standard support)

Notes

AuthorNote
seth-arnold
Actually addressing this will likely require every site that
is using these password storage formats to make plans for an orderly
transition to argon2 or scrypt or similar before making configuration
changes. We may mark all of these packages as 'ignored' without any
further work.
rodrigo-zaiden
Despite the risks of applying any changes, there are no
clues that glibc upstream will get this fixed. But just to make sure,
before marking as ignored, I will mark as deferred as of 2022-06-01
so we can revisit it in the future.

References