CVE-2024-25714

Published: 11 February 2024

In Rhonabwy through 1.1.13, HMAC signature verification uses a strcmp function that is vulnerable to side-channel attacks, because it stops the comparison when the first difference is spotted in the two signatures. (The fix uses gnutls_memcmp, which has constant-time execution.)

Priority

Status

Package	Release	Status
rhonabwy Launchpad, Ubuntu, Debian	bionic	Does not exist
	focal	Does not exist
	jammy	Needs triage
	mantic	Ignored (end of life, was needs-triage)
	noble	Needs triage
	trusty	Does not exist
	upstream	Needs triage
	xenial	Does not exist
	Patches: upstream: https://github.com/babelouest/rhonabwy/commit/f9fd9a1c77e48b514ebb3baf0360f87eef3d846e

References

https://www.cve.org/CVERecord?id=CVE-2024-25714
NVD
Launchpad
Debian

Join the discussion

Ubuntu security updates mailing list
Security announcements mailing list

Canonical is offering Expanded Security Maintenance

Canonical is offering Ubuntu Expanded Security Maintenance (ESM) for security fixes and essential packages.