MGASA-2020-0315

See a problem?
Please try reporting it to the source first.

Source

https://advisories.mageia.org/MGASA-2020-0315.html

Import Source

https://advisories.mageia.org/MGASA-2020-0315.json

JSON Data

https://api.osv.dev/v1/vulns/MGASA-2020-0315

Published

2020-08-16T12:06:16Z

Modified

2026-04-16T04:25:46.900276Z

Summary

Updated mumble packages fix security vulnerability

Details

Updated mumble package fixes security vulnerability:

OCB2 is known to be broken under certain conditions: https://eprint.iacr.org/2019/311

To execute the universal attacks described in the paper, an attacker needs access to an encryption oracle that allows it to perform encryption queries with attacker-chosen nonce. Luckily in Mumble the encryption nonce is a fixed counter which is far too restrictive for the universal attacks to be feasible against Mumble.

The basic attacks do not require an attacker-chosen nonce and as such are more applicable to Mumble. They are however of limited use and do require an en- and a decryption oracle which Mumble seemingly does not provide at the same time.

To be on the safe side, this commit implements the counter-cryptanalysis measure described in the paper in section 9 for the sender and receiver side. This way if either server of client are patched, their communication is almost certainly (merely lacking formal proof) not susceptible to the attacks described in the paper.

Fixed: Potential exploit in the OCB2 encryption (#4227)

References

Credits

- Mageia - COORDINATOR
- - https://wiki.mageia.org/en/Packages_Security_Team

Affected packages

Mageia:7 / mumble

Package

Name: mumble
Purl: pkg:rpm/mageia/mumble?arch=source&distro=mageia-7

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.3.2-1.mga7

Ecosystem specific

{
    "section": "core"
}

Database specific

source

"https://advisories.mageia.org/MGASA-2020-0315.json"