[Secure-testing-team] Bug#866257: tpm2-tools: CVE-2017-7524
Salvatore Bonaccorso
carnil at debian.org
Wed Jun 28 19:29:05 UTC 2017
Source: tpm2-tools
Version: 1.1-1
Severity: important
Tags: security upstream patch

Hi,

the following vulnerability was published for tpm2-tools.

CVE-2017-7524[0]:
| tpm2-tools versions before 1.1.1 are vulnerable to a password leak due
| to transmitting password in plaintext from client to server when
| generating HMAC.

The code evolved quite a bit after
462f35ad5de538cf5961806918a18c22add92c00 upstream, but the issue
should be present back and before there in the source.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-7524
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7524
[1] https://github.com/01org/tpm2.0-tools/commit/c5d72beaab1cbbbe68271f4bc4b6670d69985157

Regards,
Salvatore