CVE-2016-20013
Publication date 19 February 2022
Last updated 24 July 2024
Ubuntu priority
Cvss 3 Severity Score
sha256crypt and sha512crypt through 0.6 allow attackers to cause a denial of service (CPU consumption) because the algorithm's runtime is proportional to the square of the length of the password.
Status
Package | Ubuntu Release | Status |
---|---|---|
dietlibc | 24.10 oracular |
Needs evaluation
|
24.04 LTS noble |
Needs evaluation
|
|
22.04 LTS jammy |
Needs evaluation
|
|
20.04 LTS focal |
Needs evaluation
|
|
18.04 LTS bionic |
Needs evaluation
|
|
16.04 LTS xenial |
Needs evaluation
|
|
14.04 LTS trusty | Ignored end of standard support | |
eglibc | 24.10 oracular | Not in release |
24.04 LTS noble | Not in release | |
22.04 LTS jammy | Not in release | |
20.04 LTS focal | Not in release | |
18.04 LTS bionic | Not in release | |
16.04 LTS xenial | Not in release | |
14.04 LTS trusty |
Needs evaluation
|
|
glibc | 24.10 oracular |
Vulnerable, fix deferred
|
24.04 LTS noble |
Vulnerable, fix deferred
|
|
22.04 LTS jammy |
Vulnerable, fix deferred
|
|
20.04 LTS focal |
Vulnerable, fix deferred
|
|
18.04 LTS bionic |
Vulnerable, fix deferred
|
|
16.04 LTS xenial |
Vulnerable, fix deferred
|
|
14.04 LTS trusty | Not in release | |
sssd | 24.10 oracular |
Needs evaluation
|
24.04 LTS noble |
Needs evaluation
|
|
22.04 LTS jammy |
Needs evaluation
|
|
20.04 LTS focal |
Needs evaluation
|
|
18.04 LTS bionic |
Needs evaluation
|
|
16.04 LTS xenial |
Needs evaluation
|
|
14.04 LTS trusty | Ignored end of standard support | |
syslinux | 24.10 oracular |
Needs evaluation
|
24.04 LTS noble |
Needs evaluation
|
|
22.04 LTS jammy |
Needs evaluation
|
|
20.04 LTS focal |
Needs evaluation
|
|
18.04 LTS bionic |
Needs evaluation
|
|
16.04 LTS xenial |
Needs evaluation
|
|
14.04 LTS trusty |
Needs evaluation
|
|
syslinux-legacy | 24.10 oracular | Not in release |
24.04 LTS noble | Not in release | |
22.04 LTS jammy | Not in release | |
20.04 LTS focal |
Needs evaluation
|
|
18.04 LTS bionic |
Needs evaluation
|
|
16.04 LTS xenial |
Needs evaluation
|
|
14.04 LTS trusty | Not in release | |
uclibc | 16.04 LTS xenial | Ignored end of standard support |
14.04 LTS trusty | Ignored end of standard support | |
zabbix | 24.10 oracular |
Needs evaluation
|
24.04 LTS noble | Not in release | |
22.04 LTS jammy |
Needs evaluation
|
|
20.04 LTS focal |
Needs evaluation
|
|
18.04 LTS bionic |
Needs evaluation
|
|
16.04 LTS xenial |
Needs evaluation
|
|
14.04 LTS trusty |
Needs evaluation
|
Notes
seth-arnold
Actually addressing this will likely require every site that is using these password storage formats to make plans for an orderly transition to argon2 or scrypt or similar before making configuration changes. We may mark all of these packages as 'ignored' without any further work.
rodrigo-zaiden
Despite the risks of applying any changes, there are no clues that glibc upstream will get this fixed. But just to make sure, before marking as ignored, I will mark as deferred as of 2022-06-01 so we can revisit it in the future.
Severity score breakdown
Parameter | Value |
---|---|
Base score | 7.5 · High |
Attack vector | Network |
Attack complexity | Low |
Privileges required | None |
User interaction | None |
Scope | Unchanged |
Confidentiality | None |
Integrity impact | None |
Availability impact | High |
Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |