Debian M2Crypto vulnerabilities

3 known vulnerabilities affecting debian/m2crypto.

Total CVEs: 3
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 1, MEDIUM 1, LOW 1

Vulnerabilities

CVE-2023-50781 | HIGH | CVSS 7.5 | fixed in m2crypto 0.40.1-3 (trixie) | 2023
CVE-2023-50781 [HIGH] m2crypto: A flaw was found in m2crypto. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data.
Scope: local. bookworm: open; bullseye: open; trixie: resolved (fixed in 0.40.1-3)
debian
CVE-2020-25657 | MEDIUM | CVSS 5.9 | fixed in m2crypto 0.38.0-4 (bookworm) | 2020
CVE-2020-25657 [MEDIUM] m2crypto: A flaw was found in all released versions of m2crypto, where they are vulnerable to Bleichenbacher timing attacks in the RSA decryption API via the timed processing of valid PKCS#1 v1.5 Ciphertext. The highest threat from this vulnerability is to confidentiality.
Scope: local. bookworm: resolved (fixed in 0.38.0-4); bullseye: open; trixie: resolved (fixed in 0.38.0-
debian
CVE-2009-0127 | LOW | CVSS 5.8 | 2009
CVE-2009-0127 [MEDIUM] m2crypto: M2Crypto does not properly check the return value from the OpenSSL EVP_VerifyFinal, DSA_verify, ECDSA_verify, DSA_do_verify, and ECDSA_do_verify functions, which might allow remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature, a similar vulnerability to CVE-2008-5077. NOTE: a Linux vendor disputes the relevance of this r
debian