SUSE SLED15 / SLES15 / openSUSE 15 Security Update : rage-encryption (SUSE-SU-2023:4060-1)

medium Nessus Plugin ID 183017

Language:

Synopsis

The remote SUSE host is missing a security update.

Description

The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2023:4060-1 advisory.

-CVE-2023-42811: chosen ciphertext attack possible against aes-gcm (bsc#1215657)

* update vendor.tar.zst to contain aes-gcm >= 0.10.3

- Update to version 0.9.2+0:

* CI: Ensure `apt` repository is up-to-date before installing build deps
* CI: Build Linux releases using `ubuntu-20.04` runner
* CI: Remove most uses of `actions-rs` actions

- Update to version 0.9.2+0:

* Fix changelog bugs and add missing entry
* Document `PINENTRY_PROGRAM` environment variable
* age: Add `Decryptor::new_async_buffered`
* age: `impl AsyncBufRead for ArmoredReader`
* Pre-initialize vectors when the capacity is known, or use arrays
* Use `PINENTRY_PROGRAM` as environment variable for `pinentry`
* Document why `impl AsyncWrite for StreamWriter` doesn't loop indefinitely
* cargo update
* cargo vet prune
* Migrate to `cargo-vet 0.7`
* build(deps): bump svenstaro/upload-release-action from 2.5.0 to 2.6.1
* Correct spelling in documentation
* build(deps): bump codecov/codecov-action from 3.1.1 to 3.1.4
* StreamWriter AsyncWrite: fix usage with futures::io::copy()
* rage: Use `Decryptor::new_buffered`
* age: Add `Decryptor::new_buffered`
* age: `impl BufRead for ArmoredReader`
* Update Homebrew formula to v0.9.1
* feat/pinentry: Use env var to define pinentry binary

- Update to version 0.9.1+0:

* ssh: Fix parsing of OpenSSH private key format
* ssh: Support `[email protected]` ciphers for encrypted keys
* ssh: Add `[email protected]` cipher to test cases
* ssh: Extract common key material derivation logic for encrypted keys
* ssh: Use associated constants for key and IV sizes
* ssh: Add test cases for encrypted keys
- Add shell completions for fish and zsh.

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Update the affected rage-encryption and / or rage-encryption-bash-completion packages.

See Also

https://bugzilla.suse.com/1215657

https://www.suse.com/security/cve/CVE-2023-42811

http://www.nessus.org/u?b0d64fc3

Plugin Details

Severity: Medium

ID: 183017

File Name: suse_SU-2023-4060-1.nasl

Version: 1.1

Type: Local

Agent: unix

Published: 10/13/2023

Updated: 6/26/2026

Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Continuous Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security, Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.51

CVSS v2

Risk Factor: Medium

Base Score: 4.6

Temporal Score: 3.6

Vector: CVSS2#AV:L/AC:L/Au:S/C:C/I:N/A:N

CVSS Score Source: CVE-2023-42811

CVSS v3

Risk Factor: Medium

Base Score: 5.5

Temporal Score: 5

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:novell:suse_linux:rage-encryption, p-cpe:/a:novell:suse_linux:rage-encryption-bash-completion, cpe:/o:novell:suse_linux:15

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 10/12/2023

Vulnerability Publication Date: 9/21/2023

Reference Information

CVE: CVE-2023-42811

SuSE: SUSE-SU-2023:4060-1