
Security Vulnerability: Alpine Linux 3.20, 3.21 - openssl Man-in-the-Middle Vulnerability - 3.3.3-r0

Open shwethadec01 opened this issue 7 months ago • 2 comments

We have found a security vulnerability w.r.t. OpenSSL for NVIDIA/Cuda; kindly have a look and provide the fix.

Summary

Inclusion of vulnerable OpenSSL from Alpine base image

Details

TLS and DTLS connections using raw public keys may be vulnerable to man-in-the-middle attacks when server authentication failure is not detected by clients. RPKs are disabled by default in both TLS clients and TLS servers. Clients using RFC7250 Raw Public Keys (RPKs) to authenticate a server may fail to notice that the server was not authenticated, because handshakes don't abort as expected when the SSL_VERIFY_PEER verification mode is set. [CVE-2024-12797]

Vendor Affected Components:

- Alpine Linux: 3.20
- Alpine Linux: 3.21

Action Required

Upgrade the base Alpine image and ensure OpenSSL is patched.

CVEs:

CVE-2024-12797

shwethadec01, May 06 '25 12:05
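A check for the "Action Required" step above, as an added example that is not part of this issue or of the cuda-samples project: it parses the output of `apk list --installed` from an Alpine-based image and flags an openssl package older than the 3.3.3-r0 release named in the title. The sample package list is constructed, and the version parser assumes plain numeric Alpine versions of the `X.Y.Z-rN` form.

```python
"""Flag an Alpine-based image whose installed openssl package predates the
fixed release named in the issue (openssl 3.3.3-r0 for CVE-2024-12797).
Input is the text of `apk list --installed`; the sample below is constructed."""
import re
from typing import Optional, Tuple

FIXED_OPENSSL = "3.3.3-r0"  # fixed version taken from the issue title

# Constructed sample of `apk list --installed` output from a vulnerable image.
SAMPLE_APK_LIST = """\
ca-certificates-bundle-20240705-r0 x86_64 {ca-certificates} (MPL-2.0 AND MIT) [installed]
libcrypto3-3.3.2-r1 x86_64 {openssl} (Apache-2.0) [installed]
libssl3-3.3.2-r1 x86_64 {openssl} (Apache-2.0) [installed]
musl-1.2.5-r0 x86_64 {musl} (MIT) [installed]
openssl-3.3.2-r1 x86_64 {openssl} (Apache-2.0) [installed]
"""

# One apk line: "<name>-<version>-r<release> <arch> {origin} (<license>) [installed]".
# The package name is matched lazily so that names with dashes still split
# at the first "-<digit>" boundary, which is where apk puts the version.
_APK_LINE = re.compile(r"^(?P<pkg>\S+?)-(?P<ver>\d[^\s-]*)-r(?P<rel>\d+)\s")


def parse_apk_version(version: str) -> Tuple[Tuple[int, ...], int]:
    """Split '3.3.2-r1' into ((3, 3, 2), 1) so tuples compare numerically.
    Assumption: plain numeric versions only (no _alpha/_pre/_p suffixes)."""
    base, _, rel = version.partition("-r")
    return tuple(int(part) for part in base.split(".")), int(rel or 0)


def is_vulnerable(installed: str, fixed: str = FIXED_OPENSSL) -> bool:
    """True when the installed package version sorts before the fixed one."""
    return parse_apk_version(installed) < parse_apk_version(fixed)


def find_openssl(apk_list: str) -> Optional[str]:
    """Return the installed openssl version string, or None if absent."""
    for line in apk_list.splitlines():
        m = _APK_LINE.match(line)
        if m and m.group("pkg") == "openssl":
            return f"{m.group('ver')}-r{m.group('rel')}"
    return None


def audit(apk_list: str) -> str:
    """Give a one-line verdict for the image's openssl package."""
    installed = find_openssl(apk_list)
    if installed is None:
        return "openssl not installed"
    if is_vulnerable(installed):
        return f"VULNERABLE: openssl {installed} < {FIXED_OPENSSL} (CVE-2024-12797)"
    return f"ok: openssl {installed} >= {FIXED_OPENSSL}"


if __name__ == "__main__":
    print(audit(SAMPLE_APK_LIST))
```

To audit a real image, feed it `docker run --rm <image> apk list --installed` output instead of the constructed sample.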

Hi Team, As it's been a while without a response, could you please provide an update and let us know if the issue has been acknowledged?

shwethadec01, May 10 '25 10:05

Please also consider the following newly disclosed vulnerability:

Security Vulnerability: GNU C Library (glibc) 2.13 <= 2.40 - Local Arbitrary Code Execution Vulnerability - 2.41

- Affected Versions: 2.13 to 2.40
- Fixed in: 2.41
- Impact: Local Arbitrary Code Execution
- Reference: GLIBC-SA-2025-0001

shwethadec01, May 11 '25 11:05