CVE-2016-20013
Publication date 19 February 2022
Last updated 14 August 2025
Ubuntu priority
sha256crypt and sha512crypt through 0.6 allow attackers to cause a denial of service (CPU consumption) because the algorithm's runtime is proportional to the square of the length of the password.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| eglibc | 25.04 plucky | Not in release |
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy | Not in release | |
| 20.04 LTS focal | Not in release | |
| 18.04 LTS bionic | Not in release | |
| 16.04 LTS xenial | Not in release | |
| 14.04 LTS trusty | Ignored | |
| glibc | 25.04 plucky | Ignored |
| 24.04 LTS noble | Ignored | |
| 22.04 LTS jammy | Ignored | |
| 20.04 LTS focal | Ignored | |
| 18.04 LTS bionic | Ignored | |
| 16.04 LTS xenial | Ignored | |
| 14.04 LTS trusty | Not in release | |
| syslinux-legacy | 25.04 plucky | Not in release |
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy | Not in release | |
| 20.04 LTS focal | Ignored | |
| 18.04 LTS bionic | Ignored | |
| 16.04 LTS xenial | Ignored | |
| 14.04 LTS trusty | Not in release | |
| dietlibc | 25.04 plucky | Ignored |
| 24.04 LTS noble | Ignored | |
| 22.04 LTS jammy | Ignored | |
| 20.04 LTS focal | Ignored | |
| 18.04 LTS bionic | Ignored | |
| 16.04 LTS xenial | Ignored | |
| 14.04 LTS trusty | Ignored end of standard support | |
| sssd | 25.04 plucky | Ignored |
| 24.04 LTS noble | Ignored | |
| 22.04 LTS jammy | Ignored | |
| 20.04 LTS focal | Ignored | |
| 18.04 LTS bionic | Ignored | |
| 16.04 LTS xenial | Ignored | |
| 14.04 LTS trusty | Ignored end of standard support | |
| syslinux | 25.04 plucky | Ignored |
| 24.04 LTS noble | Ignored | |
| 22.04 LTS jammy | Ignored | |
| 20.04 LTS focal | Ignored | |
| 18.04 LTS bionic | Ignored | |
| 16.04 LTS xenial | Ignored | |
| 14.04 LTS trusty | Ignored | |
| zabbix | 25.04 plucky | Ignored |
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy | Ignored | |
| 20.04 LTS focal | Ignored | |
| 18.04 LTS bionic | Ignored | |
| 16.04 LTS xenial | Ignored | |
| 14.04 LTS trusty | Ignored | |
| uclibc | 16.04 LTS xenial | Ignored end of standard support |
| 14.04 LTS trusty | Ignored end of standard support |
Notes
seth-arnold
Actually addressing this will likely require every site that is using these password storage formats to make plans for an orderly transition to argon2 or scrypt or similar before making configuration changes. We may mark all of these packages as 'ignored' without any further work.
rodrigo-zaiden
Despite the risks of applying any changes, there are no clues that glibc upstream will get this fixed. But just to make sure, before marking as ignored, I will mark as deferred as of 2022-06-01 so we can revisit it in the future.
mdeslaur
Marking this CVE as ignored as there is no way of fixing this.
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
7.5 · High
|
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity impact | None |
| Availability impact | High |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |