[Git][security-tracker-team/security-tracker][master] Add set of octopki related CVEs (cfrpki)

Salvatore Bonaccorso (@carnil) carnil at debian.org
Fri Nov 12 08:25:51 GMT 2021



Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
198632d9 by Salvatore Bonaccorso at 2021-11-12T09:25:15+01:00
Add set of octopki related CVEs (cfrpki)

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -2297,17 +2297,29 @@ CVE-2021-43034
 CVE-2021-43033
 	RESERVED
 CVE-2021-3912 (OctoRPKI tries to load the entire contents of a repository in memory,  ...)
-	TODO: check
+	- cfrpki 1.4.0-1
+	NOTE: https://github.com/cloudflare/cfrpki/security/advisories/GHSA-g9wh-3vrx-r7hg
+	TODO: check correctness, there is distinction on github.com/cloudflare/cfrpki/cmd/octorpki and github.com/cloudflare/cfrpki/pki
 CVE-2021-3911 (If the ROA that a repository returns contains too many bits for the IP ...)
-	TODO: check
+	- cfrpki 1.4.0-1
+	NOTE: https://github.com/cloudflare/cfrpki/security/advisories/GHSA-w6ww-fmfx-2x22
+	TODO: check correctness, there is distinction on github.com/cloudflare/cfrpki/cmd/octorpki and github.com/cloudflare/cfrpki/pki
 CVE-2021-3910 (OctoRPKI crashes when encountering a repository that returns an invali ...)
-	TODO: check
+	- cfrpki 1.4.0-1
+	NOTE: https://github.com/cloudflare/cfrpki/security/advisories/GHSA-5mxh-2qfv-4g7j
+	TODO: check correctness, there is distinction on github.com/cloudflare/cfrpki/cmd/octorpki and github.com/cloudflare/cfrpki/pki
 CVE-2021-3909 (OctoRPKI does not limit the length of a connection, allowing for a slo ...)
-	TODO: check
+	- cfrpki 1.4.0-1
+	NOTE: https://github.com/cloudflare/cfrpki/security/advisories/GHSA-8cvr-4rrf-f244
+	TODO: check correctness, there is distinction on github.com/cloudflare/cfrpki/cmd/octorpki and github.com/cloudflare/cfrpki/pki
 CVE-2021-3908 (OctoRPKI does not limit the depth of a certificate chain, allowing for ...)
-	TODO: check
+	- cfrpki 1.4.0-1
+	NOTE: https://github.com/cloudflare/cfrpki/security/advisories/GHSA-g5gj-9ggf-9vmq
+	TODO: check correctness, there is distinction on github.com/cloudflare/cfrpki/cmd/octorpki and github.com/cloudflare/cfrpki/pki
 CVE-2021-3907 (OctoRPKI does not escape a URI with a filename containing "..", this a ...)
-	TODO: check
+	- cfrpki 1.4.0-1
+	NOTE: https://github.com/cloudflare/cfrpki/security/advisories/GHSA-cqh2-vc2f-q4fh
+	TODO: check correctness, there is distinction on github.com/cloudflare/cfrpki/cmd/octorpki and github.com/cloudflare/cfrpki/pki
 CVE-2021-3906 (bookstack is vulnerable to Unrestricted Upload of File with Dangerous  ...)
 	NOT-FOR-US: bookstack
 CVE-2018-25019 (The LearnDash LMS WordPress plugin before 2.5.4 does not have any auth ...)
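Review bot: each of the six entries now records "- cfrpki 1.4.0-1" as the fixed version while keeping a "TODO: check correctness" line beneath it, which is contradictory for the tracker's consumers: a fixed-version line is treated as authoritative, so either the 1.4.0-1 claim has been checked against the "patched versions" field of each linked GHSA advisory (in which case drop the TODO), or it has not (in which case keep "TODO: check" and withhold the version). The distinction the TODO raises between github.com/cloudflare/cfrpki/cmd/octorpki and github.com/cloudflare/cfrpki/pki is the part that actually needs resolving before the version is committed: if a given flaw lives in the pki library module rather than the octorpki command, the fix version applies to anything consuming that module, not just the octorpki binary, and the entry's NOTE should say which of the two the advisory names. Also, the six TODO lines are identical; if the check is the same for all of them, one NOTE on the first entry stating the outcome of that check would be clearer than repeating the open question six times.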



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/198632d92305243f4df6f31309df49eee83972ef




