[Git][security-tracker-team/security-tracker][master] Add additional notes to two CVEs relating to the marvin attack

Salvatore Bonaccorso (@carnil) carnil at debian.org
Sun Jan 12 13:09:41 GMT 2025 


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
d4414f78 by Salvatore Bonaccorso at 2025-01-12T14:08:55+01:00
Add additional notes to two CVEs relating to the marvin attack

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -950,6 +950,10 @@ CVE-2025-0306 (A vulnerability was found in Ruby. The Ruby interpreter is vulner
 	- ruby2.7 <removed>
 	NOTE: First upload of OpenSSL 3.2 to unstable was 3.2.1-3 on 04 Apr 2024
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2336100
+	NOTE: https://people.redhat.com/~hkario/marvin/
+	NOTE: Using OpenSSL/3.2.0 or later does not guarantee to mitigate the issue in all
+	NOTE: cases, but at least when using the default provider. It will be always up to
+	NOTE: the application to properly defend against this attack vector.
 CVE-2025-0283 (A stack-based buffer overflow in Ivanti Connect Secure before version  ...)
 	NOT-FOR-US: Ivanti
 CVE-2025-0282 (A stack-based buffer overflow in Ivanti Connect Secure before version  ...)
@@ -56958,6 +56962,7 @@ CVE-2024-2408 (The openssl_private_decrypt function in PHP, when using PKCS1 pad
 	- php7.3 <removed>
 	[buster] - php7.3 <postponed> (Minor issue, revisit when fixed upstream)
 	NOTE: https://github.com/php/php-src/security/advisories/GHSA-hh26-4ppw-5864
+	NOTE: https://people.redhat.com/~hkario/marvin/
 	NOTE: The fix requires support in openssl. Marking the first upload of php8.2 to unstable
 	NOTE: after openssl 3.2.1-3 was uploaded to unstable in 04 Apr 2024 as the fixed version (8.2.18-1)
 CVE-2024-25929 (Missing Authorization vulnerability in MultiVendorX Product Catalog En ...)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d4414f789f3bf48ab6c9dc179cb564bb713f6d47

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d4414f789f3bf48ab6c9dc179cb564bb713f6d47
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20250112/f8b6259d/attachment.htm>

More information about the debian-security-tracker-commits mailing list