[Git][security-tracker-team/security-tracker][master] Add additional notes to two CVEs relating to the marvin attack
Salvatore Bonaccorso (@carnil)
carnil at debian.org
Sun Jan 12 13:09:41 GMT 2025
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
d4414f78 by Salvatore Bonaccorso at 2025-01-12T14:08:55+01:00
Add additional notes to two CVEs relating to the marvin attack
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -950,6 +950,10 @@ CVE-2025-0306 (A vulnerability was found in Ruby. The Ruby interpreter is vulner
- ruby2.7 <removed>
NOTE: First upload of OpenSSL 3.2 to unstable was 3.2.1-3 on 04 Apr 2024
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2336100
+ NOTE: https://people.redhat.com/~hkario/marvin/
+ NOTE: Using OpenSSL/3.2.0 or later does not guarantee to mitigate the issue in all
+ NOTE: cases, but at least when using the default provider. It will be always up to
+ NOTE: the application to properly defend against this attack vector.
CVE-2025-0283 (A stack-based buffer overflow in Ivanti Connect Secure before version ...)
NOT-FOR-US: Ivanti
CVE-2025-0282 (A stack-based buffer overflow in Ivanti Connect Secure before version ...)
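Review bot: The wording of the added NOTE lines ("does not guarantee to mitigate the issue in all cases, but at least when using the default provider") is ambiguous about what the default-provider clause qualifies; a reader cannot tell whether OpenSSL 3.2.0+ is expected to mitigate Marvin only when the default provider is used, or whether non-default providers are known not to be covered. Suggest stating it explicitly, e.g. "NOTE: OpenSSL 3.2.0 or later is only expected to mitigate the issue when the default provider is used; other providers are not covered, and the application must still defend against this attack vector." This also keeps the note consistent with the existing line "First upload of OpenSSL 3.2 to unstable was 3.2.1-3 on 04 Apr 2024", which is the version this entry relies on.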
@@ -56958,6 +56962,7 @@ CVE-2024-2408 (The openssl_private_decrypt function in PHP, when using PKCS1 pad
- php7.3 <removed>
[buster] - php7.3 <postponed> (Minor issue, revisit when fixed upstream)
NOTE: https://github.com/php/php-src/security/advisories/GHSA-hh26-4ppw-5864
+ NOTE: https://people.redhat.com/~hkario/marvin/
NOTE: The fix requires support in openssl. Marking the first upload of php8.2 to unstable
NOTE: after openssl 3.2.1-3 was uploaded to unstable in 04 Apr 2024 as the fixed version (8.2.18-1)
CVE-2024-25929 (Missing Authorization vulnerability in MultiVendorX Product Catalog En ...)
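Review bot: Only the Marvin reference URL is added to CVE-2024-2408, while the existing NOTE lines here ("The fix requires support in openssl" and the 8.2.18-1 fixed version derived from the openssl 3.2.1-3 upload) carry the same OpenSSL dependency that the Ruby entry in the first hunk now qualifies with the default-provider caveat. For consistency, consider adding the same caveat to this entry, so the PHP fixed-version marking is not read as a complete mitigation independent of the provider in use.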
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d4414f789f3bf48ab6c9dc179cb564bb713f6d47