Skip to content

Commit d58265d

Browse files
committed
add the openssl cve we already posted on github
1 parent be2d72f commit d58265d

5 files changed

Lines changed: 123 additions & 1 deletion

File tree

.gitignore

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1,2 +1,3 @@
11
*.json
22
.idea
3+
scripts/output/

latest-id.txt

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1 +1 @@
1-
2025-4
1+
2025-6
Lines changed: 42 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,42 @@
1+
id: MNBSD-2022-0
2+
details: Fixes a security issue with NULL argv[0] entries, similar to the recent
3+
CVE with polkit on Linux. The current POC for that does not work on
4+
MidnightBSD since we don't use glibc, but proactively prevent similar issues.
5+
summary: Reject execve when new argc is zero
6+
affected:
7+
- package:
8+
name: kernel
9+
ecosystem: MidnightBSD
10+
ranges:
11+
- type: ECOSYSTEM
12+
events:
13+
- introduced: 0.1.0
14+
- fixed: 2.1.4
15+
versions:
16+
- 0.1.0
17+
- 0.1.1
18+
- 0.2.0
19+
- 0.2.1
20+
- 0.3.0
21+
- 0.4.0
22+
- 0.5.0
23+
- 0.6.0
24+
- 0.7.0
25+
- 0.8.0
26+
- 0.9.0
27+
- 1.0.0
28+
- 1.1.0
29+
- 1.2.0
30+
- 2.0.0
31+
- 2.0.1
32+
- 2.0.2
33+
- 2.1.0
34+
- 2.1.1
35+
- 2.1.2
36+
- 2.1.3
37+
references:
38+
- type: WEB
39+
url: https://github.com/MidnightBSD/src/commit/4348ca6320189db4db7e94d300f65d8c6f8a46ec
40+
aliases:
41+
modified: "2022-01-26T01:17:00.600Z"
42+
published: "2022-01-26T02:22:58.600Z"
Lines changed: 37 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,37 @@
1+
id: MNBSD-2022-1
2+
details: Fix multiple use after free and buffer overflows in libmport, a
3+
part of mport package manager.
4+
summary: multiple issues with memory handling in libmport
5+
affected:
6+
- package:
7+
name: mport
8+
ecosystem: MidnightBSD
9+
ranges:
10+
- type: ECOSYSTEM
11+
events:
12+
- introduced: 0.4.0
13+
- fixed: 2.1.5
14+
versions:
15+
- 0.4.0
16+
- 0.5.0
17+
- 0.6.0
18+
- 0.7.0
19+
- 0.8.0
20+
- 0.9.0
21+
- 1.0.0
22+
- 1.1.0
23+
- 1.2.0
24+
- 2.0.0
25+
- 2.0.1
26+
- 2.0.2
27+
- 2.1.0
28+
- 2.1.1
29+
- 2.1.2
30+
- 2.1.3
31+
- 2.1.4
32+
references:
33+
- type: WEB
34+
url: https://github.com/MidnightBSD/src/commit/3deeda3406d66bd4db3a9f464ae7f626910afccb
35+
aliases:
36+
modified: "2022-02-10T01:17:00.600Z"
37+
published: "2022-02-10T02:22:58.600Z"
Lines changed: 42 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,42 @@
1+
id: MNBSD-2025-6
2+
summary: Out-of-bounds read in OpenSSL
3+
details: An application trying to decrypt CMS messages encrypted using password based encryption can trigger an
4+
out-of-bounds read and write. This out-of-bounds read may trigger a crash which leads to Denial of
5+
Service for an application. The out-of-bounds write can cause a memory corruption which can have various consequences
6+
including a Denial of Service or Execution of attacker-supplied code. Although the consequences of a successful
7+
exploit of this vulnerability could be severe, the probability that the attacker would be able to perform it is low.
8+
Besides, password based (PWRI) encryption support in CMS messages is very rarely used. For that reason the issue was
9+
assessed as Moderate severity according to our Security Policy. The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0
10+
are not affected by this issue, as the CMS implementation is outside the OpenSSL FIPS module boundary.
11+
affected:
12+
- package:
13+
name: openssl
14+
ecosystem: MidnightBSD
15+
ranges:
16+
- type: ECOSYSTEM
17+
events:
18+
- introduced: 3.0.0
19+
- fixed: 3.2.4
20+
versions:
21+
- 3.0.0
22+
- 3.0.1
23+
- 3.0.2
24+
- 3.1.0
25+
- 3.1.1
26+
- 3.1.2
27+
- 3.1.3
28+
- 3.1.4
29+
- 3.1.5
30+
- 3.2.0
31+
- 3.2.1
32+
- 3.2.2
33+
- 3.2.3
34+
references:
35+
- type: WEB
36+
url: https://www.openssl.org/news/vulnerabilities.html#CVE-2025-9230
37+
- type: WEB
38+
url: https://github.com/MidnightBSD/src/commit/ad1cfffb414dd9f3e6787cd0e39c3d2b319addd5
39+
aliases:
40+
- CVE-2025-9230
41+
modified: "2025-09-30T10:30:00.600Z"
42+
published: "2025-09-30T10:30:00.600Z"

0 commit comments

Comments
 (0)