Date: Mon, 12 Sep 2022 12:58:36 GMT From: Ashish SHUKLA <ashish@FreeBSD.org> To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org Subject: git: 894d2b9662fa - main - security/vuxml: Document vulnerability for net-im/dendrite Message-ID: <202209121258.28CCwaJv003573@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help
The branch main has been updated by ashish: URL: https://cgit.FreeBSD.org/ports/commit/?id=894d2b9662fa0ab0003e21fd8aee433bdf08e3ec commit 894d2b9662fa0ab0003e21fd8aee433bdf08e3ec Author: Ashish SHUKLA <ashish@FreeBSD.org> AuthorDate: 2022-09-12 12:53:25 +0000 Commit: Ashish SHUKLA <ashish@FreeBSD.org> CommitDate: 2022-09-12 12:56:53 +0000 security/vuxml: Document vulnerability for net-im/dendrite --- security/vuxml/vuln-2022.xml | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) diff --git a/security/vuxml/vuln-2022.xml b/security/vuxml/vuln-2022.xml index d355a810401b..b0bb4fbf124a 100644 --- a/security/vuxml/vuln-2022.xml +++ b/security/vuxml/vuln-2022.xml @@ -1,3 +1,34 @@ + <vuln vid="4ebaa983-3299-11ed-95f8-901b0e9408dc"> + <topic>dendrite -- Signature checks not applied to some retrieved missing events</topic> + <affects> + <package> + <name>dendrite</name> + <range><lt>0.9.8</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml">; + <p>Dendrite team reports:</p> + <blockquote cite="https://github.com/matrix-org/dendrite/security/advisories/GHSA-pfw4-xjgm-267c">; + <p>Events retrieved from a remote homeserver using /get_missing_events did + not have their signatures verified correctly. This could potentially allow + a remote homeserver to provide invalid/modified events to Dendrite via this + endpoint.</p> + <p>Note that this does not apply to events retrieved through other endpoints + (e.g. /event, /state) as they have been correctly verified.</p> + <p>Homeservers that have federation disabled are not vulnerable.</p> + </blockquote> + </body> + </description> + <references> + <url>https://github.com/matrix-org/dendrite/security/advisories/GHSA-pfw4-xjgm-267c</url>; + </references> + <dates> + <discovery>2022-09-12</discovery> + <entry>2022-09-12</entry> + </dates> + </vuln> + <vuln vid="f75722ce-31b0-11ed-8b56-0800277bb8a8"> <topic>gitea -- multiple issues</topic> <affects>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202209121258.28CCwaJv003573>