From nobody Thu May 28 05:30:22 2026
X-Original-To: dev-commits-ports-main@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gQw733Hmbz6f5dx
	for <dev-commits-ports-main@mlmmj.nyi.freebsd.org>; Thu, 28 May 2026 05:30:23 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4gQw7245f5z3RRr
	for <dev-commits-ports-main@FreeBSD.org>; Thu, 28 May 2026 05:30:22 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim;
	t=1779946222;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=1rrnpJ4ZXOywSfT4pmxtEoP37BQdQjNEuiGD6Oefn54=;
	b=itEvJFh0injGNV83N94+bVvYXKrZQQ/xb3a+1Scarjnz51ClfvPngkuRnXDDbuqq/1IzME
	diPjE+6SmY0f4Ulnd/cqPmoFCtTlzjCf7mtYe0sgSeQgyKe/t11JCSRhxDDVnWqWYEFvWs
	Sib3tviFbDjXNcW55TqSOp69do1e9quw1ngr7XTtdcEUCrtRwRKnHJxBJhzJ7HHECsQRnP
	MaCXgZU3XyeCIaLqONTALbb62BA8WEsdbOQOrZHlBeA8XHmfBa4CbcUM7Y3dHNeDSwRut+
	hOzOx+sOJsKIYkxthODFUkjCMHJXa0teNhezSgzDBWjTzVoDHWGfaufJ5i0SAA==
ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1779946222; a=rsa-sha256; cv=none;
	b=wDAjqzLnbicUXgZNLywZOiTvkyBwXtbCMu3mmlFN1KfL2ruuRThsHsSKlyDUlF5OjfpV4m
	TdsfzFvdpXvwDBQqyN8DDQeJ3mtS6R/l5VfMu5idG79XeIGP7/rB70cR/zZoDzFVd3gPVt
	3iRVMpPig8BBCsaBM8A0Z7uIuWyy/6O88BW36OE02RDMU0riYHsermtNywl9WJB2llTTlI
	XXwhJ1+usyMVXfYZmpp4pdleW93DQZwIKRe7qxTjyOP6s9qfam8jfdxNzuK9MWcMpPfuTp
	4teVhgNN2Iw4jKjUX1u+VWIs5/5bZ5+9gGVQwaS7KzBf+BX5oKQu3jbzlQiRCQ==
ARC-Authentication-Results: i=1;
	mx1.freebsd.org;
	none
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org;
	s=dkim; t=1779946222;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=1rrnpJ4ZXOywSfT4pmxtEoP37BQdQjNEuiGD6Oefn54=;
	b=loZOH6oPWfmLH4sJpA3D6WVbLDTRNlLZwyiigLeBpnp3ZURTAQcNGhFWJgj9WovCMasbS+
	AL/DDTBS54YkEuW3qzW76V7EiCtltf5fLr3ev7TYgLOVg9CaKmr5e4A1aeMHoIVRKy0U1n
	+oYOX0qMnZGUxsU7uSXclMip436NmIk9LR1M1yGfqtuea0CHKtGNhzmBIIPhZK+O2qWPYR
	r/hWI6h1SWt1LVKf7+Z14fFJD/L3Wfa+H3+RSS6UkPD0FDXMQLllcsoS7Vnq1kBf5tk2Dt
	/nwY/i1/jpqVkmlc17vWVrIgxQnJzgzF/gPSPqJMKLtQub0db13LCTvIgCtAdw==
Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5])
	by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gQw723grHzXnr
	for <dev-commits-ports-main@FreeBSD.org>; Thu, 28 May 2026 05:30:22 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from git (uid 1279)
	(envelope-from git@FreeBSD.org)
	id 4052f
	by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org);
	Thu, 28 May 2026 05:30:22 +0000
To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
From: Jimmy Olgeni <olgeni@FreeBSD.org>
Subject: git: 64794e974307 - main - security/vuxml: Document Erlang/OTP TLS/public_key vulnerabilities
List-Id: Commits to the main branch of the FreeBSD ports repository <dev-commits-ports-main.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-main
List-Help: <mailto:dev-commits-ports-main+help@freebsd.org>
List-Post: <mailto:dev-commits-ports-main@freebsd.org>
List-Subscribe: <mailto:dev-commits-ports-main+subscribe@freebsd.org>
List-Unsubscribe: <mailto:dev-commits-ports-main+unsubscribe@freebsd.org>
X-BeenThere: dev-commits-ports-main@freebsd.org
Sender: owner-dev-commits-ports-main@FreeBSD.org
List-Id: <dev-commits-ports-main.FreeBSD.org>
List-Post: <mailto:dev-commits-ports-main@FreeBSD.org>
List-Help: <mailto:dev-commits-ports-main+help@FreeBSD.org>
List-Subscribe: <mailto:dev-commits-ports-main+subscribe@FreeBSD.org>
List-Unsubscribe: <mailto:dev-commits-ports-main+unsubscribe@FreeBSD.org>
List-Owner: <mailto:postmaster@FreeBSD.org>
Precedence: list
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: olgeni
X-Git-Repository: ports
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 64794e974307779e6d74a7f40b3fa36fb488e944
Auto-Submitted: auto-generated
Date: Thu, 28 May 2026 05:30:22 +0000
Message-Id: <6a17d2ee.4052f.1b961898@gitrepo.freebsd.org>

The branch main has been updated by olgeni:

URL: https://cgit.FreeBSD.org/ports/commit/?id=64794e974307779e6d74a7f40b3fa36fb488e944

commit 64794e974307779e6d74a7f40b3fa36fb488e944
Author:     Jimmy Olgeni <olgeni@FreeBSD.org>
AuthorDate: 2026-05-28 05:19:40 +0000
Commit:     Jimmy Olgeni <olgeni@FreeBSD.org>
CommitDate: 2026-05-28 05:27:23 +0000

    security/vuxml: Document Erlang/OTP TLS/public_key vulnerabilities
---
 security/vuxml/vuln/2026.xml | 132 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 132 insertions(+)

diff --git a/security/vuxml/vuln/2026.xml b/security/vuxml/vuln/2026.xml
index 8b1de1c59a8d..37b02c4b3031 100644
--- a/security/vuxml/vuln/2026.xml
+++ b/security/vuxml/vuln/2026.xml
@@ -1,3 +1,135 @@
+  <vuln vid="93576148-5a54-11f1-b886-4c526214c986">
+    <topic>Erlang/OTP -- TLS hostname verification bypass via Subject CommonName fallback and name constraints</topic>
+    <affects>
+      <package>
+	<name>erlang</name>
+	<range><ge>19.3</ge><lt>26.2.5.21,4</lt></range>
+      </package>
+      <package>
+	<name>erlang-runtime27</name>
+	<range><lt>27.3.4.12</lt></range>
+      </package>
+      <package>
+	<name>erlang-runtime28</name>
+	<range><lt>28.5.0.1</lt></range>
+      </package>
+      <package>
+	<name>erlang-runtime29</name>
+	<range><lt>29.0.1</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>https://github.com/erlang/otp/security/advisories/GHSA-22cw-4ph4-6447 reports:</p>
+	<blockquote cite="https://github.com/erlang/otp/security/advisories/GHSA-22cw-4ph4-6447">
+	  <p>Erlang/OTP's TLS hostname verification implements a legacy
+	  RFC 6125 fallback that checks the Subject CommonName when the
+	  Subject Alternative Name (SAN) extension is absent, rather
+	  than following RFC 9525 which requires validation to fail
+	  without SAN. Combined with weak handling of X.509 Name
+	  Constraints, this enables man-in-the-middle attacks when an
+	  attacker controls a DNS-constrained sub-CA and can intercept
+	  network traffic, allowing forgery of certificates for
+	  unauthorized domains.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2026-42790</cvename>
+      <url>https://github.com/erlang/otp/security/advisories/GHSA-22cw-4ph4-6447</url>
+    </references>
+    <dates>
+      <discovery>2026-05-27</discovery>
+      <entry>2026-05-28</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="9357a450-5a54-11f1-b886-4c526214c986">
+    <topic>Erlang/OTP -- public_key accepts non-CA certificate as intermediate issuer</topic>
+    <affects>
+      <package>
+	<name>erlang</name>
+	<range><ge>17.0</ge><lt>26.2.5.21,4</lt></range>
+      </package>
+      <package>
+	<name>erlang-runtime27</name>
+	<range><lt>27.3.4.12</lt></range>
+      </package>
+      <package>
+	<name>erlang-runtime28</name>
+	<range><lt>28.5.0.1</lt></range>
+      </package>
+      <package>
+	<name>erlang-runtime29</name>
+	<range><lt>29.0.1</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>https://github.com/erlang/otp/security/advisories/GHSA-c99q-jmpx-v8qq reports:</p>
+	<blockquote cite="https://github.com/erlang/otp/security/advisories/GHSA-c99q-jmpx-v8qq">
+	  <p>Erlang/OTP's public_key application contains a
+	  path-validation flaw where non-CA certificates lacking
+	  keyUsage extensions can be accepted as intermediate issuers.
+	  An attacker with an end-entity certificate issued by a
+	  trusted CA can exploit this to forge arbitrary leaf
+	  certificates, allowing public_key:pkix_path_validation/3 to
+	  validate fraudulent certificate chains and potentially
+	  compromise systems relying on SSL/TLS validation.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2026-42789</cvename>
+      <url>https://github.com/erlang/otp/security/advisories/GHSA-c99q-jmpx-v8qq</url>
+    </references>
+    <dates>
+      <discovery>2026-05-27</discovery>
+      <entry>2026-05-28</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="9357d6fb-5a54-11f1-b886-4c526214c986">
+    <topic>Erlang/OTP -- OCSP responder certificate accepted after expiry in public_key</topic>
+    <affects>
+      <package>
+	<name>erlang-runtime27</name>
+	<range><lt>27.3.4.12</lt></range>
+      </package>
+      <package>
+	<name>erlang-runtime28</name>
+	<range><lt>28.5.0.1</lt></range>
+      </package>
+      <package>
+	<name>erlang-runtime29</name>
+	<range><lt>29.0.1</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>https://github.com/erlang/otp/security/advisories/GHSA-cjxj-wj6x-3fff reports:</p>
+	<blockquote cite="https://github.com/erlang/otp/security/advisories/GHSA-cjxj-wj6x-3fff">
+	  <p>Erlang/OTP's public_key application fails to validate the
+	  validity period of OCSP responder certificates during
+	  response verification. An attacker possessing an expired
+	  OCSP responder's private key can forge responses that the
+	  system accepts as valid, potentially allowing acceptance of
+	  revoked TLS certificates in OCSP stapling scenarios or
+	  authentication bypass in applications using the
+	  public_key:pkix_ocsp_validate/5 API directly.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2026-42791</cvename>
+      <url>https://github.com/erlang/otp/security/advisories/GHSA-cjxj-wj6x-3fff</url>
+    </references>
+    <dates>
+      <discovery>2026-05-27</discovery>
+      <entry>2026-05-28</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="9bcc3279-5901-11f1-b525-3c7c3fba4204">
     <topic>Grafana -- Grafana MSSQL Data Source Plugin: Restriction Bypass Leading to OOM DoS</topic>
     <affects>