
Conversation

@jlsec-bot
Contributor

This action searched --project=mbedtls, checking 59 (+0) advisories from NVD and 276 (+13) from EUVD for advisories that pertain here. It identified 35 advisories as being related to the Julia package(s): MbedTLS_jll.

11 advisories apply to all registered versions of a package

These advisories had no obvious failures but computed a range without bounds.

  • CVE-2021-43666 for packages: MbedTLS_jll
    • MbedTLS_jll computed ["*"]
      • arm:mbed_tls at <= 3.0.0 is unbounded
  • CVE-2021-45451 for packages: MbedTLS_jll
    • MbedTLS_jll computed ["*"]
      • arm:mbed_tls at < 3.1.0 is unbounded
  • CVE-2023-52353 for packages: MbedTLS_jll
    • MbedTLS_jll computed ["*"]
      • arm:mbed_tls at < 3.5.2 is unbounded
  • CVE-2024-23170 for packages: MbedTLS_jll
    • MbedTLS_jll computed ["*"]
      • arm:mbed_tls at >= 2.0.0, < 2.28.7 is unbounded
  • CVE-2024-23775 for packages: MbedTLS_jll
    • MbedTLS_jll computed ["*"]
      • arm:mbed_tls at >= 2.0.0, < 2.28.7 is unbounded
  • CVE-2024-28960 for packages: MbedTLS_jll
    • MbedTLS_jll computed ["*"]
      • arm:mbed_tls at >= 2.1.8, < 2.28.8 is unbounded
  • CVE-2025-27809 for packages: MbedTLS_jll
    • MbedTLS_jll computed ["*"]
      • arm:mbed_tls at < 2.28.10 is unbounded
  • CVE-2025-47917 for packages: MbedTLS_jll
    • MbedTLS_jll computed ["*"]
      • arm:mbed_tls at < 3.6.4 is unbounded
  • CVE-2025-48965 for packages: MbedTLS_jll
    • MbedTLS_jll computed ["*"]
      • arm:mbed_tls at < 3.6.4 is unbounded
  • CVE-2025-52496 for packages: MbedTLS_jll
    • MbedTLS_jll computed ["*"]
      • arm:mbed_tls at < 3.6.4 is unbounded
  • CVE-2025-52497 for packages: MbedTLS_jll
    • MbedTLS_jll computed ["*"]
      • arm:mbed_tls at < 3.6.4 is unbounded

2 advisories apply to the latest version of a package and do not have a patch

  • CVE-2021-36647 for packages: MbedTLS_jll
    • MbedTLS_jll computed ["< 2.27.0+0", ">= 2.28.0+0"]
      • arm:mbed_tls at >= 2.28.0, < 3.0.0 mapped to [>= 2.28.0+0]
  • CVE-2024-45157 for packages: MbedTLS_jll
    • MbedTLS_jll computed [">= 2.26.0+0"]
      • arm:mbed_tls at >= 2.26.0, < 2.28.9 mapped to [>= 2.26.0+0]

22 advisories found concrete vulnerable ranges

  • CVE-2019-16910 for packages: MbedTLS_jll
    • MbedTLS_jll computed ["< 2.16.6+0"]
  • CVE-2019-18222 for packages: MbedTLS_jll
    • MbedTLS_jll computed ["< 2.16.6+0"]
  • CVE-2020-10932 for packages: MbedTLS_jll
    • MbedTLS_jll computed ["< 2.16.6+0"]
  • CVE-2020-10941 for packages: MbedTLS_jll
    • MbedTLS_jll computed ["< 2.16.6+0"]
  • CVE-2020-16150 for packages: MbedTLS_jll
    • MbedTLS_jll computed ["< 2.16.8+0"]
  • CVE-2020-36421 for packages: MbedTLS_jll
    • MbedTLS_jll computed ["< 2.16.8+0"]
  • CVE-2020-36422 for packages: MbedTLS_jll
    • MbedTLS_jll computed ["< 2.16.8+0"]
  • CVE-2020-36423 for packages: MbedTLS_jll
    • MbedTLS_jll computed ["< 2.16.8+0"]
  • CVE-2020-36424 for packages: MbedTLS_jll
    • MbedTLS_jll computed ["< 2.16.8+0"]
  • CVE-2020-36425 for packages: MbedTLS_jll
    • MbedTLS_jll computed ["< 2.16.8+0"]
  • CVE-2020-36426 for packages: MbedTLS_jll
    • MbedTLS_jll computed ["< 2.16.8+0"]
  • CVE-2020-36475 for packages: MbedTLS_jll
    • MbedTLS_jll computed ["< 2.25.0+0"]
  • CVE-2020-36476 for packages: MbedTLS_jll
    • MbedTLS_jll computed ["< 2.16.8+0"]
  • CVE-2020-36477 for packages: MbedTLS_jll
    • MbedTLS_jll computed ["< 2.24.0+0"]
  • CVE-2020-36478 for packages: MbedTLS_jll
    • MbedTLS_jll computed ["< 2.25.0+0"]
  • CVE-2021-24119 for packages: MbedTLS_jll
    • MbedTLS_jll computed ["< 2.26.0+0"]
  • CVE-2021-44732 for packages: MbedTLS_jll
    • MbedTLS_jll computed ["< 2.28.0+0"]
  • CVE-2021-45450 for packages: MbedTLS_jll
    • MbedTLS_jll computed [">= 2.24.0+0, < 2.28.0+0"]
  • CVE-2022-35409 for packages: MbedTLS_jll
    • MbedTLS_jll computed ["< 2.28.2+0"]
  • CVE-2022-46392 for packages: MbedTLS_jll
    • MbedTLS_jll computed ["< 2.28.2+0"]
  • CVE-2022-46393 for packages: MbedTLS_jll
    • MbedTLS_jll computed ["< 2.28.2+0"]
  • CVE-2023-43615 for packages: MbedTLS_jll
    • MbedTLS_jll computed ["< 2.28.6+0"]
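The three buckets in the report come from how upstream CPE version bounds survive translation into registered JLL versions. The script below is an added illustration for this thread, not the jlsec action's code: the mapping rule (a CPE bound is kept only when a registered JLL build exists for exactly that upstream release, otherwise the bound is dropped, and losing both bounds yields "*") is an assumption inferred from the computed ranges quoted above, and the REGISTERED list is a constructed sample, not the real MbedTLS_jll registry history.

```python
"""Map NVD-style CPE version ranges onto registered Julia JLL versions.

Added example for this thread, not the jlsec action's own code.  The
mapping rule (a CPE bound survives only when a registered JLL version has
exactly that upstream core version; everything else is dropped) is an
assumption inferred from the report above, and the registered-version
list is constructed for the demo, not the real MbedTLS_jll history.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Constructed sample of registered MbedTLS_jll versions, oldest to newest.
# Assumed for the demo; the real registry has more entries.
REGISTERED = [
    "2.16.6+0", "2.16.8+0", "2.24.0+0", "2.25.0+0", "2.26.0+0",
    "2.27.0+0", "2.28.0+0", "2.28.2+0", "2.28.6+0",
]


def core(version: str) -> tuple[int, ...]:
    """Upstream version with the JLL build suffix removed: '2.28.6+0' -> (2, 28, 6)."""
    return tuple(int(x) for x in version.split("+", 1)[0].split("."))


def registered_for(upstream: str) -> Optional[str]:
    """The JLL version built from exactly this upstream release, if one exists."""
    wanted = core(upstream)
    return next((v for v in REGISTERED if core(v) == wanted), None)


@dataclass
class CpeRange:
    """One CPE match entry: versionStartIncluding / versionEndExcluding / versionEndIncluding."""
    start_incl: Optional[str] = None
    end_excl: Optional[str] = None
    end_incl: Optional[str] = None


def map_range(r: CpeRange) -> str:
    """Translate one CPE range into a Julia version specifier.

    A bound with no exactly matching JLL build is dropped: a dropped lower
    bound means "every registered version below the upper bound", a dropped
    upper bound means "every registered version above the lower bound", and
    losing both yields "*" (the 'unbounded' case in the report).
    """
    parts = []
    if r.start_incl and (jll := registered_for(r.start_incl)):
        parts.append(f">= {jll}")
    if r.end_excl and (jll := registered_for(r.end_excl)):
        parts.append(f"< {jll}")
    elif r.end_incl and (jll := registered_for(r.end_incl)):
        parts.append(f"<= {jll}")
    return ", ".join(parts) if parts else "*"


def classify(ranges: list[CpeRange]) -> tuple[list[str], str]:
    """Return the computed specifiers and which bucket of the report they fall in."""
    specs = [map_range(r) for r in ranges]
    if "*" in specs:
        return specs, "unbounded"
    # No upper bound survived: the newest registered build is inside the range
    # and no fixed build exists, so the advisory applies to the latest version.
    if any("<" not in s for s in specs):
        return specs, "latest-unpatched"
    return specs, "concrete"


if __name__ == "__main__":
    # Inputs constructed from the ranges quoted in the report above.
    samples = {
        "CVE-2021-43666": [CpeRange(end_incl="3.0.0")],
        "CVE-2024-23170": [CpeRange(start_incl="2.0.0", end_excl="2.28.7")],
        "CVE-2021-36647": [CpeRange(end_excl="2.27.0"),
                           CpeRange(start_incl="2.28.0", end_excl="3.0.0")],
        "CVE-2024-45157": [CpeRange(start_incl="2.26.0", end_excl="2.28.9")],
        "CVE-2021-45450": [CpeRange(start_incl="2.24.0", end_excl="2.28.0")],
    }
    for cve, ranges in samples.items():
        specs, bucket = classify(ranges)
        print(f"{cve}: {specs} -> {bucket}")
```

The practical caveat this makes visible: an "unbounded" result is not evidence that every registered build is affected, only that neither CPE bound corresponds to a build the registry knows about (for example a lower bound of 2.0.0 predating the first JLL, or a fix release such as 2.28.7 that was never built). Those entries need a human to pin the range against the upstream changelog before they become real advisories.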

@mbauman mbauman deleted the branch JuliaLang:mb/extract-metadata October 1, 2025 16:12
@mbauman mbauman closed this Oct 1, 2025
@mbauman mbauman added the DONOTUSEJLSEC Testing data prior to publishing real JLSEC identifiers label Oct 6, 2025
