Skip to content

Advisory and JSON files for Jan27 release #13

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
t8m merged 4 commits into from
Jan 27, 2026
Merged

Advisory and JSON files for Jan27 release #13

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
d502373
newsflash.md: Add a note about the file being obsolete
t8m Jan 27, 2026
c074023
Add the advisory for the 2026-01-27 release
t8m Jan 27, 2026
66547c2
Add CVE json files for the 2026-01-27 release
t8m Jan 27, 2026
35544b8
Jan 27 advisory: Add note about unsupported releases
t8m Jan 27, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions newsflash.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,3 +1,5 @@
This file is obsolete. It is kept here just for the history of news entries.

| Date | Title |
| ----------- | ----- |
| 22-May-2025 | [Security Advisory](/news/secadv/20250522.txt): one low severity fix. |
Expand Down
493 changes: 493 additions & 0 deletions secadv/20260127.txt
View file
Open in desktop

Large diffs are not rendered by default.

148 changes: 148 additions & 0 deletions secjson/CVE-2025-11187.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,148 @@
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "OpenSSL",
"vendor": "OpenSSL",
"versions": [
{
"lessThan": "3.6.1",
"status": "affected",
"version": "3.6.0",
"versionType": "semver"
},
{
"lessThan": "3.5.5",
"status": "affected",
"version": "3.5.0",
"versionType": "semver"
},
{
"lessThan": "3.4.4",
"status": "affected",
"version": "3.4.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Stanislav Fort (Aisle Research)"
},
{
"lang": "en",
"type": "reporter",
"value": "Petr Šimeček (Aisle Research)"
},
{
"lang": "en",
"type": "reporter",
"value": "Hamza (Metadust)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Tomáš Mráz"
}
],
"datePublic": "2026-01-27T14:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Issue summary: PBMAC1 parameters in PKCS#12 files are missing validation<br>which can trigger a stack-based buffer overflow, invalid pointer or NULL<br>pointer dereference during MAC verification.<br><br>Impact summary: The stack buffer overflow or NULL pointer dereference may<br>cause a crash leading to Denial of Service for an application that parses<br>untrusted PKCS#12 files. The buffer overflow may also potentially enable<br>code execution depending on platform mitigations.<br><br>When verifying a PKCS#12 file that uses PBMAC1 for the MAC, the PBKDF2<br>salt and keylength parameters from the file are used without validation.<br>If the value of keylength exceeds the size of the fixed stack buffer used<br>for the derived key (64 bytes), the key derivation will overflow the buffer.<br>The overflow length is attacker-controlled. Also, if the salt parameter is<br>not an OCTET STRING type this can lead to invalid or NULL pointer<br>dereference.<br><br>Exploiting this issue requires a user or application to process<br>a maliciously crafted PKCS#12 file. It is uncommon to accept untrusted<br>PKCS#12 files in applications as they are usually used to store private<br>keys which are trusted by definition. For this reason the issue was assessed<br>as Moderate severity.<br><br>The FIPS modules in 3.6, 3.5 and 3.4 are not affected by this issue, as<br>PKCS#12 processing is outside the OpenSSL FIPS module boundary.<br><br>OpenSSL 3.6, 3.5 and 3.4 are vulnerable to this issue.<br><br>OpenSSL 3.3, 3.0, 1.1.1 and 1.0.2 are not affected by this issue as they do<br>not support PBMAC1 in PKCS#12."
}
],
"value": "Issue summary: PBMAC1 parameters in PKCS#12 files are missing validation\nwhich can trigger a stack-based buffer overflow, invalid pointer or NULL\npointer dereference during MAC verification.\n\nImpact summary: The stack buffer overflow or NULL pointer dereference may\ncause a crash leading to Denial of Service for an application that parses\nuntrusted PKCS#12 files. The buffer overflow may also potentially enable\ncode execution depending on platform mitigations.\n\nWhen verifying a PKCS#12 file that uses PBMAC1 for the MAC, the PBKDF2\nsalt and keylength parameters from the file are used without validation.\nIf the value of keylength exceeds the size of the fixed stack buffer used\nfor the derived key (64 bytes), the key derivation will overflow the buffer.\nThe overflow length is attacker-controlled. Also, if the salt parameter is\nnot an OCTET STRING type this can lead to invalid or NULL pointer\ndereference.\n\nExploiting this issue requires a user or application to process\na maliciously crafted PKCS#12 file. It is uncommon to accept untrusted\nPKCS#12 files in applications as they are usually used to store private\nkeys which are trusted by definition. For this reason the issue was assessed\nas Moderate severity.\n\nThe FIPS modules in 3.6, 3.5 and 3.4 are not affected by this issue, as\nPKCS#12 processing is outside the OpenSSL FIPS module boundary.\n\nOpenSSL 3.6, 3.5 and 3.4 are vulnerable to this issue.\n\nOpenSSL 3.3, 3.0, 1.1.1 and 1.0.2 are not affected by this issue as they do\nnot support PBMAC1 in PKCS#12."
}
],
"metrics": [
{
"format": "other",
"other": {
"content": {
"text": "Moderate"
},
"type": "https://openssl-library.org/policies/general/security-policy/"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-787",
"description": "CWE-787 Out-of-bounds Write",
"lang": "en",
"type": "CWE"
},
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"orgId": "00000000-0000-4000-9000-000000000000",
"shortName": "openssl"
},
"references": [
{
"name": "OpenSSL Advisory",
"tags": [
"vendor-advisory"
],
"url": "https://openssl-library.org/news/secadv/20260127.txt"
},
{
"name": "3.6.1 git commit",
"tags": [
"patch"
],
"url": "https://github.com/openssl/openssl/commit/8caf359d6e46fb413e8f5f0df765d2e8a51df4e8"
},
{
"name": "3.5.5 git commit",
"tags": [
"patch"
],
"url": "https://github.com/openssl/openssl/commit/e1079bc17ed93ff16f6b86f33a2fe3336e78817e"
},
{
"name": "3.4.4 git commit",
"tags": [
"patch"
],
"url": "https://github.com/openssl/openssl/commit/205e3a55e16e4bd08c12fdbd3416ab829c0f6206"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Improper validation of PBMAC1 parameters in PKCS#12 MAC verification",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "00000000-0000-4000-9000-000000000000",
"cveId": "CVE-2025-11187",
"requesterUserId": "00000000-0000-4000-9000-000000000000",
"serial": 1,
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
158 changes: 158 additions & 0 deletions secjson/CVE-2025-15467.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,158 @@
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "OpenSSL",
"vendor": "OpenSSL",
"versions": [
{
"lessThan": "3.6.1",
"status": "affected",
"version": "3.6.0",
"versionType": "semver"
},
{
"lessThan": "3.5.5",
"status": "affected",
"version": "3.5.0",
"versionType": "semver"
},
{
"lessThan": "3.4.4",
"status": "affected",
"version": "3.4.0",
"versionType": "semver"
},
{
"lessThan": "3.3.6",
"status": "affected",
"version": "3.3.0",
"versionType": "semver"
},
{
"lessThan": "3.0.19",
"status": "affected",
"version": "3.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Stanislav Fort (Aisle Research)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Igor Ustinov"
}
],
"datePublic": "2026-01-27T14:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Issue summary: Parsing CMS AuthEnvelopedData message with maliciously<br>crafted AEAD parameters can trigger a stack buffer overflow.<br><br>Impact summary: A stack buffer overflow may lead to a crash, causing Denial<br>of Service, or potentially remote code execution.<br><br>When parsing CMS AuthEnvelopedData structures that use AEAD ciphers such as<br>AES-GCM, the IV (Initialization Vector) encoded in the ASN.1 parameters is<br>copied into a fixed-size stack buffer without verifying that its length fits<br>the destination. An attacker can supply a crafted CMS message with an<br>oversized IV, causing a stack-based out-of-bounds write before any<br>authentication or tag verification occurs.<br><br>Applications and services that parse untrusted CMS or PKCS#7 content using<br>AEAD ciphers (e.g., S/MIME AuthEnvelopedData with AES-GCM) are vulnerable.<br>Because the overflow occurs prior to authentication, no valid key material<br>is required to trigger it. While exploitability to remote code execution<br>depends on platform and toolchain mitigations, the stack-based write<br>primitive represents a severe risk.<br><br>The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this<br>issue, as the CMS implementation is outside the OpenSSL FIPS module<br>boundary.<br><br>OpenSSL 3.6, 3.5, 3.4, 3.3 and 3.0 are vulnerable to this issue.<br><br>OpenSSL 1.1.1 and 1.0.2 are not affected by this issue."
}
],
"value": "Issue summary: Parsing CMS AuthEnvelopedData message with maliciously\ncrafted AEAD parameters can trigger a stack buffer overflow.\n\nImpact summary: A stack buffer overflow may lead to a crash, causing Denial\nof Service, or potentially remote code execution.\n\nWhen parsing CMS AuthEnvelopedData structures that use AEAD ciphers such as\nAES-GCM, the IV (Initialization Vector) encoded in the ASN.1 parameters is\ncopied into a fixed-size stack buffer without verifying that its length fits\nthe destination. An attacker can supply a crafted CMS message with an\noversized IV, causing a stack-based out-of-bounds write before any\nauthentication or tag verification occurs.\n\nApplications and services that parse untrusted CMS or PKCS#7 content using\nAEAD ciphers (e.g., S/MIME AuthEnvelopedData with AES-GCM) are vulnerable.\nBecause the overflow occurs prior to authentication, no valid key material\nis required to trigger it. While exploitability to remote code execution\ndepends on platform and toolchain mitigations, the stack-based write\nprimitive represents a severe risk.\n\nThe FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this\nissue, as the CMS implementation is outside the OpenSSL FIPS module\nboundary.\n\nOpenSSL 3.6, 3.5, 3.4, 3.3 and 3.0 are vulnerable to this issue.\n\nOpenSSL 1.1.1 and 1.0.2 are not affected by this issue."
}
],
"metrics": [
{
"format": "other",
"other": {
"content": {
"text": "High"
},
"type": "https://openssl-library.org/policies/general/security-policy/"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-787",
"description": "CWE-787 Out-of-bounds Write",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"orgId": "00000000-0000-4000-9000-000000000000",
"shortName": "openssl"
},
"references": [
{
"name": "OpenSSL Advisory",
"tags": [
"vendor-advisory"
],
"url": "https://openssl-library.org/news/secadv/20260127.txt"
},
{
"name": "3.6.1 git commit",
"tags": [
"patch"
],
"url": "https://github.com/openssl/openssl/commit/2c8f0e5fa9b6ee5508a0349e4572ddb74db5a703"
},
{
"name": "3.5.5 git commit",
"tags": [
"patch"
],
"url": "https://github.com/openssl/openssl/commit/d0071a0799f20cc8101730145349ed4487c268dc"
},
{
"name": "3.4.4 git commit",
"tags": [
"patch"
],
"url": "https://github.com/openssl/openssl/commit/6ced0fe6b10faa560e410e3ee8d6c82f06c65ea3"
},
{
"name": "3.3.6 git commit",
"tags": [
"patch"
],
"url": "https://github.com/openssl/openssl/commit/5f26d4202f5b89664c5c3f3c62086276026ba9a9"
},
{
"name": "3.0.19 git commit",
"tags": [
"patch"
],
"url": "https://github.com/openssl/openssl/commit/ce39170276daec87f55c39dad1f629b56344429e"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Stack buffer overflow in CMS AuthEnvelopedData parsing",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "00000000-0000-4000-9000-000000000000",
"cveId": "CVE-2025-15467",
"requesterUserId": "00000000-0000-4000-9000-000000000000",
"serial": 1,
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Loading