pkgsrc-Changes archive
CVS commit: pkgsrc/doc
Module Name: pkgsrc
Committed By: jschauma
Date: Sat May 3 20:18:12 UTC 2025
Modified Files:
pkgsrc/doc: pkg-vulnerabilities
Log Message:
mark liboqs<0.13.0 as vulnerable to an information-disclosure vulnerability
The vulnerability is in the HQC reference implementation discussed in the
link added here. Note that liboqs had previously provided a security advisory
for another HQC vulnerability (CVE-2024-54137):
https://github.com/open-quantum-safe/liboqs/security/advisories/GHSA-gpf4-vrrw-r8v7
However, the Open Quantum Safe team has not (yet) released a security advisory
for version 0.12.0. Since all versions prior to 0.13.0 are vulnerable to the
discussed decryption oracle, I'm only adding a single entry and pointing to
the discussion on pqc-forum; if/when OQS releases a security advisory
(see https://github.com/open-quantum-safe/liboqs/issues/2132), then I'll update
the vulnerabilities file here accordingly.
To generate a diff of this commit:
cvs rdiff -u -r1.354 -r1.355 pkgsrc/doc/pkg-vulnerabilities
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: pkgsrc/doc/pkg-vulnerabilities
diff -u pkgsrc/doc/pkg-vulnerabilities:1.354 pkgsrc/doc/pkg-vulnerabilities:1.355
--- pkgsrc/doc/pkg-vulnerabilities:1.354 Wed Apr 30 17:36:48 2025
+++ pkgsrc/doc/pkg-vulnerabilities Sat May 3 20:18:12 2025
@@ -1,4 +1,4 @@
-# $NetBSD: pkg-vulnerabilities,v 1.354 2025/04/30 17:36:48 wiz Exp $
+# $NetBSD: pkg-vulnerabilities,v 1.355 2025/05/03 20:18:12 jschauma Exp $
#
#FORMAT 1.0.0
#
@@ -26173,3 +26173,4 @@ mailman<2.1.39 remote-code-execution ht
fcgi<2.4.5 integer-overflow https://nvd.nist.gov/vuln/detail/CVE-2025-23016
py{39,310,311,312,313}-h11<0.16.0 request-smuggling https://nvd.nist.gov/vuln/detail/CVE-2025-43859
dnsdist<1.9.9 use-after-free https://nvd.nist.gov/vuln/detail/CVE-2025-30194
+liboqs<0.13.0 information-disclosure https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/Wiu4ZQo3fP8
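Review bot: The added liboqs<0.13.0 line cites a pqc-forum thread as its only reference, while the three context entries above it each point at an NVD record, so a reader of an audit report has no stable advisory or CVE identifier to track for this entry. The log message says the file will be updated if and when OQS publishes an advisory (liboqs issue 2132); when that happens, replace or supplement this URL rather than leaving the forum link as the sole pointer. It is also worth confirming that "information-disclosure" is the intended class for what the log describes as a decryption oracle.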