[automatic] Publish and update 6 advisories for 6 packages

advisories/published/2025/JLSEC-0000-mntxlh18v-1k4mtfv.md

@@ -0,0 +1,24 @@
+```toml
+schema_version = "1.7.4"
+id = "JLSEC-0000-mntxlh18v-1k4mtfv"
+modified = 2025-12-03T03:31:16.495Z
+upstream = ["CVE-2022-2509"]
+references = ["https://access.redhat.com/security/cve/CVE-2022-2509", "https://lists.debian.org/debian-lts-announce/2022/08/msg00002.html", "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6FL27JS3VM74YEQU7PGB62USO3KSBYZX/", "https://lists.gnupg.org/pipermail/gnutls-help/2022-July/004746.html", "https://www.debian.org/security/2022/dsa-5203", "https://access.redhat.com/security/cve/CVE-2022-2509", "https://lists.debian.org/debian-lts-announce/2022/08/msg00002.html", "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6FL27JS3VM74YEQU7PGB62USO3KSBYZX/", "https://lists.gnupg.org/pipermail/gnutls-help/2022-July/004746.html", "https://www.debian.org/security/2022/dsa-5203"]
+
+[[affected]]
+pkg = "GnuTLS_jll"
+ranges = ["< 3.7.8+0"]
+
+[[jlsec_sources]]
+id = "CVE-2022-2509"
+imported = 2025-12-03T03:31:16.495Z
+modified = 2025-12-02T21:15:49.750Z
+published = 2022-08-01T14:15:09.890Z
+url = "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2022-2509"
+html_url = "https://nvd.nist.gov/vuln/detail/CVE-2022-2509"
+```
+
+# A vulnerability found in gnutls
+
+A vulnerability found in gnutls. This security flaw happens because of a double free error occurs during verification of pkcs7 signatures in gnutls_pkcs7_verify function.
+

advisories/published/2025/JLSEC-0000-mntxlh1dk-10ovesz.md

@@ -0,0 +1,24 @@
+```toml
+schema_version = "1.7.4"
+id = "JLSEC-0000-mntxlh1dk-10ovesz"
+modified = 2025-12-03T03:31:16.664Z
+upstream = ["CVE-2022-4904"]
+references = ["https://bugzilla.redhat.com/show_bug.cgi?id=2168631", "https://github.com/c-ares/c-ares/issues/496", "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/33LDNS6RPOPP36Z4MPWXALUQZXJCWJS2/", "https://security.gentoo.org/glsa/202401-02", "https://bugzilla.redhat.com/show_bug.cgi?id=2168631", "https://github.com/c-ares/c-ares/issues/496", "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/33LDNS6RPOPP36Z4MPWXALUQZXJCWJS2/", "https://security.gentoo.org/glsa/202401-02"]
+
+[[affected]]
+pkg = "Cares_jll"
+ranges = ["< 1.32.2+0"]
+
+[[jlsec_sources]]
+id = "CVE-2022-4904"
+imported = 2025-12-03T03:31:16.664Z
+modified = 2025-12-02T21:15:50.887Z
+published = 2023-03-06T23:15:11.390Z
+url = "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2022-4904"
+html_url = "https://nvd.nist.gov/vuln/detail/CVE-2022-4904"
+```
+
+# A flaw was found in the c-ares package
+
+A flaw was found in the c-ares package. The ares_set_sortlist is missing checks about the validity of the input string, which allows a possible arbitrary length stack overflow. This issue may cause a denial of service or a limited impact on confidentiality and integrity.
+

advisories/published/2025/JLSEC-0000-mntxlh1yn-1g0wvdf.md

@@ -0,0 +1,63 @@
+```toml
+schema_version = "1.7.4"
+id = "JLSEC-0000-mntxlh1yn-1g0wvdf"
+modified = 2025-12-03T03:31:17.423Z
+upstream = ["CVE-2023-5363"]
+references = ["https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=0df40630850fb2740e6be6890bb905d3fc623b2d", "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=5f69f5c65e483928c4b28ed16af6e5742929f1ee", "https://www.openssl.org/news/secadv/20231024.txt", "http://www.openwall.com/lists/oss-security/2023/10/24/1", "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=0df40630850fb2740e6be6890bb905d3fc623b2d", "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=5f69f5c65e483928c4b28ed16af6e5742929f1ee", "https://security.netapp.com/advisory/ntap-20231027-0010/", "https://security.netapp.com/advisory/ntap-20240201-0003/", "https://security.netapp.com/advisory/ntap-20240201-0004/", "https://security.netapp.com/advisory/ntap-20241108-0002/", "https://www.debian.org/security/2023/dsa-5532", "https://www.openssl.org/news/secadv/20231024.txt"]
+
+[[affected]]
+pkg = "OpenSSL_jll"
+ranges = [">= 3.0.8+0, < 3.0.12+0"]
+
+[[jlsec_sources]]
+id = "CVE-2023-5363"
+imported = 2025-12-03T03:31:17.423Z
+modified = 2025-12-02T20:15:48.537Z
+published = 2023-10-25T18:17:43.613Z
+url = "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2023-5363"
+html_url = "https://nvd.nist.gov/vuln/detail/CVE-2023-5363"
+```
+
+# Issue summary: A bug has been identified in the processing of key and initialisation vector (IV) len...
+
+Issue summary: A bug has been identified in the processing of key and
+initialisation vector (IV) lengths.  This can lead to potential truncation
+or overruns during the initialisation of some symmetric ciphers.
+
+Impact summary: A truncation in the IV can result in non-uniqueness,
+which could result in loss of confidentiality for some cipher modes.
+
+When calling EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2() or
+EVP_CipherInit_ex2() the provided OSSL_PARAM array is processed after
+the key and IV have been established.  Any alterations to the key length,
+via the "keylen" parameter or the IV length, via the "ivlen" parameter,
+within the OSSL_PARAM array will not take effect as intended, potentially
+causing truncation or overreading of these values.  The following ciphers
+and cipher modes are impacted: RC2, RC4, RC5, CCM, GCM and OCB.
+
+For the CCM, GCM and OCB cipher modes, truncation of the IV can result in
+loss of confidentiality.  For example, when following NIST's SP 800-38D
+section 8.2.1 guidance for constructing a deterministic IV for AES in
+GCM mode, truncation of the counter portion could lead to IV reuse.
+
+Both truncations and overruns of the key and overruns of the IV will
+produce incorrect results and could, in some cases, trigger a memory
+exception.  However, these issues are not currently assessed as security
+critical.
+
+Changing the key and/or IV lengths is not considered to be a common operation
+and the vulnerable API was recently introduced. Furthermore it is likely that
+application developers will have spotted this problem during testing since
+decryption would fail unless both peers in the communication were similarly
+vulnerable. For these reasons we expect the probability of an application being
+vulnerable to this to be quite low. However if an application is vulnerable then
+this issue is considered very serious. For these reasons we have assessed this
+issue as Moderate severity overall.
+
+The OpenSSL SSL/TLS implementation is not affected by this issue.
+
+The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this because
+the issue lies outside of the FIPS provider boundary.
+
+OpenSSL 3.1 and 3.0 are vulnerable to this issue.
+

advisories/published/2025/JLSEC-0000-mntxlh1zt-kyxv65.md

@@ -0,0 +1,58 @@
+```toml
+schema_version = "1.7.4"
+id = "JLSEC-0000-mntxlh1zt-kyxv65"
+modified = 2025-12-03T03:31:17.465Z
+upstream = ["CVE-2023-5678"]
+references = ["https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=34efaef6c103d636ab507a0cc34dca4d3aecc055", "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=710fee740904b6290fef0dd5536fbcedbc38ff0c", "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=db925ae2e65d0d925adef429afc37f75bd1c2017", "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6", "https://www.openssl.org/news/secadv/20231106.txt", "http://www.openwall.com/lists/oss-security/2024/03/11/1", "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=34efaef6c103d636ab507a0cc34dca4d3aecc055", "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=710fee740904b6290fef0dd5536fbcedbc38ff0c", "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=db925ae2e65d0d925adef429afc37f75bd1c2017", "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6", "https://lists.debian.org/debian-lts-announce/2024/10/msg00033.html", "https://lists.debian.org/debian-lts-announce/2024/11/msg00000.html", "https://security.netapp.com/advisory/ntap-20231130-0010/", "https://www.openssl.org/news/secadv/20231106.txt"]
+
+[[affected]]
+pkg = "OpenSSL_jll"
+ranges = ["< 3.0.13+0"]
+[[affected]]
+pkg = "Openresty_jll"
+ranges = ["< 1.27.1+0"]
+
+[[jlsec_sources]]
+id = "CVE-2023-5678"
+imported = 2025-12-03T03:31:17.465Z
+modified = 2025-12-02T20:15:49.157Z
+published = 2023-11-06T16:15:42.670Z
+url = "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2023-5678"
+html_url = "https://nvd.nist.gov/vuln/detail/CVE-2023-5678"
+```
+
+# Issue summary: Generating excessively long X9.42 DH keys or checking excessively long X9.42 DH keys ...
+
+Issue summary: Generating excessively long X9.42 DH keys or checking
+excessively long X9.42 DH keys or parameters may be very slow.
+
+Impact summary: Applications that use the functions DH_generate_key() to
+generate an X9.42 DH key may experience long delays.  Likewise, applications
+that use DH_check_pub_key(), DH_check_pub_key_ex() or EVP_PKEY_public_check()
+to check an X9.42 DH key or X9.42 DH parameters may experience long delays.
+Where the key or parameters that are being checked have been obtained from
+an untrusted source this may lead to a Denial of Service.
+
+While DH_check() performs all the necessary checks (as of CVE-2023-3817),
+DH_check_pub_key() doesn't make any of these checks, and is therefore
+vulnerable for excessively large P and Q parameters.
+
+Likewise, while DH_generate_key() performs a check for an excessively large
+P, it doesn't check for an excessively large Q.
+
+An application that calls DH_generate_key() or DH_check_pub_key() and
+supplies a key or parameters obtained from an untrusted source could be
+vulnerable to a Denial of Service attack.
+
+DH_generate_key() and DH_check_pub_key() are also called by a number of
+other OpenSSL functions.  An application calling any of those other
+functions may similarly be affected.  The other functions affected by this
+are DH_check_pub_key_ex(), EVP_PKEY_public_check(), and EVP_PKEY_generate().
+
+Also vulnerable are the OpenSSL pkey command line application when using the
+"-pubcheck" option, as well as the OpenSSL genpkey command line application.
+
+The OpenSSL SSL/TLS implementation is not affected by this issue.
+
+The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.
+

advisories/published/2025/JLSEC-2025-217.md

@@ -8,12 +8,12 @@ references = ["https://github.com/ARMmbed/mbedtls/issues/5136", "https://lists.d
 
 [[affected]]
 pkg = "MbedTLS_jll"
-ranges = ["< 2.28.0+0"]
+ranges = ["*"]
 
 [[jlsec_sources]]
 id = "CVE-2021-43666"
-imported = 2025-11-20T23:04:01.828Z
-modified = 2025-11-03T20:15:51.127Z
+imported = 2025-12-03T03:31:15.687Z
+modified = 2025-12-02T21:15:49.503Z
 published = 2022-03-24T18:15:08.333Z
 url = "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2021-43666"
 html_url = "https://nvd.nist.gov/vuln/detail/CVE-2021-43666"

advisories/published/2025/JLSEC-2025-72.md

@@ -12,8 +12,8 @@ ranges = ["< 2.9.12+0"]
 
 [[jlsec_sources]]
 id = "CVE-2021-3517"
-imported = 2025-10-28T18:09:07.779Z
-modified = 2024-11-21T06:21:44.107Z
+imported = 2025-12-03T03:31:13.167Z
+modified = 2025-12-02T22:16:07.097Z
 published = 2021-05-19T14:15:07.553Z
 url = "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2021-3517"
 html_url = "https://nvd.nist.gov/vuln/detail/CVE-2021-3517"