Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker
Commits:
4da981b2 by Ola Lundqvist at 2024-03-05T00:08:30+01:00
Concluded that CVE-2024-25768 is a minor issue.

The issue occurs if a null list buffer is provided but a non-zero length of that buffer is provided. In opendmarc itself this will never happen because the list buffer is always provided with null value and zero length. When opendmarc is used as a library it is reasonable to assume that providing a null list and non-zero value for such a list is a programming error. There are no reverse dependencies for libopendmarc-dev in buster. If someone builds an application that has such an error it is likely going to have other more severe problems. It is still a vulnerability but the vulnerability is more in the application calling this function than something else.

- - - - -

1 changed file:
- data/CVE/list

Changes:

=====================================
data/CVE/list
=====================================
@@ -2653,6 +2653,7 @@ CVE-2024-25770 (libming 0.4.8 contains a memory leak vulnerability in /libming/s - ming <removed> CVE-2024-25768 (OpenDMARC 1.4.2 contains a null pointer dereference vulnerability in / ...) - opendmarc <unfixed> + [buster] - opendmarc <no-dsa> (Minor issue) NOTE: https://github.com/LuMingYinDetect/OpenDMARC_defects/blob/main/OpenDMARC_detect_1.md CVE-2024-25767 (nanomq 0.21.2 contains a Use-After-Free vulnerability in /nanomq/nng/s ...) NOT-FOR-US: NanoMQ

View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4da981b21fb6ef71f9d3230708c2589372934e34
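Review bot: On the added `[buster] - opendmarc <no-dsa> (Minor issue)` line, the reason text does not carry the rationale that justifies it, so anyone reading data/CVE/list alone cannot tell why the null pointer dereference was triaged as minor. The commit message gives two concrete grounds: the dereference needs a null list buffer passed with a non-zero length, which opendmarc itself never does, and libopendmarc-dev has no reverse dependencies in buster. Consider recording that in a short `NOTE:` line under the CVE-2024-25768 entry, next to the existing `NOTE:` link, so the decision can be revisited if a library consumer appears. The `- opendmarc <unfixed>` line is unchanged, so the note should be worded as applying to the buster triage only.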