-
Notifications
You must be signed in to change notification settings - Fork 18
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
0 parents
commit 1d1d8d9
Showing
25 changed files
with
1,826 additions
and
0 deletions.
There are no files selected for viewing
Empty file.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,32 @@ | ||
<!DOCTYPE HTML><html><html lang="en"><head><meta charset="UTF-8"><base href=".."><link rel="alternate" type="application/atom+xml" href="https://haskell.github.io/security-advisories/atom.xml"><link rel="stylesheet" href="assets/css/default.css"><meta name="viewport" content="width=device-width, initial-scale=1"><meta name="description" content="Haskell Security advisories"><title>Haskell Security advisories</title></head><body><div class="nav-bar"><ul class="items"><li class><a href="by-dates.html">by date</a></li><li class><a href="by-packages.html">by package</a></li></ul></div><h1>Advisories list</h1><div class="content"><pre><code class="language-toml">[advisory] | ||
id = "HSEC-2023-0001" | ||
cwe = [328, 400] | ||
keywords = ["json", "dos", "historical"] | ||
aliases = ["CVE-2022-3433"] | ||
|
||
[[affected]] | ||
package = "aeson" | ||
cvss = "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" | ||
|
||
[[affected.versions]] | ||
introduced = "0.4.0.0" | ||
fixed = "2.0.1.0" | ||
|
||
[[references]] | ||
type = "ARTICLE" | ||
url = "https://cs-syd.eu/posts/2021-09-11-json-vulnerability" | ||
[[references]] | ||
type = "ARTICLE" | ||
url = "https://frasertweedale.github.io/blog-fp/posts/2021-10-12-aeson-hash-flooding-protection.html" | ||
[[references]] | ||
type = "DISCUSSION" | ||
url = "https://github.com/haskell/aeson/issues/864" | ||
</code></pre> | ||
<h1>Hash flooding vulnerability in aeson</h1> | ||
<p><em>aeson</em> was vulnerable to hash flooding (a.k.a. hash DoS). The | ||
issue is a consequence of the HashMap implementation from | ||
<em>unordered-containers</em>. It results in a denial of service through | ||
CPU consumption. This technique has been used in real-world attacks | ||
against a variety of languages, libraries and frameworks over the | ||
years.</p> | ||
</div><footer><div class="HF">This site is a project of <a href="https://haskell.foundation" target="_blank" rel="noopener noreferrer">The Haskell Foundation</a>.</div></footer></body></html></html> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,29 @@ | ||
<!DOCTYPE HTML><html><html lang="en"><head><meta charset="UTF-8"><base href=".."><link rel="alternate" type="application/atom+xml" href="https://haskell.github.io/security-advisories/atom.xml"><link rel="stylesheet" href="assets/css/default.css"><meta name="viewport" content="width=device-width, initial-scale=1"><meta name="description" content="Haskell Security advisories"><title>Haskell Security advisories</title></head><body><div class="nav-bar"><ul class="items"><li class><a href="by-dates.html">by date</a></li><li class><a href="by-packages.html">by package</a></li></ul></div><h1>Advisories list</h1><div class="content"><pre><code class="language-toml">[advisory] | ||
id = "HSEC-2023-0002" | ||
cwe = [347] | ||
keywords = ["crypto", "historical"] | ||
aliases = ["CVE-2022-31053"] | ||
related = ["GHSA-75rw-34q6-72cr"] | ||
|
||
[[affected]] | ||
package = "biscuit-haskell" | ||
cvss = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" | ||
[[affected.versions]] | ||
introduced = "0.1.0.0" | ||
fixed = "0.2.0.0" | ||
|
||
[[references]] | ||
type = "REPORT" | ||
url = "https://eprint.iacr.org/2020/1484" | ||
[[references]] | ||
type = "ADVISORY" | ||
url = "https://github.com/biscuit-auth/biscuit/security/advisories/GHSA-75rw-34q6-72cr" | ||
|
||
</code></pre> | ||
<h1>Improper Verification of Cryptographic Signature</h1> | ||
<p>The Biscuit specification version 1 contains a vulnerable algorithm that allows | ||
malicious actors to forge valid Γ-signatures. Such an attack would allow an | ||
attacker to create a token with any access level. The version 2 of the | ||
specification mandates a different algorithm than gamma signatures and as such | ||
is not affected by this vulnerability.</p> | ||
</div><footer><div class="HF">This site is a project of <a href="https://haskell.foundation" target="_blank" rel="noopener noreferrer">The Haskell Foundation</a>.</div></footer></body></html></html> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,29 @@ | ||
<!DOCTYPE HTML><html><html lang="en"><head><meta charset="UTF-8"><base href=".."><link rel="alternate" type="application/atom+xml" href="https://haskell.github.io/security-advisories/atom.xml"><link rel="stylesheet" href="assets/css/default.css"><meta name="viewport" content="width=device-width, initial-scale=1"><meta name="description" content="Haskell Security advisories"><title>Haskell Security advisories</title></head><body><div class="nav-bar"><ul class="items"><li class><a href="by-dates.html">by date</a></li><li class><a href="by-packages.html">by package</a></li></ul></div><h1>Advisories list</h1><div class="content"><pre><code class="language-toml">[advisory] | ||
id = "HSEC-2023-0003" | ||
cwe = [94] | ||
keywords = ["code", "injection", "historical"] | ||
aliases = ["CVE-2013-1436"] | ||
|
||
[[affected]] | ||
package = "xmonad-contrib" | ||
cvss = "AV:N/AC:L/Au:N/C:P/I:P/A:P" | ||
[[affected.versions]] | ||
introduced = "0.5" | ||
fixed = "0.11.2" | ||
|
||
[[references]] | ||
type = "ADVISORY" | ||
url = "https://security.gentoo.org/glsa/201405-28" | ||
[[references]] | ||
type = "DISCUSSION" | ||
url = "http://www.openwall.com/lists/oss-security/2013/07/26/5" | ||
[[references]] | ||
type = "FIX" | ||
url = "https://github.com/xmonad/xmonad-contrib/commit/d3b2a01e3d01ac628e7a3139dd55becbfa37cf51" | ||
</code></pre> | ||
<h1>code injection in <em>xmonad-contrib</em></h1> | ||
<p>The <code>XMonad.Hooks.DynamicLog</code> module in <em>xmonad-contrib</em> before | ||
<strong>0.11.2</strong> allows remote attackers to execute arbitrary commands via a | ||
web page title, which activates the commands when the user clicks on | ||
the xmobar window title, as demonstrated using an action tag.</p> | ||
</div><footer><div class="HF">This site is a project of <a href="https://haskell.foundation" target="_blank" rel="noopener noreferrer">The Haskell Foundation</a>.</div></footer></body></html></html> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,31 @@ | ||
<!DOCTYPE HTML><html><html lang="en"><head><meta charset="UTF-8"><base href=".."><link rel="alternate" type="application/atom+xml" href="https://haskell.github.io/security-advisories/atom.xml"><link rel="stylesheet" href="assets/css/default.css"><meta name="viewport" content="width=device-width, initial-scale=1"><meta name="description" content="Haskell Security advisories"><title>Haskell Security advisories</title></head><body><div class="nav-bar"><ul class="items"><li class><a href="by-dates.html">by date</a></li><li class><a href="by-packages.html">by package</a></li></ul></div><h1>Advisories list</h1><div class="content"><pre><code class="language-toml">[advisory] | ||
id = "HSEC-2023-0004" | ||
cwe = [776] | ||
keywords = ["xml", "dos", "historical"] | ||
aliases = ["CVE-2021-4249", "VDB-216204"] | ||
|
||
[[affected]] | ||
package = "xml-conduit" | ||
cvss = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" | ||
|
||
[[affected.versions]] | ||
introduced = "0.5.0" | ||
fixed = "1.9.1.0" | ||
|
||
[[references]] | ||
type = "FIX" | ||
url = "https://github.com/snoyberg/xml/pull/161" | ||
[[references]] | ||
type = "FIX" | ||
url = "https://github.com/snoyberg/xml/commit/4be1021791dcdee8b164d239433a2043dc0939ea" | ||
</code></pre> | ||
<h1>xml-conduit unbounded entity expansion</h1> | ||
<p>A vulnerability was found in <em>xml-conduit</em>. It has been classified | ||
as problematic. Affected is an unknown function of the file | ||
<code>xml-conduit/src/Text/XML/Stream/Parse.hs</code> of the component DOCTYPE | ||
Entity Expansion Handler. The manipulation leads to infinite loop. | ||
It is possible to launch the attack remotely. Upgrading to version | ||
1.9.1.0 is able to address this issue. The name of the patch is | ||
<code>4be1021791dcdee8b164d239433a2043dc0939ea</code>. It is recommended to | ||
upgrade the affected component.</p> | ||
</div><footer><div class="HF">This site is a project of <a href="https://haskell.foundation" target="_blank" rel="noopener noreferrer">The Haskell Foundation</a>.</div></footer></body></html></html> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,32 @@ | ||
<!DOCTYPE HTML><html><html lang="en"><head><meta charset="UTF-8"><base href=".."><link rel="alternate" type="application/atom+xml" href="https://haskell.github.io/security-advisories/atom.xml"><link rel="stylesheet" href="assets/css/default.css"><meta name="viewport" content="width=device-width, initial-scale=1"><meta name="description" content="Haskell Security advisories"><title>Haskell Security advisories</title></head><body><div class="nav-bar"><ul class="items"><li class><a href="by-dates.html">by date</a></li><li class><a href="by-packages.html">by package</a></li></ul></div><h1>Advisories list</h1><div class="content"><pre><code class="language-toml">[advisory] | ||
id = "HSEC-2023-0005" | ||
cwe = [295] | ||
keywords = ["x509", "pki", "mitm", "historical"] | ||
aliases = ["CVE-2013-0243"] | ||
|
||
[[affected]] | ||
package = "tls-extra" | ||
cvss = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" | ||
|
||
[[affected.versions]] | ||
introduced = "0.1.0" | ||
fixed = "0.4.6.1" | ||
|
||
[[references]] | ||
type = "DISCUSSION" | ||
url = "https://www.openwall.com/lists/oss-security/2013/01/30/6" | ||
[[references]] | ||
type = "REPORT" | ||
url = "https://github.com/haskell-tls/hs-tls/issues/29" | ||
[[references]] | ||
type = "FIX" | ||
url = "https://github.com/haskell-tls/hs-tls/commit/15885c0649ceabd2f4d2913df8ac6dc63d6b3b37" | ||
</code></pre> | ||
<h1>tls-extra: certificate validation does not check Basic Constraints</h1> | ||
<p><em>tls-extra</em> does not check the Basic Constraints extension of a | ||
certificate in certificate chain processing. Any certificate is | ||
treated as a CA certificate. As a consequence, anyone who has a | ||
valid certificate can use it to sign another one (with an arbitrary | ||
subject DN/domain name embedded into it) and have it accepted by | ||
<em>tls</em>. This allows MITM attacks on TLS connections.</p> | ||
</div><footer><div class="HF">This site is a project of <a href="https://haskell.foundation" target="_blank" rel="noopener noreferrer">The Haskell Foundation</a>.</div></footer></body></html></html> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,24 @@ | ||
<!DOCTYPE HTML><html><html lang="en"><head><meta charset="UTF-8"><base href=".."><link rel="alternate" type="application/atom+xml" href="https://haskell.github.io/security-advisories/atom.xml"><link rel="stylesheet" href="assets/css/default.css"><meta name="viewport" content="width=device-width, initial-scale=1"><meta name="description" content="Haskell Security advisories"><title>Haskell Security advisories</title></head><body><div class="nav-bar"><ul class="items"><li class><a href="by-dates.html">by date</a></li><li class><a href="by-packages.html">by package</a></li></ul></div><h1>Advisories list</h1><div class="content"><pre><code class="language-toml">[advisory] | ||
id = "HSEC-2023-0006" | ||
cwe = [295] | ||
keywords = ["x509", "pki", "historical"] | ||
|
||
[[affected]] | ||
package = "x509-validation" | ||
cvss = "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N" | ||
|
||
[[affected.versions]] | ||
introduced = "1.4.0" | ||
fixed = "1.4.8" | ||
|
||
[[references]] | ||
type = "FIX" | ||
url = "https://github.com/haskell-tls/hs-certificate/commit/06d15dbbc53739314760d8504ca764000770e46e" | ||
</code></pre> | ||
<h1>x509-validation does not enforce pathLenConstraint</h1> | ||
<p><em>x509-validation</em> prior to version 1.4.8 did not enforce the | ||
pathLenConstraint value. Constrained CAs could accidentally (or | ||
deliberately) issue CAs below the maximum depth and | ||
<em>x509-validation</em> would accept certificates issued by the | ||
unauthorised intermediate CAs.</p> | ||
</div><footer><div class="HF">This site is a project of <a href="https://haskell.foundation" target="_blank" rel="noopener noreferrer">The Haskell Foundation</a>.</div></footer></body></html></html> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,65 @@ | ||
<!DOCTYPE HTML><html><html lang="en"><head><meta charset="UTF-8"><base href=".."><link rel="alternate" type="application/atom+xml" href="https://haskell.github.io/security-advisories/atom.xml"><link rel="stylesheet" href="assets/css/default.css"><meta name="viewport" content="width=device-width, initial-scale=1"><meta name="description" content="Haskell Security advisories"><title>Haskell Security advisories</title></head><body><div class="nav-bar"><ul class="items"><li class><a href="by-dates.html">by date</a></li><li class><a href="by-packages.html">by package</a></li></ul></div><h1>Advisories list</h1><div class="content"><pre><code class="language-toml">[advisory] | ||
id = "HSEC-2023-0007" | ||
cwe = [1284, 789] | ||
keywords = ["toml", "parser", "dos"] | ||
|
||
[[affected]] | ||
package = "base" | ||
cvss = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" | ||
[[affected.versions]] | ||
# it was introduced earlier, but this is the earliest version on Hackage | ||
introduced = "3.0.3.1" | ||
|
||
[[affected]] | ||
package = "toml-reader" | ||
cvss = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" | ||
[[affected.versions]] | ||
introduced = "0.1.0.0" | ||
fixed = "0.2.0.0" | ||
|
||
[[references]] | ||
type = "REPORT" | ||
url = "https://gitlab.haskell.org/ghc/ghc/-/issues/23538" | ||
[[references]] | ||
type = "REPORT" | ||
url = "https://github.com/brandonchinn178/toml-reader/issues/8" | ||
[[references]] | ||
type = "FIX" | ||
url = "https://github.com/brandonchinn178/toml-reader/pull/9" | ||
|
||
</code></pre> | ||
<h1><code>readFloat</code>: memory exhaustion with large exponent</h1> | ||
<p><code>Numeric.readFloat</code> takes time and memory linear in the size of the | ||
number <em>denoted</em> by the input string. In particular, processing a | ||
number expressed in scientific notation with a very large exponent | ||
could cause a denial of service. The slowdown is observable on a | ||
modern machine running GHC 9.4.4:</p> | ||
<pre><code>ghci> import qualified Numeric | ||
ghci> Numeric.readFloat "1e1000000" -- near instantaneous | ||
[(Infinity,"")] | ||
ghci> Numeric.readFloat "1e10000000" -- perceptible pause | ||
[(Infinity,"")] | ||
ghci> Numeric.readFloat "1e100000000" -- ~ 3 seconds | ||
[(Infinity,"")] | ||
ghci> Numeric.readFloat "1e1000000000" -- ~ 35 seconds | ||
[(Infinity,"")] | ||
</code></pre> | ||
<h2>In <em>base</em></h2> | ||
<p><code>Numeric.readFloat</code> is defined for all <code>RealFrac a => a</code>:</p> | ||
<pre><code class="language-haskell">readFloat :: RealFrac a => ReadS a | ||
</code></pre> | ||
<p>The <code>RealFrac</code> type class does not express any bounds on the size of | ||
values representable in the types for which instances exist, so | ||
bounds checking is not possible (in this <em>generic</em> function). | ||
<code>readFloat</code> uses to <code>Text.Read.Lex.numberToRational</code> which, among | ||
other things, calculates <code>10 ^ exponent</code>, which seems to take linear | ||
time and memory.</p> | ||
<p><strong>Mitigation:</strong> use <code>read</code>. The <code>Read</code> instances for <code>Float</code> and | ||
<code>Double</code> perform bounds checks on the exponent, via | ||
<code>Text.Read.Lex.numberToRangedRational</code>.</p> | ||
<h2>In <em>toml-reader</em></h2> | ||
<p>The issue was detected in <em>toml-reader</em> version 0.1.0.0, and | ||
mitigated in version 0.2.0.0 by immediately returning <code>Infinity</code> | ||
when the exponent is large enough that there's no reason to process | ||
it.</p> | ||
</div><footer><div class="HF">This site is a project of <a href="https://haskell.foundation" target="_blank" rel="noopener noreferrer">The Haskell Foundation</a>.</div></footer></body></html></html> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,41 @@ | ||
<!DOCTYPE HTML><html><html lang="en"><head><meta charset="UTF-8"><base href=".."><link rel="alternate" type="application/atom+xml" href="https://haskell.github.io/security-advisories/atom.xml"><link rel="stylesheet" href="assets/css/default.css"><meta name="viewport" content="width=device-width, initial-scale=1"><meta name="description" content="Haskell Security advisories"><title>Haskell Security advisories</title></head><body><div class="nav-bar"><ul class="items"><li class><a href="by-dates.html">by date</a></li><li class><a href="by-packages.html">by package</a></li></ul></div><h1>Advisories list</h1><div class="content"><pre><code class="language-toml">[advisory] | ||
id = "HSEC-2023-0008" | ||
cwe = [87] | ||
keywords = ["web", "xss", "historical"] | ||
aliases = ["CVE-2021-46888"] | ||
|
||
[[affected]] | ||
package = "hledger-web" | ||
cvss = "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" | ||
[[affected.versions]] | ||
introduced = "0.24" | ||
fixed = "1.23" | ||
|
||
[[references]] | ||
type = "REPORT" | ||
url = "https://github.com/simonmichael/hledger/issues/1525" | ||
[[references]] | ||
type = "INTRODUCED" | ||
url = "https://github.com/simonmichael/hledger/commit/ec51d28839b2910eea360b1b8c72904b51cf7821" | ||
[[references]] | ||
type = "EVIDENCE" | ||
url = "https://www.youtube.com/watch?v=QnRO-VkfIic" | ||
[[references]] | ||
type = "FIX" | ||
url = "https://github.com/simonmichael/hledger/pull/1663" | ||
|
||
</code></pre> | ||
<h1>Stored XSS in <em>hledger-web</em></h1> | ||
<p>An issue was discovered in <em>hledger-web</em> < 1.23. A Stored Cross-Site | ||
Scripting (XSS) vulnerability exists in <code>toBloodhoundJson</code> that | ||
allows an attacker to execute JavaScript by encoding user-controlled | ||
values in a payload with base64 and parsing them with the <code>atob</code> | ||
function.</p> | ||
<p><em>hledger-web</em> forms sanitise obvious JavaScript, but not obfuscated | ||
JavaScript (see <a href="https://owasp.org/www-community/xss-filter-evasion-cheatsheet">OWASP Filter Evasion Cheat Sheet</a>). | ||
This means <em>hledger-web</em> instances, especially anonymously-writable | ||
ones like <code>demo.hledger.org</code>, could be loaded with malicious | ||
JavaScript to be executed by subsequent visitors.</p> | ||
<p>Reported by Gaspard Baye and Hamidullah Muslih. Fix by Arsen | ||
Arsenović.</p> | ||
</div><footer><div class="HF">This site is a project of <a href="https://haskell.foundation" target="_blank" rel="noopener noreferrer">The Haskell Foundation</a>.</div></footer></body></html></html> |
Oops, something went wrong.