Skip to content

Commit

Permalink
deploy: bdaf454
Browse files Browse the repository at this point in the history
  • Loading branch information
frasertweedale committed Jul 30, 2024
0 parents commit 1d1d8d9
Show file tree
Hide file tree
Showing 25 changed files with 1,826 additions and 0 deletions.
Empty file added .nojekyll
Empty file.
32 changes: 32 additions & 0 deletions advisory/HSEC-2023-0001.html
Original file line number Diff line number Diff line change
@@ -0,0 +1,32 @@
<!DOCTYPE HTML><html><html lang="en"><head><meta charset="UTF-8"><base href=".."><link rel="alternate" type="application/atom+xml" href="https://haskell.github.io/security-advisories/atom.xml"><link rel="stylesheet" href="assets/css/default.css"><meta name="viewport" content="width=device-width, initial-scale=1"><meta name="description" content="Haskell Security advisories"><title>Haskell Security advisories</title></head><body><div class="nav-bar"><ul class="items"><li class><a href="by-dates.html">by date</a></li><li class><a href="by-packages.html">by package</a></li></ul></div><h1>Advisories list</h1><div class="content"><pre><code class="language-toml">[advisory]
id = &quot;HSEC-2023-0001&quot;
cwe = [328, 400]
keywords = [&quot;json&quot;, &quot;dos&quot;, &quot;historical&quot;]
aliases = [&quot;CVE-2022-3433&quot;]

[[affected]]
package = &quot;aeson&quot;
cvss = &quot;CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H&quot;

[[affected.versions]]
introduced = &quot;0.4.0.0&quot;
fixed = &quot;2.0.1.0&quot;

[[references]]
type = &quot;ARTICLE&quot;
url = &quot;https://cs-syd.eu/posts/2021-09-11-json-vulnerability&quot;
[[references]]
type = &quot;ARTICLE&quot;
url = &quot;https://frasertweedale.github.io/blog-fp/posts/2021-10-12-aeson-hash-flooding-protection.html&quot;
[[references]]
type = &quot;DISCUSSION&quot;
url = &quot;https://github.com/haskell/aeson/issues/864&quot;
</code></pre>
<h1>Hash flooding vulnerability in aeson</h1>
<p><em>aeson</em> was vulnerable to hash flooding (a.k.a. hash DoS). The
issue is a consequence of the HashMap implementation from
<em>unordered-containers</em>. It results in a denial of service through
CPU consumption. This technique has been used in real-world attacks
against a variety of languages, libraries and frameworks over the
years.</p>
</div><footer><div class="HF">This site is a project of <a href="https://haskell.foundation" target="_blank" rel="noopener noreferrer">The Haskell Foundation</a>.</div></footer></body></html></html>
29 changes: 29 additions & 0 deletions advisory/HSEC-2023-0002.html
Original file line number Diff line number Diff line change
@@ -0,0 +1,29 @@
<!DOCTYPE HTML><html><html lang="en"><head><meta charset="UTF-8"><base href=".."><link rel="alternate" type="application/atom+xml" href="https://haskell.github.io/security-advisories/atom.xml"><link rel="stylesheet" href="assets/css/default.css"><meta name="viewport" content="width=device-width, initial-scale=1"><meta name="description" content="Haskell Security advisories"><title>Haskell Security advisories</title></head><body><div class="nav-bar"><ul class="items"><li class><a href="by-dates.html">by date</a></li><li class><a href="by-packages.html">by package</a></li></ul></div><h1>Advisories list</h1><div class="content"><pre><code class="language-toml">[advisory]
id = &quot;HSEC-2023-0002&quot;
cwe = [347]
keywords = [&quot;crypto&quot;, &quot;historical&quot;]
aliases = [&quot;CVE-2022-31053&quot;]
related = [&quot;GHSA-75rw-34q6-72cr&quot;]

[[affected]]
package = &quot;biscuit-haskell&quot;
cvss = &quot;CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H&quot;
[[affected.versions]]
introduced = &quot;0.1.0.0&quot;
fixed = &quot;0.2.0.0&quot;

[[references]]
type = &quot;REPORT&quot;
url = &quot;https://eprint.iacr.org/2020/1484&quot;
[[references]]
type = &quot;ADVISORY&quot;
url = &quot;https://github.com/biscuit-auth/biscuit/security/advisories/GHSA-75rw-34q6-72cr&quot;

</code></pre>
<h1>Improper Verification of Cryptographic Signature</h1>
<p>The Biscuit specification version 1 contains a vulnerable algorithm that allows
malicious actors to forge valid Γ-signatures. Such an attack would allow an
attacker to create a token with any access level. The version 2 of the
specification mandates a different algorithm than gamma signatures and as such
is not affected by this vulnerability.</p>
</div><footer><div class="HF">This site is a project of <a href="https://haskell.foundation" target="_blank" rel="noopener noreferrer">The Haskell Foundation</a>.</div></footer></body></html></html>
29 changes: 29 additions & 0 deletions advisory/HSEC-2023-0003.html
Original file line number Diff line number Diff line change
@@ -0,0 +1,29 @@
<!DOCTYPE HTML><html><html lang="en"><head><meta charset="UTF-8"><base href=".."><link rel="alternate" type="application/atom+xml" href="https://haskell.github.io/security-advisories/atom.xml"><link rel="stylesheet" href="assets/css/default.css"><meta name="viewport" content="width=device-width, initial-scale=1"><meta name="description" content="Haskell Security advisories"><title>Haskell Security advisories</title></head><body><div class="nav-bar"><ul class="items"><li class><a href="by-dates.html">by date</a></li><li class><a href="by-packages.html">by package</a></li></ul></div><h1>Advisories list</h1><div class="content"><pre><code class="language-toml">[advisory]
id = &quot;HSEC-2023-0003&quot;
cwe = [94]
keywords = [&quot;code&quot;, &quot;injection&quot;, &quot;historical&quot;]
aliases = [&quot;CVE-2013-1436&quot;]

[[affected]]
package = &quot;xmonad-contrib&quot;
cvss = &quot;AV:N/AC:L/Au:N/C:P/I:P/A:P&quot;
[[affected.versions]]
introduced = &quot;0.5&quot;
fixed = &quot;0.11.2&quot;

[[references]]
type = &quot;ADVISORY&quot;
url = &quot;https://security.gentoo.org/glsa/201405-28&quot;
[[references]]
type = &quot;DISCUSSION&quot;
url = &quot;http://www.openwall.com/lists/oss-security/2013/07/26/5&quot;
[[references]]
type = &quot;FIX&quot;
url = &quot;https://github.com/xmonad/xmonad-contrib/commit/d3b2a01e3d01ac628e7a3139dd55becbfa37cf51&quot;
</code></pre>
<h1>code injection in <em>xmonad-contrib</em></h1>
<p>The <code>XMonad.Hooks.DynamicLog</code> module in <em>xmonad-contrib</em> before
<strong>0.11.2</strong> allows remote attackers to execute arbitrary commands via a
web page title, which activates the commands when the user clicks on
the xmobar window title, as demonstrated using an action tag.</p>
</div><footer><div class="HF">This site is a project of <a href="https://haskell.foundation" target="_blank" rel="noopener noreferrer">The Haskell Foundation</a>.</div></footer></body></html></html>
31 changes: 31 additions & 0 deletions advisory/HSEC-2023-0004.html
Original file line number Diff line number Diff line change
@@ -0,0 +1,31 @@
<!DOCTYPE HTML><html><html lang="en"><head><meta charset="UTF-8"><base href=".."><link rel="alternate" type="application/atom+xml" href="https://haskell.github.io/security-advisories/atom.xml"><link rel="stylesheet" href="assets/css/default.css"><meta name="viewport" content="width=device-width, initial-scale=1"><meta name="description" content="Haskell Security advisories"><title>Haskell Security advisories</title></head><body><div class="nav-bar"><ul class="items"><li class><a href="by-dates.html">by date</a></li><li class><a href="by-packages.html">by package</a></li></ul></div><h1>Advisories list</h1><div class="content"><pre><code class="language-toml">[advisory]
id = &quot;HSEC-2023-0004&quot;
cwe = [776]
keywords = [&quot;xml&quot;, &quot;dos&quot;, &quot;historical&quot;]
aliases = [&quot;CVE-2021-4249&quot;, &quot;VDB-216204&quot;]

[[affected]]
package = &quot;xml-conduit&quot;
cvss = &quot;CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H&quot;

[[affected.versions]]
introduced = &quot;0.5.0&quot;
fixed = &quot;1.9.1.0&quot;

[[references]]
type = &quot;FIX&quot;
url = &quot;https://github.com/snoyberg/xml/pull/161&quot;
[[references]]
type = &quot;FIX&quot;
url = &quot;https://github.com/snoyberg/xml/commit/4be1021791dcdee8b164d239433a2043dc0939ea&quot;
</code></pre>
<h1>xml-conduit unbounded entity expansion</h1>
<p>A vulnerability was found in <em>xml-conduit</em>. It has been classified
as problematic. Affected is an unknown function of the file
<code>xml-conduit/src/Text/XML/Stream/Parse.hs</code> of the component DOCTYPE
Entity Expansion Handler. The manipulation leads to infinite loop.
It is possible to launch the attack remotely. Upgrading to version
1.9.1.0 is able to address this issue. The name of the patch is
<code>4be1021791dcdee8b164d239433a2043dc0939ea</code>. It is recommended to
upgrade the affected component.</p>
</div><footer><div class="HF">This site is a project of <a href="https://haskell.foundation" target="_blank" rel="noopener noreferrer">The Haskell Foundation</a>.</div></footer></body></html></html>
32 changes: 32 additions & 0 deletions advisory/HSEC-2023-0005.html
Original file line number Diff line number Diff line change
@@ -0,0 +1,32 @@
<!DOCTYPE HTML><html><html lang="en"><head><meta charset="UTF-8"><base href=".."><link rel="alternate" type="application/atom+xml" href="https://haskell.github.io/security-advisories/atom.xml"><link rel="stylesheet" href="assets/css/default.css"><meta name="viewport" content="width=device-width, initial-scale=1"><meta name="description" content="Haskell Security advisories"><title>Haskell Security advisories</title></head><body><div class="nav-bar"><ul class="items"><li class><a href="by-dates.html">by date</a></li><li class><a href="by-packages.html">by package</a></li></ul></div><h1>Advisories list</h1><div class="content"><pre><code class="language-toml">[advisory]
id = &quot;HSEC-2023-0005&quot;
cwe = [295]
keywords = [&quot;x509&quot;, &quot;pki&quot;, &quot;mitm&quot;, &quot;historical&quot;]
aliases = [&quot;CVE-2013-0243&quot;]

[[affected]]
package = &quot;tls-extra&quot;
cvss = &quot;CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N&quot;

[[affected.versions]]
introduced = &quot;0.1.0&quot;
fixed = &quot;0.4.6.1&quot;

[[references]]
type = &quot;DISCUSSION&quot;
url = &quot;https://www.openwall.com/lists/oss-security/2013/01/30/6&quot;
[[references]]
type = &quot;REPORT&quot;
url = &quot;https://github.com/haskell-tls/hs-tls/issues/29&quot;
[[references]]
type = &quot;FIX&quot;
url = &quot;https://github.com/haskell-tls/hs-tls/commit/15885c0649ceabd2f4d2913df8ac6dc63d6b3b37&quot;
</code></pre>
<h1>tls-extra: certificate validation does not check Basic Constraints</h1>
<p><em>tls-extra</em> does not check the Basic Constraints extension of a
certificate in certificate chain processing. Any certificate is
treated as a CA certificate. As a consequence, anyone who has a
valid certificate can use it to sign another one (with an arbitrary
subject DN/domain name embedded into it) and have it accepted by
<em>tls</em>. This allows MITM attacks on TLS connections.</p>
</div><footer><div class="HF">This site is a project of <a href="https://haskell.foundation" target="_blank" rel="noopener noreferrer">The Haskell Foundation</a>.</div></footer></body></html></html>
24 changes: 24 additions & 0 deletions advisory/HSEC-2023-0006.html
Original file line number Diff line number Diff line change
@@ -0,0 +1,24 @@
<!DOCTYPE HTML><html><html lang="en"><head><meta charset="UTF-8"><base href=".."><link rel="alternate" type="application/atom+xml" href="https://haskell.github.io/security-advisories/atom.xml"><link rel="stylesheet" href="assets/css/default.css"><meta name="viewport" content="width=device-width, initial-scale=1"><meta name="description" content="Haskell Security advisories"><title>Haskell Security advisories</title></head><body><div class="nav-bar"><ul class="items"><li class><a href="by-dates.html">by date</a></li><li class><a href="by-packages.html">by package</a></li></ul></div><h1>Advisories list</h1><div class="content"><pre><code class="language-toml">[advisory]
id = &quot;HSEC-2023-0006&quot;
cwe = [295]
keywords = [&quot;x509&quot;, &quot;pki&quot;, &quot;historical&quot;]

[[affected]]
package = &quot;x509-validation&quot;
cvss = &quot;CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N&quot;

[[affected.versions]]
introduced = &quot;1.4.0&quot;
fixed = &quot;1.4.8&quot;

[[references]]
type = &quot;FIX&quot;
url = &quot;https://github.com/haskell-tls/hs-certificate/commit/06d15dbbc53739314760d8504ca764000770e46e&quot;
</code></pre>
<h1>x509-validation does not enforce pathLenConstraint</h1>
<p><em>x509-validation</em> prior to version 1.4.8 did not enforce the
pathLenConstraint value. Constrained CAs could accidentally (or
deliberately) issue CAs below the maximum depth and
<em>x509-validation</em> would accept certificates issued by the
unauthorised intermediate CAs.</p>
</div><footer><div class="HF">This site is a project of <a href="https://haskell.foundation" target="_blank" rel="noopener noreferrer">The Haskell Foundation</a>.</div></footer></body></html></html>
65 changes: 65 additions & 0 deletions advisory/HSEC-2023-0007.html
Original file line number Diff line number Diff line change
@@ -0,0 +1,65 @@
<!DOCTYPE HTML><html><html lang="en"><head><meta charset="UTF-8"><base href=".."><link rel="alternate" type="application/atom+xml" href="https://haskell.github.io/security-advisories/atom.xml"><link rel="stylesheet" href="assets/css/default.css"><meta name="viewport" content="width=device-width, initial-scale=1"><meta name="description" content="Haskell Security advisories"><title>Haskell Security advisories</title></head><body><div class="nav-bar"><ul class="items"><li class><a href="by-dates.html">by date</a></li><li class><a href="by-packages.html">by package</a></li></ul></div><h1>Advisories list</h1><div class="content"><pre><code class="language-toml">[advisory]
id = &quot;HSEC-2023-0007&quot;
cwe = [1284, 789]
keywords = [&quot;toml&quot;, &quot;parser&quot;, &quot;dos&quot;]

[[affected]]
package = &quot;base&quot;
cvss = &quot;CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H&quot;
[[affected.versions]]
# it was introduced earlier, but this is the earliest version on Hackage
introduced = &quot;3.0.3.1&quot;

[[affected]]
package = &quot;toml-reader&quot;
cvss = &quot;CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H&quot;
[[affected.versions]]
introduced = &quot;0.1.0.0&quot;
fixed = &quot;0.2.0.0&quot;

[[references]]
type = &quot;REPORT&quot;
url = &quot;https://gitlab.haskell.org/ghc/ghc/-/issues/23538&quot;
[[references]]
type = &quot;REPORT&quot;
url = &quot;https://github.com/brandonchinn178/toml-reader/issues/8&quot;
[[references]]
type = &quot;FIX&quot;
url = &quot;https://github.com/brandonchinn178/toml-reader/pull/9&quot;

</code></pre>
<h1><code>readFloat</code>: memory exhaustion with large exponent</h1>
<p><code>Numeric.readFloat</code> takes time and memory linear in the size of the
number <em>denoted</em> by the input string. In particular, processing a
number expressed in scientific notation with a very large exponent
could cause a denial of service. The slowdown is observable on a
modern machine running GHC 9.4.4:</p>
<pre><code>ghci&gt; import qualified Numeric
ghci&gt; Numeric.readFloat &quot;1e1000000&quot; -- near instantaneous
[(Infinity,&quot;&quot;)]
ghci&gt; Numeric.readFloat &quot;1e10000000&quot; -- perceptible pause
[(Infinity,&quot;&quot;)]
ghci&gt; Numeric.readFloat &quot;1e100000000&quot; -- ~ 3 seconds
[(Infinity,&quot;&quot;)]
ghci&gt; Numeric.readFloat &quot;1e1000000000&quot; -- ~ 35 seconds
[(Infinity,&quot;&quot;)]
</code></pre>
<h2>In <em>base</em></h2>
<p><code>Numeric.readFloat</code> is defined for all <code>RealFrac a =&gt; a</code>:</p>
<pre><code class="language-haskell">readFloat :: RealFrac a =&gt; ReadS a
</code></pre>
<p>The <code>RealFrac</code> type class does not express any bounds on the size of
values representable in the types for which instances exist, so
bounds checking is not possible (in this <em>generic</em> function).
<code>readFloat</code> uses to <code>Text.Read.Lex.numberToRational</code> which, among
other things, calculates <code>10 ^ exponent</code>, which seems to take linear
time and memory.</p>
<p><strong>Mitigation:</strong> use <code>read</code>. The <code>Read</code> instances for <code>Float</code> and
<code>Double</code> perform bounds checks on the exponent, via
<code>Text.Read.Lex.numberToRangedRational</code>.</p>
<h2>In <em>toml-reader</em></h2>
<p>The issue was detected in <em>toml-reader</em> version 0.1.0.0, and
mitigated in version 0.2.0.0 by immediately returning <code>Infinity</code>
when the exponent is large enough that there's no reason to process
it.</p>
</div><footer><div class="HF">This site is a project of <a href="https://haskell.foundation" target="_blank" rel="noopener noreferrer">The Haskell Foundation</a>.</div></footer></body></html></html>
41 changes: 41 additions & 0 deletions advisory/HSEC-2023-0008.html
Original file line number Diff line number Diff line change
@@ -0,0 +1,41 @@
<!DOCTYPE HTML><html><html lang="en"><head><meta charset="UTF-8"><base href=".."><link rel="alternate" type="application/atom+xml" href="https://haskell.github.io/security-advisories/atom.xml"><link rel="stylesheet" href="assets/css/default.css"><meta name="viewport" content="width=device-width, initial-scale=1"><meta name="description" content="Haskell Security advisories"><title>Haskell Security advisories</title></head><body><div class="nav-bar"><ul class="items"><li class><a href="by-dates.html">by date</a></li><li class><a href="by-packages.html">by package</a></li></ul></div><h1>Advisories list</h1><div class="content"><pre><code class="language-toml">[advisory]
id = &quot;HSEC-2023-0008&quot;
cwe = [87]
keywords = [&quot;web&quot;, &quot;xss&quot;, &quot;historical&quot;]
aliases = [&quot;CVE-2021-46888&quot;]

[[affected]]
package = &quot;hledger-web&quot;
cvss = &quot;CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N&quot;
[[affected.versions]]
introduced = &quot;0.24&quot;
fixed = &quot;1.23&quot;

[[references]]
type = &quot;REPORT&quot;
url = &quot;https://github.com/simonmichael/hledger/issues/1525&quot;
[[references]]
type = &quot;INTRODUCED&quot;
url = &quot;https://github.com/simonmichael/hledger/commit/ec51d28839b2910eea360b1b8c72904b51cf7821&quot;
[[references]]
type = &quot;EVIDENCE&quot;
url = &quot;https://www.youtube.com/watch?v=QnRO-VkfIic&quot;
[[references]]
type = &quot;FIX&quot;
url = &quot;https://github.com/simonmichael/hledger/pull/1663&quot;

</code></pre>
<h1>Stored XSS in <em>hledger-web</em></h1>
<p>An issue was discovered in <em>hledger-web</em> &lt; 1.23. A Stored Cross-Site
Scripting (XSS) vulnerability exists in <code>toBloodhoundJson</code> that
allows an attacker to execute JavaScript by encoding user-controlled
values in a payload with base64 and parsing them with the <code>atob</code>
function.</p>
<p><em>hledger-web</em> forms sanitise obvious JavaScript, but not obfuscated
JavaScript (see <a href="https://owasp.org/www-community/xss-filter-evasion-cheatsheet">OWASP Filter Evasion Cheat Sheet</a>).
This means <em>hledger-web</em> instances, especially anonymously-writable
ones like <code>demo.hledger.org</code>, could be loaded with malicious
JavaScript to be executed by subsequent visitors.</p>
<p>Reported by Gaspard Baye and Hamidullah Muslih. Fix by Arsen
Arsenović.</p>
</div><footer><div class="HF">This site is a project of <a href="https://haskell.foundation" target="_blank" rel="noopener noreferrer">The Haskell Foundation</a>.</div></footer></body></html></html>
Loading

0 comments on commit 1d1d8d9

Please sign in to comment.