deploy: 1f8e569
TristanCacqueray committed May 30, 2024
0 parents commit 7569311
Showing 23 changed files with 1,926 additions and 0 deletions.
Empty file added .nojekyll
Empty file.
44 changes: 44 additions & 0 deletions advisory/HSEC-2023-0001.html
Original file line number Diff line number Diff line change
@@ -0,0 +1,44 @@
<!DOCTYPE HTML><html><html><head><meta charset="UTF-8"><base href=".."><link rel="alternate" type="application/atom+xml" href="https://haskell.github.io/security-advisories/atom.xml"><link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/[email protected]/build/pure-min.css" integrity="sha384-X38yfunGUhNzHpBaEBsWLO+A0HDYOQi8ufWDkZ0k9e0eXz/tH3II7uKZ9msv++Ls" crossorigin="anonymous"><meta name="viewport" content="width=device-width, initial-scale=1"><title>Haskell Security.Advisories.Core</title><style>.advisories, .content {
margin: 1em;
}
a {
text-decoration: none;
}
a:visited {
text-decoration: none;
color: darkblue;
}
pre {
background: lightgrey;
}</style></head><body><div class="pure-u-1"><div class="pure-menu pure-menu-horizontal"><span class="pure-menu-heading pure-menu-link">Advisories list</span><ul class="pure-menu-list"><li class="pure-menu-item"><a href="by-dates.html" class="pure-menu-link">by date</a></li><li class="pure-menu-item"><a href="by-packages.html" class="pure-menu-link">by package</a></li></ul></div></div><div class="content"><div class="pure-u-1"><pre><code class="language-toml">[advisory]
id = &quot;HSEC-2023-0001&quot;
cwe = [328, 400]
keywords = [&quot;json&quot;, &quot;dos&quot;, &quot;historical&quot;]
aliases = [&quot;CVE-2022-3433&quot;]

[[affected]]
package = &quot;aeson&quot;
cvss = &quot;CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H&quot;

[[affected.versions]]
introduced = &quot;0.4.0.0&quot;
fixed = &quot;2.0.1.0&quot;

[[references]]
type = &quot;ARTICLE&quot;
url = &quot;https://cs-syd.eu/posts/2021-09-11-json-vulnerability&quot;
[[references]]
type = &quot;ARTICLE&quot;
url = &quot;https://frasertweedale.github.io/blog-fp/posts/2021-10-12-aeson-hash-flooding-protection.html&quot;
[[references]]
type = &quot;DISCUSSION&quot;
url = &quot;https://github.com/haskell/aeson/issues/864&quot;
</code></pre>
<h1>Hash flooding vulnerability in aeson</h1>
<p><em>aeson</em> was vulnerable to hash flooding (a.k.a. hash DoS). The
issue is a consequence of the HashMap implementation from
<em>unordered-containers</em>. It results in a denial of service through
CPU consumption. This technique has been used in real-world attacks
against a variety of languages, libraries and frameworks over the
years.</p>
</div></div></body></html></html>
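Review bot: the page header emitted at the top of this file reads `<!DOCTYPE HTML><html><html>` and the file ends with `</html></html>`, so the document has a duplicated root element; browsers tolerate it, but it is invalid HTML and a strict parser or validator will reject every page. The identical header and footer are stamped into each advisory page in this commit, so this is a one-line fix in the generator template rather than in the individual files. Secondary point on the same header: `<base href="..">` is a relative base URL, so the `by-dates.html` and `by-packages.html` menu links resolve one directory up from wherever the page is served; that is correct for `advisory/HSEC-2023-0001.html` but breaks silently if pages are ever nested deeper or served from another path. The site already knows its canonical location from the atom link (`https://haskell.github.io/security-advisories/`), so an absolute base would be safer.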
41 changes: 41 additions & 0 deletions advisory/HSEC-2023-0002.html
@@ -0,0 +1,41 @@
<!DOCTYPE HTML><html><html><head><meta charset="UTF-8"><base href=".."><link rel="alternate" type="application/atom+xml" href="https://haskell.github.io/security-advisories/atom.xml"><link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/[email protected]/build/pure-min.css" integrity="sha384-X38yfunGUhNzHpBaEBsWLO+A0HDYOQi8ufWDkZ0k9e0eXz/tH3II7uKZ9msv++Ls" crossorigin="anonymous"><meta name="viewport" content="width=device-width, initial-scale=1"><title>Haskell Security.Advisories.Core</title><style>.advisories, .content {
margin: 1em;
}
a {
text-decoration: none;
}
a:visited {
text-decoration: none;
color: darkblue;
}
pre {
background: lightgrey;
}</style></head><body><div class="pure-u-1"><div class="pure-menu pure-menu-horizontal"><span class="pure-menu-heading pure-menu-link">Advisories list</span><ul class="pure-menu-list"><li class="pure-menu-item"><a href="by-dates.html" class="pure-menu-link">by date</a></li><li class="pure-menu-item"><a href="by-packages.html" class="pure-menu-link">by package</a></li></ul></div></div><div class="content"><div class="pure-u-1"><pre><code class="language-toml">[advisory]
id = &quot;HSEC-2023-0002&quot;
cwe = [347]
keywords = [&quot;crypto&quot;, &quot;historical&quot;]
aliases = [&quot;CVE-2022-31053&quot;]
related = [&quot;GHSA-75rw-34q6-72cr&quot;]

[[affected]]
package = &quot;biscuit-haskell&quot;
cvss = &quot;CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H&quot;
[[affected.versions]]
introduced = &quot;0.1.0.0&quot;
fixed = &quot;0.2.0.0&quot;

[[references]]
type = &quot;REPORT&quot;
url = &quot;https://eprint.iacr.org/2020/1484&quot;
[[references]]
type = &quot;ADVISORY&quot;
url = &quot;https://github.com/biscuit-auth/biscuit/security/advisories/GHSA-75rw-34q6-72cr&quot;

</code></pre>
<h1>Improper Verification of Cryptographic Signature</h1>
<p>The Biscuit specification version 1 contains a vulnerable algorithm that allows
malicious actors to forge valid Γ-signatures. Such an attack would allow an
attacker to create a token with any access level. The version 2 of the
specification mandates a different algorithm than gamma signatures and as such
is not affected by this vulnerability.</p>
</div></div></body></html></html>
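Review bot: the description switches between "Γ-signatures" and "gamma signatures" within two sentences; pick one spelling so the term is searchable and matches whatever the referenced eprint report uses. Two smaller points in the same file: the `[[references]]` entry for `GHSA-75rw-34q6-72cr` repeats the identifier already given in `related`, so tooling that dereferences both fields will show the same link twice, which is worth deciding on deliberately in the schema; and the TOML block carries an empty line before `</code></pre>` that the other advisories do not have, so the rendered grey box ends with a stray blank line (trim trailing whitespace when rendering the advisory source).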
41 changes: 41 additions & 0 deletions advisory/HSEC-2023-0003.html
@@ -0,0 +1,41 @@
<!DOCTYPE HTML><html><html><head><meta charset="UTF-8"><base href=".."><link rel="alternate" type="application/atom+xml" href="https://haskell.github.io/security-advisories/atom.xml"><link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/[email protected]/build/pure-min.css" integrity="sha384-X38yfunGUhNzHpBaEBsWLO+A0HDYOQi8ufWDkZ0k9e0eXz/tH3II7uKZ9msv++Ls" crossorigin="anonymous"><meta name="viewport" content="width=device-width, initial-scale=1"><title>Haskell Security.Advisories.Core</title><style>.advisories, .content {
margin: 1em;
}
a {
text-decoration: none;
}
a:visited {
text-decoration: none;
color: darkblue;
}
pre {
background: lightgrey;
}</style></head><body><div class="pure-u-1"><div class="pure-menu pure-menu-horizontal"><span class="pure-menu-heading pure-menu-link">Advisories list</span><ul class="pure-menu-list"><li class="pure-menu-item"><a href="by-dates.html" class="pure-menu-link">by date</a></li><li class="pure-menu-item"><a href="by-packages.html" class="pure-menu-link">by package</a></li></ul></div></div><div class="content"><div class="pure-u-1"><pre><code class="language-toml">[advisory]
id = &quot;HSEC-2023-0003&quot;
cwe = [94]
keywords = [&quot;code&quot;, &quot;injection&quot;, &quot;historical&quot;]
aliases = [&quot;CVE-2013-1436&quot;]

[[affected]]
package = &quot;xmonad-contrib&quot;
cvss = &quot;CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P&quot;
[[affected.versions]]
introduced = &quot;0.5&quot;
fixed = &quot;0.11.2&quot;

[[references]]
type = &quot;ADVISORY&quot;
url = &quot;https://security.gentoo.org/glsa/201405-28&quot;
[[references]]
type = &quot;DISCUSSION&quot;
url = &quot;http://www.openwall.com/lists/oss-security/2013/07/26/5&quot;
[[references]]
type = &quot;FIX&quot;
url = &quot;https://github.com/xmonad/xmonad-contrib/commit/d3b2a01e3d01ac628e7a3139dd55becbfa37cf51&quot;
</code></pre>
<h1>code injection in <em>xmonad-contrib</em></h1>
<p>The <code>XMonad.Hooks.DynamicLog</code> module in <em>xmonad-contrib</em> before
<strong>0.11.2</strong> allows remote attackers to execute arbitrary commands via a
web page title, which activates the commands when the user clicks on
the xmobar window title, as demonstrated using an action tag.</p>
</div></div></body></html></html>
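Review bot: `cvss = "CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P"` is the only CVSS 2.0 vector in this commit; the other six advisories use `CVSS:3.1/...`. Anything that parses the vector prefix, computes a score or sorts advisories by severity now has to support two incompatible metric sets. Either add a 3.1 vector beside the historical 2.0 one or state in the schema that 2.0 strings are accepted. If a 3.1 vector is added, the description already supplies the metric that 2.0 cannot express: the injected commands fire only "when the user clicks on the xmobar window title", so UI:R applies.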
43 changes: 43 additions & 0 deletions advisory/HSEC-2023-0004.html
@@ -0,0 +1,43 @@
<!DOCTYPE HTML><html><html><head><meta charset="UTF-8"><base href=".."><link rel="alternate" type="application/atom+xml" href="https://haskell.github.io/security-advisories/atom.xml"><link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/[email protected]/build/pure-min.css" integrity="sha384-X38yfunGUhNzHpBaEBsWLO+A0HDYOQi8ufWDkZ0k9e0eXz/tH3II7uKZ9msv++Ls" crossorigin="anonymous"><meta name="viewport" content="width=device-width, initial-scale=1"><title>Haskell Security.Advisories.Core</title><style>.advisories, .content {
margin: 1em;
}
a {
text-decoration: none;
}
a:visited {
text-decoration: none;
color: darkblue;
}
pre {
background: lightgrey;
}</style></head><body><div class="pure-u-1"><div class="pure-menu pure-menu-horizontal"><span class="pure-menu-heading pure-menu-link">Advisories list</span><ul class="pure-menu-list"><li class="pure-menu-item"><a href="by-dates.html" class="pure-menu-link">by date</a></li><li class="pure-menu-item"><a href="by-packages.html" class="pure-menu-link">by package</a></li></ul></div></div><div class="content"><div class="pure-u-1"><pre><code class="language-toml">[advisory]
id = &quot;HSEC-2023-0004&quot;
cwe = [776]
keywords = [&quot;xml&quot;, &quot;dos&quot;, &quot;historical&quot;]
aliases = [&quot;CVE-2021-4249&quot;, &quot;VDB-216204&quot;]

[[affected]]
package = &quot;xml-conduit&quot;
cvss = &quot;CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H&quot;

[[affected.versions]]
introduced = &quot;0.5.0&quot;
fixed = &quot;1.9.1.0&quot;

[[references]]
type = &quot;FIX&quot;
url = &quot;https://github.com/snoyberg/xml/pull/161&quot;
[[references]]
type = &quot;FIX&quot;
url = &quot;https://github.com/snoyberg/xml/commit/4be1021791dcdee8b164d239433a2043dc0939ea&quot;
</code></pre>
<h1>xml-conduit unbounded entity expansion</h1>
<p>A vulnerability was found in <em>xml-conduit</em>. It has been classified
as problematic. Affected is an unknown function of the file
<code>xml-conduit/src/Text/XML/Stream/Parse.hs</code> of the component DOCTYPE
Entity Expansion Handler. The manipulation leads to infinite loop.
It is possible to launch the attack remotely. Upgrading to version
1.9.1.0 is able to address this issue. The name of the patch is
<code>4be1021791dcdee8b164d239433a2043dc0939ea</code>. It is recommended to
upgrade the affected component.</p>
</div></div></body></html></html>
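Review bot: the prose contradicts the title and the CWE. The heading says "unbounded entity expansion" and `cwe = [776]` is XML entity expansion, but the paragraph is a database-style blurb ("Affected is an unknown function of the file ... The manipulation leads to infinite loop.") that names no function, says "infinite loop" instead of expansion, and repeats the patch hash that is already present in the FIX reference. Rewrite it in the project's own words: which DOCTYPE entity handling in `Text.XML.Stream.Parse` expands entities without a bound, what kind of input triggers it (nested internal entity definitions, if that is the case), the observable effect (memory or CPU exhaustion versus a parse that never terminates), and what 1.9.1.0 changes, so a reader can decide whether parsing untrusted XML with their version is affected. "It has been classified as problematic" carries no information next to the CVSS vector and should go.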
44 changes: 44 additions & 0 deletions advisory/HSEC-2023-0005.html
@@ -0,0 +1,44 @@
<!DOCTYPE HTML><html><html><head><meta charset="UTF-8"><base href=".."><link rel="alternate" type="application/atom+xml" href="https://haskell.github.io/security-advisories/atom.xml"><link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/[email protected]/build/pure-min.css" integrity="sha384-X38yfunGUhNzHpBaEBsWLO+A0HDYOQi8ufWDkZ0k9e0eXz/tH3II7uKZ9msv++Ls" crossorigin="anonymous"><meta name="viewport" content="width=device-width, initial-scale=1"><title>Haskell Security.Advisories.Core</title><style>.advisories, .content {
margin: 1em;
}
a {
text-decoration: none;
}
a:visited {
text-decoration: none;
color: darkblue;
}
pre {
background: lightgrey;
}</style></head><body><div class="pure-u-1"><div class="pure-menu pure-menu-horizontal"><span class="pure-menu-heading pure-menu-link">Advisories list</span><ul class="pure-menu-list"><li class="pure-menu-item"><a href="by-dates.html" class="pure-menu-link">by date</a></li><li class="pure-menu-item"><a href="by-packages.html" class="pure-menu-link">by package</a></li></ul></div></div><div class="content"><div class="pure-u-1"><pre><code class="language-toml">[advisory]
id = &quot;HSEC-2023-0005&quot;
cwe = [295]
keywords = [&quot;x509&quot;, &quot;pki&quot;, &quot;mitm&quot;, &quot;historical&quot;]
aliases = [&quot;CVE-2013-0243&quot;]

[[affected]]
package = &quot;tls-extra&quot;
cvss = &quot;CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N&quot;

[[affected.versions]]
introduced = &quot;0.1.0&quot;
fixed = &quot;0.4.6.1&quot;

[[references]]
type = &quot;DISCUSSION&quot;
url = &quot;https://www.openwall.com/lists/oss-security/2013/01/30/6&quot;
[[references]]
type = &quot;REPORT&quot;
url = &quot;https://github.com/haskell-tls/hs-tls/issues/29&quot;
[[references]]
type = &quot;FIX&quot;
url = &quot;https://github.com/haskell-tls/hs-tls/commit/15885c0649ceabd2f4d2913df8ac6dc63d6b3b37&quot;
</code></pre>
<h1>tls-extra: certificate validation does not check Basic Constraints</h1>
<p><em>tls-extra</em> does not check the Basic Constraints extension of a
certificate in certificate chain processing. Any certificate is
treated as a CA certificate. As a consequence, anyone who has a
valid certificate can use it to sign another one (with an arbitrary
subject DN/domain name embedded into it) and have it accepted by
<em>tls</em>. This allows MITM attacks on TLS connections.</p>
</div></div></body></html></html>
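Review bot: the affected package is `tls-extra`, but the last sentence says a forged certificate would "be accepted by tls". A reader cannot tell from this page whether the `tls` package is affected in its own right or only because it relied on tls-extra for chain validation in those versions; say which, and if `tls` itself is affected it needs its own `[[affected]]` entry with a version range. The rest of the description has the right shape: it names the missing check (the Basic Constraints extension, so every certificate is treated as a CA), the attacker's precondition (any valid certificate) and the consequence (a chain with an arbitrary subject DN or domain name is accepted, enabling MITM).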
36 changes: 36 additions & 0 deletions advisory/HSEC-2023-0006.html
@@ -0,0 +1,36 @@
<!DOCTYPE HTML><html><html><head><meta charset="UTF-8"><base href=".."><link rel="alternate" type="application/atom+xml" href="https://haskell.github.io/security-advisories/atom.xml"><link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/[email protected]/build/pure-min.css" integrity="sha384-X38yfunGUhNzHpBaEBsWLO+A0HDYOQi8ufWDkZ0k9e0eXz/tH3II7uKZ9msv++Ls" crossorigin="anonymous"><meta name="viewport" content="width=device-width, initial-scale=1"><title>Haskell Security.Advisories.Core</title><style>.advisories, .content {
margin: 1em;
}
a {
text-decoration: none;
}
a:visited {
text-decoration: none;
color: darkblue;
}
pre {
background: lightgrey;
}</style></head><body><div class="pure-u-1"><div class="pure-menu pure-menu-horizontal"><span class="pure-menu-heading pure-menu-link">Advisories list</span><ul class="pure-menu-list"><li class="pure-menu-item"><a href="by-dates.html" class="pure-menu-link">by date</a></li><li class="pure-menu-item"><a href="by-packages.html" class="pure-menu-link">by package</a></li></ul></div></div><div class="content"><div class="pure-u-1"><pre><code class="language-toml">[advisory]
id = &quot;HSEC-2023-0006&quot;
cwe = [295]
keywords = [&quot;x509&quot;, &quot;pki&quot;, &quot;historical&quot;]

[[affected]]
package = &quot;x509-validation&quot;
cvss = &quot;CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N&quot;

[[affected.versions]]
introduced = &quot;1.4.0&quot;
fixed = &quot;1.4.8&quot;

[[references]]
type = &quot;FIX&quot;
url = &quot;https://github.com/haskell-tls/hs-certificate/commit/06d15dbbc53739314760d8504ca764000770e46e&quot;
</code></pre>
<h1>x509-validation does not enforce pathLenConstraint</h1>
<p><em>x509-validation</em> prior to version 1.4.8 did not enforce the
pathLenConstraint value. Constrained CAs could accidentally (or
deliberately) issue CAs below the maximum depth and
<em>x509-validation</em> would accept certificates issued by the
unauthorised intermediate CAs.</p>
</div></div></body></html></html>
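Review bot: the vector `CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N` needs a sentence of justification in the prose. PR:H presumably reflects that the attacker must already hold a CA certificate carrying a pathLenConstraint, which the description implies ("Constrained CAs could accidentally (or deliberately) issue CAs below the maximum depth"), but UI:R is hard to reconcile with a chain-validation bug where the victim is the validating peer and does nothing beyond connecting, and AC:H is left unexplained. State the prerequisite explicitly so the score is reviewable. This entry also has no `aliases` (no CVE) and a single FIX reference, so a reader wanting more detail has only the commit to go on; if a report or discussion thread exists, add it.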
77 changes: 77 additions & 0 deletions advisory/HSEC-2023-0007.html
@@ -0,0 +1,77 @@
<!DOCTYPE HTML><html><html><head><meta charset="UTF-8"><base href=".."><link rel="alternate" type="application/atom+xml" href="https://haskell.github.io/security-advisories/atom.xml"><link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/[email protected]/build/pure-min.css" integrity="sha384-X38yfunGUhNzHpBaEBsWLO+A0HDYOQi8ufWDkZ0k9e0eXz/tH3II7uKZ9msv++Ls" crossorigin="anonymous"><meta name="viewport" content="width=device-width, initial-scale=1"><title>Haskell Security.Advisories.Core</title><style>.advisories, .content {
margin: 1em;
}
a {
text-decoration: none;
}
a:visited {
text-decoration: none;
color: darkblue;
}
pre {
background: lightgrey;
}</style></head><body><div class="pure-u-1"><div class="pure-menu pure-menu-horizontal"><span class="pure-menu-heading pure-menu-link">Advisories list</span><ul class="pure-menu-list"><li class="pure-menu-item"><a href="by-dates.html" class="pure-menu-link">by date</a></li><li class="pure-menu-item"><a href="by-packages.html" class="pure-menu-link">by package</a></li></ul></div></div><div class="content"><div class="pure-u-1"><pre><code class="language-toml">[advisory]
id = &quot;HSEC-2023-0007&quot;
cwe = [1284, 789]
keywords = [&quot;toml&quot;, &quot;parser&quot;, &quot;dos&quot;]

[[affected]]
package = &quot;base&quot;
cvss = &quot;CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H&quot;
[[affected.versions]]
# it was introduced earlier, but this is the earliest version on Hackage
introduced = &quot;3.0.3.1&quot;

[[affected]]
package = &quot;toml-reader&quot;
cvss = &quot;CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H&quot;
[[affected.versions]]
introduced = &quot;0.1.0.0&quot;
fixed = &quot;0.2.0.0&quot;

[[references]]
type = &quot;REPORT&quot;
url = &quot;https://gitlab.haskell.org/ghc/ghc/-/issues/23538&quot;
[[references]]
type = &quot;REPORT&quot;
url = &quot;https://github.com/brandonchinn178/toml-reader/issues/8&quot;
[[references]]
type = &quot;FIX&quot;
url = &quot;https://github.com/brandonchinn178/toml-reader/pull/9&quot;

</code></pre>
<h1><code>readFloat</code>: memory exhaustion with large exponent</h1>
<p><code>Numeric.readFloat</code> takes time and memory linear in the size of the
number <em>denoted</em> by the input string. In particular, processing a
number expressed in scientific notation with a very large exponent
could cause a denial of service. The slowdown is observable on a
modern machine running GHC 9.4.4:</p>
<pre><code>ghci&gt; import qualified Numeric
ghci&gt; Numeric.readFloat &quot;1e1000000&quot; -- near instantaneous
[(Infinity,&quot;&quot;)]
ghci&gt; Numeric.readFloat &quot;1e10000000&quot; -- perceptible pause
[(Infinity,&quot;&quot;)]
ghci&gt; Numeric.readFloat &quot;1e100000000&quot; -- ~ 3 seconds
[(Infinity,&quot;&quot;)]
ghci&gt; Numeric.readFloat &quot;1e1000000000&quot; -- ~ 35 seconds
[(Infinity,&quot;&quot;)]
</code></pre>
<h2>In <em>base</em></h2>
<p><code>Numeric.readFloat</code> is defined for all <code>RealFrac a =&gt; a</code>:</p>
<pre><code class="language-haskell">readFloat :: RealFrac a =&gt; ReadS a
</code></pre>
<p>The <code>RealFrac</code> type class does not express any bounds on the size of
values representable in the types for which instances exist, so
bounds checking is not possible (in this <em>generic</em> function).
<code>readFloat</code> uses to <code>Text.Read.Lex.numberToRational</code> which, among
other things, calculates <code>10 ^ exponent</code>, which seems to take linear
time and memory.</p>
<p><strong>Mitigation:</strong> use <code>read</code>. The <code>Read</code> instances for <code>Float</code> and
<code>Double</code> perform bounds checks on the exponent, via
<code>Text.Read.Lex.numberToRangedRational</code>.</p>
<h2>In <em>toml-reader</em></h2>
<p>The issue was detected in <em>toml-reader</em> version 0.1.0.0, and
mitigated in version 0.2.0.0 by immediately returning <code>Infinity</code>
when the exponent is large enough that there's no reason to process
it.</p>
</div></div></body></html></html>
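Review bot: the `base` entry has `introduced = "3.0.3.1"` and no `fixed` version, so the advisory as data says every `base` published on Hackage is affected, while the prose never says outright that `base` is unfixed; add one sentence under "In base" stating that no fixed version exists at the time of writing and that the `read` mitigation is the available option, rather than leaving it to be inferred from the missing field. Typo in the same section: "readFloat uses to Text.Read.Lex.numberToRational" should read "readFloat uses Text.Read.Lex.numberToRational". The ghci transcript sits in a bare `<pre><code>` while the type signature below it has `class="language-haskell"`; give the transcript a class as well so the highlighter treats both blocks the same way. The mitigation itself is sound, and the timings ("~ 3 seconds" for 1e100000000, "~ 35 seconds" for 1e1000000000) already make the linear growth concrete, so "seems to take linear time and memory" could drop the hedge or point at the GHC issue for the analysis.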