Re: [rare-dev] bulk upgrade of the rare packages


  • From: Alexander Gall <>
  • To: mc36 <>
  • Cc: Xavier Jeannin <>
  • Subject: Re: [rare-dev] bulk upgrade of the rare packages
  • Date: Fri, 22 Jul 2022 14:21:05 +0200

On Fri, 22 Jul 2022 10:24:27 +0200, mc36 <> said:

> On 7/22/22 10:00, Alexander Gall wrote:
>> On Fri, 22 Jul 2022 08:35:08 +0200, mc36 <> said:

>>> the jvm we're shipping also had several cves, one accepts empty ec
>>> signatures as valid
>>> (CVE-2022-21449), rendering such signatures hackable...
>>
>> In contrast, this is actually part of the Nix package
>> collection. However, that jvm is used exclusively to run freerouter
>> and nothing else. How would you assess the impact of this particular
>> vulnerability for that specific purpose? It doesn't look critical to
>> me according to the description:
>> > "This vulnerability applies to Java deployments, typically in clients
>> running sandboxed Java Web Start applications or sandboxed Java
>> applets, that load and run untrusted code (e.g., code that comes from
>> the internet) and rely on the Java sandbox for security"
>>

> so it was a missing emptiness check in the very core of ec signature
> verification, affecting everything that uses that... most notably the tls
> handshake is the most prominent example, but everything that does an ec
> verify operation is affected...

CVE-2022-21449 appears to not affect OpenJDK 14 (what we currently
use) according to
https://openjdk.org/groups/vulnerability/advisories/2022-04-19. Can
you confirm this?

--
Alex


