[automatic] Publish and update 5 advisories for 5 packages

advisories/published/2025/JLSEC-0000-mnscfiu1l-15wmifx.md

@@ -0,0 +1,24 @@
+```toml
+schema_version = "1.7.3"
+id = "JLSEC-0000-mnscfiu1l-15wmifx"
+modified = 2025-10-24T03:21:50.745Z
+upstream = ["CVE-2025-26465"]
+references = ["https://access.redhat.com/errata/RHSA-2025:16823", "https://access.redhat.com/errata/RHSA-2025:3837", "https://access.redhat.com/errata/RHSA-2025:6993", "https://access.redhat.com/errata/RHSA-2025:8385", "https://access.redhat.com/security/cve/CVE-2025-26465", "https://access.redhat.com/solutions/7109879", "https://bugzilla.redhat.com/show_bug.cgi?id=2344780", "https://seclists.org/oss-sec/2025/q1/144", "https://blog.qualys.com/vulnerabilities-threat-research/2025/02/18/qualys-tru-discovers-two-vulnerabilities-in-openssh-cve-2025-26465-cve-2025-26466", "https://bugzilla.suse.com/show_bug.cgi?id=1237040", "https://ftp.openbsd.org/pub/OpenBSD/patches/7.6/common/008_ssh.patch.sig", "https://lists.debian.org/debian-lts-announce/2025/02/msg00020.html", "https://lists.mindrot.org/pipermail/openssh-unix-announce/2025-February/000161.html", "https://security-tracker.debian.org/tracker/CVE-2025-26465", "https://security.netapp.com/advisory/ntap-20250228-0003/", "https://ubuntu.com/security/CVE-2025-26465", "https://www.openssh.com/releasenotes.html#9.9p2", "https://www.openwall.com/lists/oss-security/2025/02/18/1", "https://www.openwall.com/lists/oss-security/2025/02/18/4", "https://www.theregister.com/2025/02/18/openssh_vulnerabilities_mitm_dos/", "https://www.vicarius.io/vsociety/posts/cve-2025-26465-detect-vulnerable-openssh", "https://www.vicarius.io/vsociety/posts/cve-2025-26465-mitigate-vulnerable-openssh", "https://seclists.org/oss-sec/2025/q1/144"]
+
+[[affected]]
+pkg = "OpenSSH_jll"
+ranges = [">= 9.3.2+0, < 9.9.1+0"]
+
+[[jlsec_sources]]
+id = "CVE-2025-26465"
+imported = 2025-10-24T03:21:50.727Z
+modified = 2025-10-23T03:15:30.320Z
+published = 2025-02-18T19:15:29.230Z
+url = "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2025-26465"
+html_url = "https://nvd.nist.gov/vuln/detail/CVE-2025-26465"
+```
+
+# A vulnerability was found in OpenSSH when the VerifyHostKeyDNS option is enabled
+
+A vulnerability was found in OpenSSH when the VerifyHostKeyDNS option is enabled. A machine-in-the-middle attack can be performed by a malicious machine impersonating a legit server. This issue occurs due to how OpenSSH mishandles error codes in specific conditions when verifying the host key. For an attack to be considered successful, the attacker needs to manage to exhaust the client's memory resource first, turning the attack complexity high.
+

advisories/published/2025/JLSEC-0000-mnscfj3z8-eulqd0.md

@@ -0,0 +1,46 @@
+```toml
+schema_version = "1.7.3"
+id = "JLSEC-0000-mnscfj3z8-eulqd0"
+modified = 2025-10-24T03:22:03.620Z
+upstream = ["CVE-2025-4575"]
+references = ["https://github.com/openssl/openssl/commit/e96d22446e633d117e6c9904cb15b4693e956eaa", "https://openssl-library.org/news/secadv/20250522.txt", "http://www.openwall.com/lists/oss-security/2025/05/22/1"]
+
+[[affected]]
+pkg = "OpenSSL_jll"
+ranges = [">= 3.5.0+0, < 3.5.1+0"]
+
+[[jlsec_sources]]
+id = "CVE-2025-4575"
+imported = 2025-10-24T03:22:03.620Z
+modified = 2025-10-23T14:51:30.377Z
+published = 2025-05-22T14:16:07.630Z
+url = "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2025-4575"
+html_url = "https://nvd.nist.gov/vuln/detail/CVE-2025-4575"
+```
+
+# Issue summary: Use of -addreject option with the openssl x509 application adds a trusted use instead...
+
+Issue summary: Use of -addreject option with the openssl x509 application adds
+a trusted use instead of a rejected use for a certificate.
+
+Impact summary: If a user intends to make a trusted certificate rejected for
+a particular use it will be instead marked as trusted for that use.
+
+A copy & paste error during minor refactoring of the code introduced this
+issue in the OpenSSL 3.5 version. If, for example, a trusted CA certificate
+should be trusted only for the purpose of authenticating TLS servers but not
+for CMS signature verification and the CMS signature verification is intended
+to be marked as rejected with the -addreject option, the resulting CA
+certificate will be trusted for CMS signature verification purpose instead.
+
+Only users which use the trusted certificate format who use the openssl x509
+command line application to add rejected uses are affected by this issue.
+The issues affecting only the command line application are considered to
+be Low severity.
+
+The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this
+issue.
+
+OpenSSL 3.4, 3.3, 3.2, 3.1, 3.0, 1.1.1 and 1.0.2 are also not affected by this
+issue.
+

advisories/published/2025/JLSEC-0000-mnscfjd6u-o4dt7x.md

@@ -0,0 +1,26 @@
+```toml
+schema_version = "1.7.3"
+id = "JLSEC-0000-mnscfjd6u-o4dt7x"
+modified = 2025-10-24T03:22:15.558Z
+upstream = ["CVE-2025-32988"]
+references = ["https://access.redhat.com/errata/RHSA-2025:16115", "https://access.redhat.com/errata/RHSA-2025:16116", "https://access.redhat.com/errata/RHSA-2025:17348", "https://access.redhat.com/errata/RHSA-2025:17361", "https://access.redhat.com/errata/RHSA-2025:17415", "https://access.redhat.com/errata/RHSA-2025:19088", "https://access.redhat.com/security/cve/CVE-2025-32988", "https://bugzilla.redhat.com/show_bug.cgi?id=2359622"]
+
+[[affected]]
+pkg = "GnuTLS_jll"
+ranges = ["*"]
+
+[[jlsec_sources]]
+id = "CVE-2025-32988"
+imported = 2025-10-24T03:22:15.558Z
+modified = 2025-10-23T20:15:38.550Z
+published = 2025-07-10T08:15:24.223Z
+url = "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2025-32988"
+html_url = "https://nvd.nist.gov/vuln/detail/CVE-2025-32988"
+```
+
+# A flaw was found in GnuTLS
+
+A flaw was found in GnuTLS. A double-free vulnerability exists in GnuTLS due to incorrect ownership handling in the export logic of Subject Alternative Name (SAN) entries containing an otherName. If the type-id OID is invalid or malformed, GnuTLS will call asn1_delete_structure() on an ASN.1 node it does not own, leading to a double-free condition when the parent function or caller later attempts to free the same structure.
+
+This vulnerability can be triggered using only public GnuTLS APIs and may result in denial of service or memory corruption, depending on allocator behavior.
+

advisories/published/2025/JLSEC-0000-mnscfjv9c-1tlojuo.md

@@ -0,0 +1,24 @@
+```toml
+schema_version = "1.7.3"
+id = "JLSEC-0000-mnscfjv9c-1tlojuo"
+modified = 2025-10-24T03:22:38.976Z
+upstream = ["CVE-2025-59438"]
+references = ["https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2025-10-invalid-padding-error/", "https://mbed-tls.readthedocs.io/en/latest/tech-updates/security-advisories/"]
+
+[[affected]]
+pkg = "MbedTLS_jll"
+ranges = ["*"]
+
+[[jlsec_sources]]
+id = "CVE-2025-59438"
+imported = 2025-10-24T03:22:38.953Z
+modified = 2025-10-23T12:35:35.187Z
+published = 2025-10-21T15:15:39.103Z
+url = "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2025-59438"
+html_url = "https://nvd.nist.gov/vuln/detail/CVE-2025-59438"
+```
+
+# Mbed TLS through 3.6.4 has an Observable Timing Discrepancy.
+
+Mbed TLS through 3.6.4 has an Observable Timing Discrepancy.
+

advisories/published/2025/JLSEC-2025-96.md

@@ -4,16 +4,16 @@ id = "JLSEC-2025-96"
 modified = 2025-10-21T14:31:12.874Z
 published = 2025-10-19T18:40:48.457Z
 upstream = ["CVE-2025-5318"]
-references = ["https://access.redhat.com/errata/RHSA-2025:18231", "https://access.redhat.com/errata/RHSA-2025:18275", "https://access.redhat.com/errata/RHSA-2025:18286", "https://access.redhat.com/security/cve/CVE-2025-5318", "https://bugzilla.redhat.com/show_bug.cgi?id=2369131", "https://www.libssh.org/security/advisories/CVE-2025-5318.txt"]
+references = ["https://access.redhat.com/errata/RHSA-2025:18231", "https://access.redhat.com/errata/RHSA-2025:18275", "https://access.redhat.com/errata/RHSA-2025:18286", "https://access.redhat.com/errata/RHSA-2025:19012", "https://access.redhat.com/security/cve/CVE-2025-5318", "https://bugzilla.redhat.com/show_bug.cgi?id=2369131", "https://www.libssh.org/security/advisories/CVE-2025-5318.txt"]
 
 [[affected]]
 pkg = "libssh_jll"
-ranges = ["< 0.11.3+0"]
+ranges = ["*"]
 
 [[jlsec_sources]]
 id = "CVE-2025-5318"
-imported = 2025-10-21T03:24:54.925Z
-modified = 2025-10-20T08:15:33.070Z
+imported = 2025-10-24T03:22:11.086Z
+modified = 2025-10-23T20:15:40.607Z
 published = 2025-06-24T14:15:30.523Z
 url = "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2025-5318"
 html_url = "https://nvd.nist.gov/vuln/detail/CVE-2025-5318"