diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml index d9e3b1da6c92..e904a88b6f9e 100644 --- a/security/vuxml/vuln.xml +++ b/security/vuxml/vuln.xml @@ -58,6 +58,41 @@ Notes: * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> + + libidn2 -- roundtrip check vulnerability + + + libidn2 + 2.3.0 + + + + +

CVE list:

+
+

.

+

GNU libidn2 before 2.2.0 fails to perform the roundtrip checks + specified in RFC3490 Section 4.2 when converting A-labels to U-labels. + This makes it possible in some circumstances for one domain to + impersonate another. By creating a malicious domain that matches a + target domain except for the inclusion of certain punycoded Unicode + characters (that would be discarded when converted first to a Unicode + label and then back to an ASCII label), arbitrary domains can be + impersonated.

+
+ +
+ + https://gitlab.com/libidn/libidn2/blob/master/NEWS + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12290 + CVE-2019-12290 + + + 2019-11-14 + 2019-11-18 + +
+ GNU cpio -- multiple vulnerabilities
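Review bot: the version bound in the new libidn2 entry's affected range (package libidn2, bound 2.3.0) disagrees with the quoted description, which says the roundtrip check is missing in "GNU libidn2 before 2.2.0". If the range is meant to stop at the fixed release, set the bound to 2.2.0 so that fixed versions are not flagged. If 2.3.0 is intentional, say why in the description or add a reference that supports it, since the two references listed (the NEWS file and the CVE-2019-12290 page) are the only justification a reader has. The comment at the top of the hunk also reminds committers not to forget port variants, and this entry names only libidn2, so confirm that no other port packages the same code under a different name.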