List:       oss-security
Subject:    Re: [oss-security] NATS: 2023-01: Adding accounts for just the system account adds auth bypass
From:       Phil Pennock <oss-security-phil () spodhuis ! org>
Date:       2023-10-30 17:40:46
Message-ID: ZT/qnsR7RiQSv99z () hill ! local

On 2023-10-29 at 15:51 -0400, Phil Pennock wrote:
> On 2023-10-28 at 17:51 +0200, Salvatore Bonaccorso wrote:
> > On Thu, Oct 12, 2023 at 10:39:53PM -0400, Phil Pennock wrote:
> > > [ CVE has been requested, still waiting for assignment, so we're just
> > >   inventing our own in-house numbering for advisories; we'll make sure
> > >   this one continues to work after the CVE is issued ]
> > > 
> > > NATS-advisory-ID: 2023-01
> > > CVE: pending
> > > Date: 2023-10-12
> > > Fixed in: 2.9.23, 2.10.2
> > 
> > While I see the later NATS-advisory-ID 2023-02 has a CVE assigned, for
> > the 2023-01 was above with CVE pending. Has one been assigned in
> > the meanwhile?
> 
> No.

Now: yes.  CVE-2023-47090 has been assigned today.

My thanks to whoever gave the nudge.

(Website will be updated as soon as GitHub has an action runner
available to process the pages build).

-Phil