Source: fastdds
Version: 3.1.2+ds-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi Timo,

The following vulnerability was published for fastdds. But I'm not really sure about the state of it, whether upstream intends to act on it or already has; there is one reference associated with various DDS implementations, each of which got its own CVE, CVE-2023-24010 for fastdds.

CVE-2023-24010[0]:
| An attacker can arbitrarily craft malicious DDS Participants (or ROS
| 2 Nodes) with valid certificates to compromise and get full control
| of the attacked secure DDS databus system by exploiting vulnerable
| attributes in the configuration of PKCS#7 certificate’s validation.
| This is caused by a non-compliant implementation of permission
| document verification used by some DDS vendors. Specifically, an
| improper use of the OpenSSL PKCS7_verify function used to validate
| S/MIME signatures.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-24010
    https://www.cve.org/CVERecord?id=CVE-2023-24010
[1] https://github.com/ros2/sros2/issues/282

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
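Editor's note (added example, not code from fastdds, sros2 or the bug report). The CVE text only says that PKCS7_verify was used improperly to validate the S/MIME-signed permissions document; it does not name the flag or parameter. The DDS Security specification requires that document to be signed by the Permissions CA itself, so the script below reproduces with the openssl CLI the three verification strengths a practitioner should distinguish and which signer each one accepts: signature only (`-noverify`, PKCS7_NOVERIFY in the C API), chain to the Permissions CA (`-CAfile`, i.e. the X509_STORE passed to PKCS7_verify), and chain plus the requirement that the signer certificate is the Permissions CA. Which of these fastdds actually implemented is not stated on this page. The certificate names, subjects and the placeholder XML are constructed for the example; the script needs only the `openssl` binary and creates everything in a scratch directory.

```shell
#!/bin/sh
# Added example, not fastdds/sros2 code. Demonstrates how much a PKCS#7/S-MIME
# "verify" of a DDS permissions document actually checks, depending on how the
# verification is configured. All names, subjects and the XML are made up.
# CLI <-> C API: -noverify is PKCS7_NOVERIFY; -CAfile fills the X509_STORE
# handed to PKCS7_verify().

new_selfsigned() {   # new_selfsigned <name> <CN> -> <name>.key, <name>.pem (req -x509 marks it CA:TRUE)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

new_leaf() {         # new_leaf <name> <issuer> <CN> -> end-entity cert issued by <issuer>
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null &&
    openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial \
        -days 1 -out "$1.pem" 2>/dev/null
}

sign_doc() {         # sign_doc <signer> <out.p7s>: S/MIME-sign the permissions document
    openssl smime -sign -text -in permissions.xml -signer "$1.pem" -inkey "$1.key" \
        -out "$2" 2>/dev/null
}

# 1. Signature only: -noverify skips the signer chain, so any key can sign.
verify_noverify() {  # verify_noverify <doc.p7s>
    openssl smime -verify -text -noverify -in "$1" -out /dev/null 2>/dev/null
}

# 2. Chain only: the signer must chain to the Permissions CA, but every
#    certificate that CA issued (e.g. a participant identity cert) is accepted.
verify_chain() {     # verify_chain <doc.p7s> <ca>
    openssl smime -verify -text -in "$1" -CAfile "$2.pem" -out /dev/null 2>/dev/null
}

# 3. Chain plus signer identity: the signer must BE the Permissions CA cert
#    (compared by SHA-256 fingerprint of the cert the signature resolves to).
verify_signer_is_ca() {  # verify_signer_is_ca <doc.p7s> <ca>
    openssl smime -verify -text -in "$1" -CAfile "$2.pem" -signer signer.pem \
        -out /dev/null 2>/dev/null || return 1
    [ "$(fingerprint signer.pem)" = "$(fingerprint "$2.pem")" ]
}

fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256; }

verdict() { if "$@"; then echo accept; else echo reject; fi; }

# Build the scenario in a scratch directory; print one line per signer.
run_demo() (
    dir=$(mktemp -d) && cd "$dir" || exit 1
    printf '<dds><permissions><grant name="demo"/></permissions></dds>\n' > permissions.xml
    new_selfsigned permissions_ca "Permissions CA" || exit 1
    new_leaf node permissions_ca "participant"     || exit 1   # a valid identity cert from the same CA
    new_selfsigned rogue "Rogue"                   || exit 1   # unrelated self-signed cert
    for s in permissions_ca node rogue; do
        sign_doc "$s" "$s.p7s" || exit 1
        echo "$s noverify=$(verdict verify_noverify "$s.p7s")" \
             "chain=$(verdict verify_chain "$s.p7s" permissions_ca)" \
             "signer_is_ca=$(verdict verify_signer_is_ca "$s.p7s" permissions_ca)"
    done
    cd / && rm -rf "$dir"
)

run_demo
```

The middle line is the one to look at: a document signed by an ordinary participant certificate passes the chain-only check whenever the identity CA and the Permissions CA are the same certificate (a common single-CA deployment), yet fails the check that the signer is the Permissions CA. The `rogue` line shows that `-noverify` accepts any well-formed signature at all.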