On Tue, May 13, 2025 at 11:45:58PM +0200, Moritz Mühlenhoff wrote:
> Source: golang-github-openpubkey-openpubkey
> X-Debbugs-CC: t...@security.debian.org
> Severity: important
> Tags: security
>
> Hi,
>
> The following vulnerability was published for
> golang-github-openpubkey-openpubkey.
>
> The details are rather scarce, basically just the CVE description; might
> be worth reaching out to upstream for further information.
>
> CVE-2025-4658[0]:
> | Versions of OpenPubkey library prior to 0.10.0 contained a
> | vulnerability that would allow a specially crafted JWS to bypass
> | signature verification. As OPKSSH depends on the OpenPubkey library
> | for authentication, this vulnerability in OpenPubkey also applies to
> | OPKSSH versions prior to 0.5.0 and would allow an attacker to bypass
> | OPKSSH authentication.
There's also CVE-2025-3757, which seems to be the same?

  Versions of OpenPubkey library prior to 0.10.0 contained a vulnerability
  that would allow a specially crafted JWS to bypass signature verification.

Cheers,
Moritz
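Nothing in this thread says how the crafted JWS defeats verification, so what follows is not a reconstruction of CVE-2025-4658 and is not OpenPubkey's or OPKSSH's code. It is an added example, written for this page, of the checks a compact-JWS verifier in Go has to make and the order it has to make them in (segment count, strict unpadded base64url, algorithm allowlist before any signature bytes are touched, signature computed over the segments as received), together with a handful of constructed malformed tokens that a correct verifier must reject. It uses only the standard library; the choice of ES256, the sample payloads and the `CraftedVariants` helper are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

// allowedAlgs pins the verifier to the algorithm its key type supports; anything
// else, including "none", is rejected before the signature is even decoded.
var allowedAlgs = map[string]bool{"ES256": true}

// RFC 7515 requires unpadded base64url; Strict() also refuses non-zero trailing bits.
var b64 = base64.RawURLEncoding.Strict()

// SignES256 produces a compact JWS (header.payload.signature) with a P-256 key.
func SignES256(priv *ecdsa.PrivateKey, payload []byte) (string, error) {
	hdr := b64.EncodeToString([]byte(`{"alg":"ES256"}`)) // assumed header for the example
	signingInput := hdr + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64) // RFC 7518 §3.4: r||s, each left-padded to 32 bytes
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// VerifyES256 returns the payload only when every structural check and the
// signature check pass; on any failure it returns an error and no payload.
func VerifyES256(pub *ecdsa.PublicKey, token string) ([]byte, error) {
	// Go's base64 decoder silently skips CR and LF, so refuse them up front.
	if strings.ContainsAny(token, "\r\n") {
		return nil, errors.New("jws: control characters in token")
	}
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("jws: expected 3 segments, got %d", len(parts))
	}
	hdrBytes, err := b64.DecodeString(parts[0])
	if err != nil {
		return nil, fmt.Errorf("jws: header: %w", err)
	}
	var hdr struct{ Alg string `json:"alg"` }
	if err := json.Unmarshal(hdrBytes, &hdr); err != nil {
		return nil, fmt.Errorf("jws: header: %w", err)
	}
	if !allowedAlgs[hdr.Alg] {
		return nil, fmt.Errorf("jws: algorithm %q not allowed", hdr.Alg)
	}
	payload, err := b64.DecodeString(parts[1])
	if err != nil {
		return nil, fmt.Errorf("jws: payload: %w", err)
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return nil, errors.New("jws: signature must decode to exactly 64 bytes")
	}
	// Hash the segments exactly as received, never a re-encoding of the decoded bytes.
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	r, s := new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])
	if !ecdsa.Verify(pub, digest[:], r, s) {
		return nil, errors.New("jws: signature verification failed")
	}
	return payload, nil
}

// CraftedVariants derives malformed tokens (constructed for this example) from a
// valid one; a correct verifier must reject every one of them.
func CraftedVariants(token string) map[string]string {
	p := strings.Split(token, ".")
	noneHdr := b64.EncodeToString([]byte(`{"alg":"none"}`))
	swapped := b64.EncodeToString([]byte(`{"sub":"attacker","admin":true}`))
	return map[string]string{
		"alg none, empty signature": noneHdr + "." + p[1] + ".",
		"payload swapped":           p[0] + "." + swapped + "." + p[2],
		"signature truncated":       p[0] + "." + p[1] + "." + p[2][:len(p[2])-4],
		"extra segment":             token + ".x",
		"newline inside segment":    p[0] + "." + p[1] + "\n." + p[2],
	}
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tok, _ := SignES256(priv, []byte(`{"sub":"alice"}`))
	payload, err := VerifyES256(&priv.PublicKey, tok)
	fmt.Printf("valid token -> %s (err=%v)\n", payload, err)
	for name, bad := range CraftedVariants(tok) {
		_, err := VerifyES256(&priv.PublicKey, bad)
		fmt.Printf("%-26s -> %v\n", name, err)
	}
}
```

`go run` prints the valid token's payload and then the error each crafted variant produces. The ordering is the point: the algorithm allowlist is consulted before any signature bytes are decoded, so a header naming an algorithm the key cannot satisfy never reaches the cryptographic check, and the digest is always taken over the header and payload segments as they arrived on the wire rather than over a re-encoding that might differ from what was signed.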