Control: clone -1 -2
Control: reassign -2 src:opkssh
Control: retitle -2 opkssh: CVE-2025-4658
Control: retitle -1 golang-github-openpubkey-openpubkey: CVE-2025-3757
Hi Moritz,

On Tue, May 13, 2025 at 11:51:57PM +0200, Moritz Mühlenhoff wrote:
> On Tue, May 13, 2025 at 11:45:58PM +0200, Moritz Mühlenhoff wrote:
> > Source: golang-github-openpubkey-openpubkey
> > X-Debbugs-CC: t...@security.debian.org
> > Severity: important
> > Tags: security
> >
> > Hi,
> >
> > The following vulnerability was published for
> > golang-github-openpubkey-openpubkey.
> >
> > The details are rather scarce, basically just the CVE description; it might
> > be worth reaching out to upstream for further information.
> >
> > CVE-2025-4658[0]:
> > | Versions of OpenPubkey library prior to 0.10.0 contained a
> > | vulnerability that would allow a specially crafted JWS to bypass
> > | signature verification. As OPKSSH depends on the OpenPubkey library
> > | for authentication, this vulnerability in OpenPubkey also applies to
> > | OPKSSH versions prior to 0.5.0 and would allow an attacker to bypass
> > | OPKSSH authentication.
>
> There's also CVE-2025-3757, which seems to be the same?
>
> Versions of OpenPubkey library prior to 0.10.0 contained a vulnerability
> that would allow a specially crafted JWS to bypass signature verification.

I think they are different; here is the argument on my side:
CVE-2025-4658 is for opkssh and references
https://github.com/openpubkey/opkssh/security/advisories/GHSA-56wx-66px-9j66
while CVE-2025-3757 would be this one for golang-github-openpubkey-openpubkey
and references
https://github.com/openpubkey/openpubkey/security/advisories/GHSA-537f-gxgm-3jjq.

Regards,
Salvatore