
April 15, 2024

FLEXDEPLOY-12039 - The versions of Bouncy Castle that ship with FlexDeploy and its plugins are vulnerable to

  • CVE-2024-29857 - Importing an EC certificate with specially crafted F2m parameters can cause high CPU usage during parameter evaluation.

  • CVE-2024-30171 - Possible timing-based leakage in RSA-based handshakes caused by exception processing; this has been eliminated.

  • CVE-2024-30172 - Crafted signature and public key can be used to trigger an infinite loop in the Ed25519 verification code.

  • CVE-2024-301XX - When endpoint identification is enabled and an SSL socket is not created with an explicit hostname (as happens with HttpsURLConnection), hostname verification could be performed against a DNS-resolved IP address. This has been fixed.

These issues likely do not affect customers in any way based on the way Bouncy Castle is used in FlexDeploy, but a future release will contain updated versions.

March 15, 2024

FLEXDEPLOY-11432 - A path traversal vulnerability was discovered in FlexDeploy that affected versions 6.0.0.0-6.0.0.9, 6.5.0.0-6.5.0.15, and 7.0.0.0-7.0.0.3. This vulnerability is patched in versions 6.0.0.10, 6.5.0.16, 7.0.0.4, and 8.0.0.0. Upgrading to one of those versions is recommended.
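A small check for the advisory above, added here as an example and not part of FlexDeploy or its release notes: it parses a FlexDeploy version string, tests it against the affected ranges exactly as stated for FLEXDEPLOY-11432, and names the patched release for that line. The hostnames and version strings in the sample inventory are constructed.

```python
# Added example (not FlexDeploy's own code): decide whether an installed
# FlexDeploy version is in a range FLEXDEPLOY-11432 lists as affected by the
# path traversal issue, and which patched release closes it for that line.
from typing import Optional, Tuple

Version = Tuple[int, ...]

# (first affected, last affected, patched) per release line, as stated in the
# advisory; 8.0.0.0 is also patched and lies outside every affected range.
AFFECTED_RANGES = [
    ((6, 0, 0, 0), (6, 0, 0, 9), (6, 0, 0, 10)),
    ((6, 5, 0, 0), (6, 5, 0, 15), (6, 5, 0, 16)),
    ((7, 0, 0, 0), (7, 0, 0, 3), (7, 0, 0, 4)),
]


def parse_version(text: str) -> Version:
    """Parse a dotted version such as '6.5.0.15' into a 4-tuple of ints.

    Missing trailing components count as zero, so '7.0' == '7.0.0.0'.
    Raises ValueError for anything that is not one to four numeric parts."""
    parts = text.strip().split(".")
    if not parts or len(parts) > 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a FlexDeploy version string: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (4 - len(nums))


def affected_by_11432(text: str) -> Optional[str]:
    """Return the patched version to upgrade to if `text` is an affected
    release, or None if it falls outside every affected range."""
    v = parse_version(text)
    for low, high, fixed in AFFECTED_RANGES:
        if low <= v <= high:  # tuple comparison is component-wise
            return ".".join(map(str, fixed))
    return None


if __name__ == "__main__":
    # Constructed sample inventory; in practice the version string comes from
    # each FlexDeploy instance's About page or your deployment records.
    inventory = [("fd-prod", "6.5.0.12"), ("fd-dev", "7.0.0.4"), ("fd-qa", "8.0.0.0")]
    for host, ver in inventory:
        fix = affected_by_11432(ver)
        status = f"AFFECTED -> upgrade to {fix}" if fix else "not affected"
        print(f"{host:8} {ver:10} {status}")
```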

...