14 matches found
CLSA-2025-1751550314 openssl: Fix of CVE-2024-12797
RFC7250 handshakes with unauthenticated servers don't abort as expected (CVE-2024-12797) Resolves: RHEL-76755...
DNS Rebinding
@modelcontextprotocol/sdk is vulnerable to DNS Rebinding. The vulnerability is due to DNS rebinding protection being disabled by default in unauthenticated HTTP-based servers, which allows an attacker to exploit a malicious website to bypass same-origin policy and send requests to the local MCP...
libsoup: Stack-Based Buffer Overflow in libsoup Multipart Response Parsing
A flaw was found in libsoup. This stack-based buffer overflow vulnerability occurs during the parsing of multipart HTTP responses due to an incorrect length calculation. A remote attacker can exploit this by sending a specially crafted multipart HTTP response, which can lead to memory corruption...
Insecure Default Initialization of Resource
Overview: mcp is a Model Context Protocol SDK. Affected versions of this package are vulnerable to Insecure Default Initialization of Resource for the DNS rebinding protection that is not enabled by default for HTTP-based servers running on localhost without authentication using FastMCP. An attacke...
GHSA-9H52-P55H-VW2F Model Context Protocol (MCP) Python SDK does not enable DNS rebinding protection by default
Description: The Model Context Protocol (MCP) Python SDK does not enable DNS rebinding protection by default for HTTP-based servers. When an HTTP-based MCP server is run on localhost without authentication using FastMCP with streamable HTTP or SSE transport, and has not configured...
RFC7250 handshakes with unauthenticated servers don't abort as expected
...
FreeBSD : OpenSSL -- Man-in-the-Middle vulnerability (a64761a1-e895-11ef-873e-8447094a420f)
The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the a64761a1-e895-11ef-873e-8447094a420f advisory. The OpenSSL project reports: RFC7250 handshakes with unauthenticated servers don't abort as expected...
Important: Red Hat Security Advisory: openssl security update
An update for openssl is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from t...
CVE-2024-12797 RFC7250 handshakes with unauthenticated servers don't abort as expected
Issue summary: Clients using RFC7250 Raw Public Keys (RPKs) to authenticate a server may fail to notice that the server was not authenticated, because handshakes don't abort as expected when the SSL_VERIFY_PEER verification mode is set. Impact summary: TLS and DTLS connections using raw public keys m...
CVE-2024-12797
Issue summary: Clients using RFC7250 Raw Public Keys (RPKs) to authenticate a server may fail to notice that the server was not authenticated, because handshakes don't abort as expected when the SSL_VERIFY_PEER verification mode is set. Impact summary: TLS and DTLS connections using raw public keys m...
Important: openssl security update
OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, as well as a full-strength general-purpose cryptography library. Security Fixes: openssl: RFC7250 handshakes with unauthenticated servers don't abort as expected (CVE-2024-12797) For more...
OpenSSL -- Man-in-the-Middle vulnerability
The OpenSSL project reports: RFC7250 handshakes with unauthenticated servers don't abort as expected (High). Clients using RFC7250 Raw Public Keys (RPKs) to authenticate a server may fail to notice that the server was not authenticated, because handshakes don't abort as expected when the SSLVERIFYPEE...
ALSA-2025:1330 Important: openssl security update
OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, as well as a full-strength general-purpose cryptography library. Security Fixes: openssl: RFC7250 handshakes with unauthenticated servers don't abort as expected (CVE-2024-12797) For more...
ntp: DoS on client ntpd using server mode packet
A flaw was found in the Network Time Protocol (NTP), where a security issue exists that allows an off-path attacker to prevent the Network Time Protocol daemon (ntpd) from synchronizing with NTP servers not using authentication. A server mode packet with a spoofed source address sent to the client nt...