git: 894d2b9662fa - main - security/vuxml: Document vulnerability for net-im/dendrite

From: Ashish SHUKLA <ashish_at_FreeBSD.org>
Date: Mon, 12 Sep 2022 12:58:36 UTC 
The branch main has been updated by ashish:

URL: https://cgit.FreeBSD.org/ports/commit/?id=894d2b9662fa0ab0003e21fd8aee433bdf08e3ec

commit 894d2b9662fa0ab0003e21fd8aee433bdf08e3ec
Author:     Ashish SHUKLA <ashish@FreeBSD.org>
AuthorDate: 2022-09-12 12:53:25 +0000
Commit:     Ashish SHUKLA <ashish@FreeBSD.org>
CommitDate: 2022-09-12 12:56:53 +0000

    security/vuxml: Document vulnerability for net-im/dendrite
---
 security/vuxml/vuln-2022.xml | 31 +++++++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)

diff --git a/security/vuxml/vuln-2022.xml b/security/vuxml/vuln-2022.xml
index d355a810401b..b0bb4fbf124a 100644
--- a/security/vuxml/vuln-2022.xml
+++ b/security/vuxml/vuln-2022.xml
@@ -1,3 +1,34 @@
+  <vuln vid="4ebaa983-3299-11ed-95f8-901b0e9408dc">
+    <topic>dendrite -- Signature checks not applied to some retrieved missing events</topic>
+    <affects>
+      <package>
+	<name>dendrite</name>
+	<range><lt>0.9.8</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>Dendrite team reports:</p>
+	<blockquote cite="https://github.com/matrix-org/dendrite/security/advisories/GHSA-pfw4-xjgm-267c">
+	  <p>Events retrieved from a remote homeserver using /get_missing_events did
+	  not have their signatures verified correctly. This could potentially allow
+	  a remote homeserver to provide invalid/modified events to Dendrite via this
+	  endpoint.</p>
+	  <p>Note that this does not apply to events retrieved through other endpoints
+	  (e.g. /event, /state) as they have been correctly verified.</p>
+	  <p>Homeservers that have federation disabled are not vulnerable.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <url>https://github.com/matrix-org/dendrite/security/advisories/GHSA-pfw4-xjgm-267c</url>
+    </references>
+    <dates>
+      <discovery>2022-09-12</discovery>
+      <entry>2022-09-12</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="f75722ce-31b0-11ed-8b56-0800277bb8a8">
     <topic>gitea -- multiple issues</topic>
     <affects>