From f0ec05d0857bddcbb02dbd968c3e9381061518d0 Mon Sep 17 00:00:00 2001 From: Steve Karg Date: Tue, 10 Jun 2025 08:32:50 -0500 Subject: [PATCH] Updated SECURITY with known CVE. --- SECURITY.md | 31 ++++++++++++++++++++++++++++++- 1 file changed, 30 insertions(+), 1 deletion(-) diff --git a/SECURITY.md b/SECURITY.md index 7f7044b1..e03e372d 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -17,11 +17,40 @@ currently being supported with security updates. | 0.7.x | :x: | | < 0.6.x | :x: | + +## Coordinated Vulnerability Disclosure + +From time to time a vulnerability is disclosed to [CVE](https://www.cve.org/) +and a record is created to identify, define, and catalog publicly disclosed +cybersecurity vulnerabilities. + +Here are the known CVE records: + +[CVE-2023-38339](https://www.cve.org/CVERecord?id=CVE-2023-38339) - +Out of bounds jump in h_apdu.c:apdu_handler +[#79](https://sourceforge.net/p/bacnet/bugs/79/) + +[CVE-2023-38340](https://www.cve.org/CVERecord?id=CVE-2023-38340) - +Out of bounds accesses in bacnet_npdu_decode +[#80](https://sourceforge.net/auth/?return_to=/p/bacnet/bugs/80/) + +[CVE-2023-38341](https://www.cve.org/CVERecord?id=CVE-2023-38341) - +Multiple out-of-bounds accesses in bacerror code paths +[#81](https://sourceforge.net/p/bacnet/bugs/81/) + +[CVE-2019-12480](https://www.cve.org/CVERecord?id=CVE-2019-12480) - +Invalid read in bacserv when decoding alarm tags +[#62](https://sourceforge.net/p/bacnet/bugs/62/) + +[CVE-2018-10238](https://www.cve.org/CVERecord?id=CVE-2018-10238) - +Segmentation fault leading to denial of service +[#61](https://sourceforge.net/p/bacnet/bugs/61/) + ## Reporting a Vulnerability Please use the "bugs" feature of Sourceforge.net to report a vulnerability, where it will be tracked until it is resolved. https://sourceforge.net/p/bacnet/bugs/ -Vulnerabilities can also be reported using "issues" at Ghithub. +Vulnerabilities can also be reported using "issues" at Github. https://github.com/bacnet-stack/bacnet-stack/issues
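Review bot: The bug link for CVE-2023-38340 in the new "Coordinated Vulnerability Disclosure" section goes through the Sourceforge login redirect `https://sourceforge.net/auth/?return_to=/p/bacnet/bugs/80/` rather than the direct ticket URL used by the other four entries; change it to `https://sourceforge.net/p/bacnet/bugs/80/` so readers are not prompted to sign in. Each record would also be more useful to downstream users if it named the release that fixes it: the supported-versions table just above says which branches receive security updates, but nothing in the section says which version closed each CVE. Minor: "disclosed to CVE" reads oddly, since CVE is the catalog the record is published in; "assigned a CVE record" would be clearer.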