| Name | CVE-2025-15467 |
| Description | Issue summary: Parsing CMS AuthEnvelopedData message with maliciously ... |
| Source | CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| References | DSA-6113-1 |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|
| openssl (PTS) | bullseye | 1.1.1w-0+deb11u1 | fixed |
| bullseye (security) | 1.1.1w-0+deb11u4 | fixed |
| bookworm | 3.0.18-1~deb12u1 | vulnerable |
| bookworm (security) | 3.0.18-1~deb12u2 | fixed |
| trixie | 3.5.4-1~deb13u1 | vulnerable |
| trixie (security) | 3.5.4-1~deb13u2 | fixed |
| forky, sid | 3.5.4-1 | vulnerable |
The information below is based on the following data on fixed versions.
Notes
[bullseye] - openssl <not-affected> (Vulnerable code introduced later)
https://openssl-library.org/news/secadv/20260127.txt
Fixed by: https://github.com/openssl/openssl/commit/d0071a0799f20cc8101730145349ed4487c268dc (openssl-3.5.5)
Fixed by: https://github.com/openssl/openssl/commit/9f6338e92c96ffc70b0223bf5da0c134a8eef9fb (openssl-3.5.5)
Test: https://github.com/openssl/openssl/commit/a114855991da05631cce17a52a143f10d80b4193 (openssl-3.5.5)
Fixed by: https://github.com/openssl/openssl/commit/ce39170276daec87f55c39dad1f629b56344429e (openssl-3.0.19)
Fixed by: https://github.com/openssl/openssl/commit/cdccf8f2ef17ae020bd69360c43a39306b89c381 (openssl-3.0.19)
Test: https://github.com/openssl/openssl/commit/e0666f72294691a808443970b654412a6d92fa0f (openssl-3.0.19)