
fix: paragonie/sodium_compat - Missing check that a point is on the prime subgroup for Edwards25519#18391

Merged
snipe merged 1 commit into grokability:develop from ubc-cpsc:fix/PKSA-8x19-j2j3-bn67-sodium_compat
Jan 5, 2026

Conversation

@joelpittet
Contributor

@joelpittet joelpittet commented Jan 2, 2026

I saw some other PRs tackling the onelogin/php-saml #18380.

This one only targets:

+-------------------+----------------------------------------------------------------------------------+
| Package           | paragonie/sodium_compat                                                          |
| Severity          |                                                                                  |
| Advisory ID       | PKSA-8x19-j2j3-bn67                                                              |
| CVE               | NO CVE                                                                           |
| Title             | Missing check that a point is on the prime subgroup for Edwards25519             |
| URL               | https://00f.net/2025/12/30/libsodium-vulnerability                               |
| Affected versions | >=2,<2.5.0|<1.24.0                                                               |
| Reported at       | 2025-12-30T00:00:00+00:00                                                        |
+-------------------+----------------------------------------------------------------------------------+
~/Contrib/snipe-it develop 6s                                                                                                                                       13:49:08
❯ composer audit
Found 4 security vulnerability advisories affecting 4 packages:
+-------------------+----------------------------------------------------------------------------------+
| Package           | aws/aws-sdk-php                                                                  |
| Severity          | medium                                                                           |
| Advisory ID       | PKSA-dxyf-6n16-t87m                                                              |
| CVE               | CVE-2025-14761                                                                   |
| Title             | Key Commitment Issues in S3 Encryption Clients                                   |
| URL               | https://aws.amazon.com/security/security-bulletins/AWS-2025-032/                 |
| Affected versions | >=3.0.0,<3.368.0                                                                 |
| Reported at       | 2025-12-17T20:15:00+00:00                                                        |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package           | onelogin/php-saml                                                                |
| Severity          | critical                                                                         |
| Advisory ID       | PKSA-67d7-mg8j-87zx                                                              |
| CVE               | NO CVE                                                                           |
| Title             |  SAML PHP Toolkit Vulnerability on xmlseclibs CVE-2025-66475                     |
| URL               | https://github.com/advisories/GHSA-5j8p-438x-rgg5                                |
| Affected versions | >=4.0.0,<4.3.1|>=3.0.0,<3.8.1|<2.21.1                                            |
| Reported at       | 2025-12-09T17:24:09+00:00                                                        |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package           | paragonie/sodium_compat                                                          |
| Severity          |                                                                                  |
| Advisory ID       | PKSA-8x19-j2j3-bn67                                                              |
| CVE               | NO CVE                                                                           |
| Title             | Missing check that a point is on the prime subgroup for Edwards25519             |
| URL               | https://00f.net/2025/12/30/libsodium-vulnerability                               |
| Affected versions | >=2,<2.5.0|<1.24.0                                                               |
| Reported at       | 2025-12-30T00:00:00+00:00                                                        |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package           | robrichards/xmlseclibs                                                           |
| Severity          | medium                                                                           |
| Advisory ID       | PKSA-pcdf-qvqm-w4tv                                                              |
| CVE               | CVE-2025-66578                                                                   |
| Title             | robrichards/xmlseclibs has an Libxml2 Canonicalization error which can bypass    |
|                   | Digest/Signature validation                                                      |
| URL               | https://github.com/advisories/GHSA-c4cc-x928-vjw9                                |
| Affected versions | <=3.1.3                                                                          |
| Reported at       | 2025-12-08T17:57:33+00:00                                                        |
+-------------------+----------------------------------------------------------------------------------+
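The advisory in the table above only names the missing check. As an added illustration (not code from this PR, from snipe-it or from sodium_compat), here is that check on affine Edwards25519 coordinates using the standard RFC 8032 constants; the point names BASE, TORSION2 and MIXED are constructed for the demo:

```python
# Constructed example of the Edwards25519 prime-subgroup check (not sodium_compat's code).
P = 2**255 - 19                                      # field prime
D = (-121665 * pow(121666, P - 2, P)) % P            # twisted Edwards d
L = 2**252 + 27742317777372353535851937790883648493  # order of the prime subgroup
IDENTITY = (0, 1)                                    # neutral element

def on_curve(pt):
    """-x^2 + y^2 == 1 + d*x^2*y^2 (mod p): what a decoder verifies, and nothing more."""
    x, y = pt
    return (-x * x + y * y - 1 - D * x * x * y * y) % P == 0

def add(p1, p2):
    """Complete twisted Edwards addition (a = -1); denominators are never 0 on this curve."""
    (x1, y1), (x2, y2) = p1, p2
    k = D * x1 * x2 * y1 * y2
    x3 = (x1 * y2 + x2 * y1) * pow(1 + k, P - 2, P)
    y3 = (y1 * y2 + x1 * x2) * pow(1 - k, P - 2, P)
    return (x3 % P, y3 % P)

def scalar_mult(n, pt):
    """Plain double-and-add; inputs are public here, so no constant-time effort."""
    acc = IDENTITY
    while n:
        if n & 1:
            acc = add(acc, pt)
        pt, n = add(pt, pt), n >> 1
    return acc

def in_prime_subgroup(pt):
    """The missing check: L*P must be the identity (L is prime, so P has order 1 or L)."""
    return on_curve(pt) and scalar_mult(L, pt) == IDENTITY

def x_from_y(y):
    """Recover the even-x root for y, as RFC 8032 decompression does for sign bit 0."""
    x2 = (y * y - 1) * pow(D * y * y + 1, P - 2, P) % P
    x = pow(x2, (P + 3) // 8, P)                      # p = 5 (mod 8) square root
    if (x * x - x2) % P:
        x = x * pow(2, (P - 1) // 4, P) % P
    if (x * x - x2) % P:
        raise ValueError("no point with this y")
    return x if x % 2 == 0 else P - x

BASE_Y = 4 * pow(5, P - 2, P) % P
BASE = (x_from_y(BASE_Y), BASE_Y)     # generator of the prime subgroup
TORSION2 = (0, P - 1)                 # the order-2 point (0, -1): on the curve, off the subgroup
MIXED = add(BASE, TORSION2)           # order 2L: passes on_curve, fails in_prime_subgroup

if __name__ == "__main__":
    for name, pt in [("base", BASE), ("torsion2", TORSION2), ("mixed", MIXED)]:
        print(name, on_curve(pt), in_prime_subgroup(pt))
```

The identity itself passes this check by definition; libraries normally reject small-order points separately, which this block does not attempt.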

@joelpittet joelpittet requested a review from snipe as a code owner January 2, 2026 21:57
@snipe snipe merged commit 37773d3 into grokability:develop Jan 5, 2026
8 checks passed