add one more fixed CVE, update list of incomplete ones from query 'project = RHIDP AND fixVersion = 1.2.5 and resolution is null and labels = SecurityTracking'; also add affected package and version metadata

Signed-off-by: Nick Boldt <[email protected]>

Author: nickboldt

modules/release-notes/list-fixed-security-issues-in-product-1.2.5.txt

@@ -1,13 +1,14 @@
+# CVE number, affected package, fixed in version(s), JIRA
+
 # not yet live; uncomment to generate CVE RN text
-# CVE-2024-43799
-# CVE-2024-37890
-# CVE-2024-45590
-# CVE-2024-45296
-# CVE-2024-47764
-# CVE-2024-43800
-# CVE-2024-48949 
+# CVE-2024-43799,send,0.19.0,RHIDP-3946
+# CVE-2024-43800,serve-static,1.16.0,RHIDP-3932
+# CVE-2024-45590,body-parser,1.20.3,RHIDP-3916
+# CVE-2024-45296,path-to-regexp,0.1.10||8.0.0,RHIDP-3897
+# CVE-2004-37890,ws,8.17.1||7.5.10||6.2.3||5.2.4,RHIDP-2733
 
 # these are live, pending the release of 1.2.5
-CVE-2024-21529
-CVE-2024-24791
-CVE-2024-39249
+CVE-2024-48949,elliptic,6.5.6,RHIDP-4417
+CVE-2024-21529,dset,3.1.4,RHIDP-3925
+CVE-2024-24791,net/http,go-toolset:1.21.13-2,RHIDP-3173
+CVE-2024-39249,async,2.6.4||3.2.5,RHIDP-3146

modules/release-notes/single-source-fixed-security-issues.sh

@@ -31,7 +31,7 @@ single_source_from_security_data () {
   echo -e "= ${title}" > "$destination"
   while IFS="" read -r cve || [ -n "$cve" ]; do
     if [[ ${cve} != "#"* ]] && [[ $cve != "" ]]; then # skip commented and blank lines
-      list_cleaned="${list_cleaned}\n${cve}"
+      list_cleaned="${list_cleaned}\n${cve%%,*}" # trim csv content after the CVE number
     fi
   done < "$list"
   list_cleaned=$(echo -e "$list_cleaned" | sort -uV)

modules/release-notes/snip-fixed-security-issues-in-product-1.2.5.adoc

@@ -8,3 +8,6 @@ A flaw was found in Go. The net/http module mishandles specific server responses
 
 link:https://access.redhat.com/security/cve/CVE-2024-39249[CVE-2024-39249]::
 A flaw was found in the async Node.js package. A Regular expression Denial of Service (ReDoS) attack can potentially be triggered via the autoinject function while parsing specially crafted input.
+
+link:https://access.redhat.com/security/cve/CVE-2024-48949[CVE-2024-48949]::
+A flaw was found in the Elliptic package. This vulnerability allows attackers to bypass EDDSA signature validation via improper handling of signature values where the S() component of the signature is not properly checked for being non-negative or smaller than the curve order.