git.stella-ops.org/datasets/golden-pairs/security-pairs-index.yaml
2026-01-20 00:45:38 +02:00


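---
# Golden Security Pairs Index
# 16 curated pairs per VALH-009 requirements
# Format: OpenSSL (8), zlib (4), libxml2 (4)
#
# Each entry under `pairs` records one before/after build of a library for
# one distribution. Field meanings below are inferred from the names and
# values in this file; confirm them against the VALH-009 schema.
#   id                 - pair identifier, <library>-NNN
#   cve                - CVE the pair is meant to exercise
#   library            - library name
#   version_before     - version on the unpatched side of the pair
#   version_after      - version on the patched side of the pair
#   distribution       - distro image tag
#   architecture       - CPU architecture of the binaries
#   affected_functions - functions expected to change between the two sides
#   patch_type         - classification of the change
#
# Version values are quoted so that a value such as "1.3" stays a string
# instead of being loaded as a float.
#
# NOTE(review): version_before/version_after look like upstream release
# numbers, while `distribution` names a distro image. Distro packages often
# backport security fixes without adopting the upstream version number, so
# confirm that every pair resolves to real package builds for that distro and
# that the fix is present on the "after" side only. A golden pair whose
# "after" build lacks the fix gives the harness a wrong ground truth.
pairs:
  # OpenSSL: 2 CVE micro-bumps x 4 distros = 8 pairs
  - id: openssl-001
    cve: CVE-2024-0727
    library: openssl
    version_before: "3.0.12"
    version_after: "3.0.13"
    distribution: ubuntu:jammy
    architecture: amd64
    affected_functions:
      - PKCS12_parse
      - PKCS12_verify_mac
    patch_type: security_fix
  - id: openssl-002
    cve: CVE-2024-0727
    library: openssl
    version_before: "3.0.12"
    version_after: "3.0.13"
    distribution: debian:bookworm
    architecture: amd64
    affected_functions:
      - PKCS12_parse
      - PKCS12_verify_mac
    patch_type: security_fix
  - id: openssl-003
    cve: CVE-2024-0727
    library: openssl
    version_before: "3.0.12"
    version_after: "3.0.13"
    distribution: fedora:39
    architecture: amd64
    affected_functions:
      - PKCS12_parse
      - PKCS12_verify_mac
    patch_type: security_fix
  - id: openssl-004
    cve: CVE-2024-0727
    library: openssl
    version_before: "3.0.12"
    version_after: "3.0.13"
    distribution: alpine:3.19
    architecture: amd64
    affected_functions:
      - PKCS12_parse
      - PKCS12_verify_mac
    patch_type: security_fix
  # NOTE(review): for CVE-2023-5678 (openssl-005 to openssl-008) the upstream
  # advisory, as far as I recall, names DH_generate_key and DH_check_pub_key
  # and places the fix in a later 3.0.x release than the version_after
  # recorded here. Verify the version window and the DH_check_ex entry against
  # the OpenSSL advisory before using these four pairs as ground truth.
  - id: openssl-005
    cve: CVE-2023-5678
    library: openssl
    version_before: "3.0.11"
    version_after: "3.0.12"
    distribution: ubuntu:jammy
    architecture: amd64
    affected_functions:
      - DH_generate_key
      - DH_check_ex
    patch_type: security_fix
  - id: openssl-006
    cve: CVE-2023-5678
    library: openssl
    version_before: "3.0.11"
    version_after: "3.0.12"
    distribution: debian:bookworm
    architecture: amd64
    affected_functions:
      - DH_generate_key
      - DH_check_ex
    patch_type: security_fix
  - id: openssl-007
    cve: CVE-2023-5678
    library: openssl
    version_before: "3.0.11"
    version_after: "3.0.12"
    distribution: fedora:39
    architecture: amd64
    affected_functions:
      - DH_generate_key
      - DH_check_ex
    patch_type: security_fix
  - id: openssl-008
    cve: CVE-2023-5678
    library: openssl
    version_before: "3.0.11"
    version_after: "3.0.12"
    distribution: alpine:3.19
    architecture: amd64
    affected_functions:
      - DH_generate_key
      - DH_check_ex
    patch_type: security_fix
  # zlib: 1 minor security patch x 4 distros = 4 pairs
  # NOTE(review): CVE-2023-45853 is described upstream as an integer overflow
  # in the MiniZip contrib code (zipOpenNewFileInZip4_64), not in the core
  # deflate/inflate paths listed below, and the advisory wording covers
  # releases through the one recorded as version_after. Verify that the
  # "after" side really contains the fix and that affected_functions matches
  # the patched code; otherwise the harness scores against unrelated changes.
  - id: zlib-001
    cve: CVE-2023-45853
    library: zlib
    version_before: "1.2.13"
    version_after: "1.3"
    distribution: ubuntu:jammy
    architecture: amd64
    affected_functions:
      - deflate
      - deflateEnd
      - inflateSync
    patch_type: security_fix
  - id: zlib-002
    cve: CVE-2023-45853
    library: zlib
    version_before: "1.2.13"
    version_after: "1.3"
    distribution: debian:bookworm
    architecture: amd64
    affected_functions:
      - deflate
      - deflateEnd
      - inflateSync
    patch_type: security_fix
  - id: zlib-003
    cve: CVE-2023-45853
    library: zlib
    version_before: "1.2.13"
    version_after: "1.3"
    distribution: fedora:39
    architecture: amd64
    affected_functions:
      - deflate
      - deflateEnd
      - inflateSync
    patch_type: security_fix
  - id: zlib-004
    cve: CVE-2023-45853
    library: zlib
    version_before: "1.2.13"
    version_after: "1.3"
    distribution: alpine:3.19
    architecture: amd64
    affected_functions:
      - deflate
      - deflateEnd
      - inflateSync
    patch_type: security_fix
  # libxml2: 1 parser bugfix x 4 distros = 4 pairs
  # NOTE(review): the advisory for CVE-2024-25062 describes a use-after-free
  # in xmlValidatePopElement, reached through the XML Reader interface with
  # DTD validation and XInclude expansion enabled, and the fixed 2.12.x
  # release appears to be later than the version_after recorded here. Verify
  # the version window and affected_functions, and whether patch_type should
  # be security_fix like the other CVE-backed pairs.
  - id: libxml2-001
    cve: CVE-2024-25062
    library: libxml2
    version_before: "2.12.3"
    version_after: "2.12.4"
    distribution: ubuntu:jammy
    architecture: amd64
    affected_functions:
      - xmlParseChunk
      - xmlParseDocument
      - xmlCtxtReadMemory
    patch_type: parser_fix
  - id: libxml2-002
    cve: CVE-2024-25062
    library: libxml2
    version_before: "2.12.3"
    version_after: "2.12.4"
    distribution: debian:bookworm
    architecture: amd64
    affected_functions:
      - xmlParseChunk
      - xmlParseDocument
      - xmlCtxtReadMemory
    patch_type: parser_fix
  - id: libxml2-003
    cve: CVE-2024-25062
    library: libxml2
    version_before: "2.12.3"
    version_after: "2.12.4"
    distribution: fedora:39
    architecture: amd64
    affected_functions:
      - xmlParseChunk
      - xmlParseDocument
      - xmlCtxtReadMemory
    patch_type: parser_fix
  - id: libxml2-004
    cve: CVE-2024-25062
    library: libxml2
    version_before: "2.12.3"
    version_after: "2.12.4"
    distribution: alpine:3.19
    architecture: amd64
    affected_functions:
      - xmlParseChunk
      - xmlParseDocument
      - xmlCtxtReadMemory
    patch_type: parser_fix

metadata:
  version: "1.0"
  created: "2026-01-19"
  description: "Starter corpus with 16 security pairs for validation harness (VALH-009)"
  # Per-library pair counts; these match the entries listed under `pairs`
  # (8 + 4 + 4 = 16) and have to be updated whenever a pair is added or removed.
  # NOTE(review): `total` is placed inside `coverage` here; confirm that this
  # matches the nesting the consumer expects.
  coverage:
    openssl: 8
    zlib: 4
    libxml2: 4
    total: 16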