diff --git a/reports/ghaf-23.06/data.csv b/reports/ghaf-23.06/data.csv index 0f50f51..56ad9a4 100644 --- a/reports/ghaf-23.06/data.csv +++ b/reports/ghaf-23.06/data.csv @@ -1,4 +1,5 @@ "target","flakeref","pintype","vuln_id","url","package","severity","version_local","version_nixpkgs","version_upstream","package_repology","sortcol","whitelist","whitelist_comment","classify","nixpkgs_pr" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","current","GHSA-qqvq-6xgj-jw8g","https://osv.dev/GHSA-qqvq-6xgj-jw8g","electron","","25.1.1","26.2.4","26.3.0","electron","2023A1696464000","False","","err_not_vulnerable_based_on_repology","" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","current","GHSA-j7hp-h8jx-5ppr","https://osv.dev/GHSA-j7hp-h8jx-5ppr","electron","","25.1.1","26.2.4","26.3.0","electron","2023A1696291200","False","","err_not_vulnerable_based_on_repology","" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","current","GHSA-6898-wx94-8jq8","https://osv.dev/GHSA-6898-wx94-8jq8","libnotify","","0.8.2","","","","2023A1694131200","True","Incorrect package: Issue refers node-libnotify https://github.com/mytrile/node-libnotify, whereas nixpkgs refers gnome-libnotify https://gitlab.gnome.org/GNOME/libnotify.","err_missing_repology_version","" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","current","GHSA-7x97-j373-85x5","https://osv.dev/GHSA-7x97-j373-85x5","electron","","25.1.1","26.2.4","26.3.0","electron","2023A1693958400","False","Nixpkgs fix PR: https://github.com/NixOS/nixpkgs/pull/251189.","err_not_vulnerable_based_on_repology","" 
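Review bot: the new GHSA-qqvq-6xgj-jw8g electron row leaves whitelist_comment and nixpkgs_pr empty, while the GHSA-7x97-j373-85x5 electron row in the same hunk records its fix ("Nixpkgs fix PR: https://github.com/NixOS/nixpkgs/pull/251189."); with version_local 25.1.1 below version_nixpkgs 26.2.4 and classify err_not_vulnerable_based_on_repology, a reader cannot tell whether the advisory was checked against the pinned 25.1.1 or only auto-classified. Record the triage rationale (the affected range from the OSV entry, or the fix PR) in whitelist_comment as the sibling row does. Also note that severity is empty for all three electron GHSA rows, so the rendered report will show a blank severity for them.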
@@ -15,12 +16,12 @@ https://github.com/NixOS/nixpkgs/pull/254541 https://github.com/NixOS/nixpkgs/pull/258619" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","current","CVE-2023-39956","https://nvd.nist.gov/vuln/detail/CVE-2023-39956","electron","6.6","25.1.1","26.2.4","26.3.0","electron","2023A0000039956","False","","fix_update_to_version_nixpkgs","" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","current","CVE-2023-39742","https://nvd.nist.gov/vuln/detail/CVE-2023-39742","giflib","5.5","5.2.1","5.2.1","5.2.1","giflib","2023A0000039742","False","","fix_not_available","" -"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","current","CVE-2023-39533","https://nvd.nist.gov/vuln/detail/CVE-2023-39533","go","7.5","1.20.4","1.21.1","1.21.1","go","2023A0000039533","False","It's unclear if the vulnerable go pacakge 'go-libp2p' is actually used by anything Ghaf depends-on. The issue is included here, since NVD CPE refers go compiler 'golang:go' up to version 1.20.6. As soon as the nixpkgs PR that updates to go 1.20.7 (https://github.com/NixOS/nixpkgs/pull/246663) is in Ghaf, this issue should no longer be included in the reports.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/253738" -"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","current","CVE-2023-39533","https://nvd.nist.gov/vuln/detail/CVE-2023-39533","go","7.5","1.17.13-linux-amd64-bootstrap","1.21.1","1.21.1","go","2023A0000039533","False","It's unclear if the vulnerable go pacakge 'go-libp2p' is actually used by anything Ghaf depends-on. The issue is included here, since NVD CPE refers go compiler 'golang:go' up to version 1.20.6. 
As soon as the nixpkgs PR that updates to go 1.20.7 (https://github.com/NixOS/nixpkgs/pull/246663) is in Ghaf, this issue should no longer be included in the reports.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/253738" -"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","current","CVE-2023-39319","https://nvd.nist.gov/vuln/detail/CVE-2023-39319","go","6.1","1.20.4","1.21.1","1.21.1","go","2023A0000039319","False","","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/253738" -"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","current","CVE-2023-39319","https://nvd.nist.gov/vuln/detail/CVE-2023-39319","go","6.1","1.17.13-linux-amd64-bootstrap","1.21.1","1.21.1","go","2023A0000039319","False","","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/253738" -"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","current","CVE-2023-39318","https://nvd.nist.gov/vuln/detail/CVE-2023-39318","go","6.1","1.20.4","1.21.1","1.21.1","go","2023A0000039318","False","","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/253738" -"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","current","CVE-2023-39318","https://nvd.nist.gov/vuln/detail/CVE-2023-39318","go","6.1","1.17.13-linux-amd64-bootstrap","1.21.1","1.21.1","go","2023A0000039318","False","","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/253738" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","current","CVE-2023-39533","https://nvd.nist.gov/vuln/detail/CVE-2023-39533","go","7.5","1.20.4","1.21.1","1.21.2","go","2023A0000039533","False","It's unclear if the vulnerable go pacakge 'go-libp2p' is actually used by anything Ghaf depends-on. The issue is included here, since NVD CPE refers go compiler 'golang:go' up to version 1.20.6. 
As soon as the nixpkgs PR that updates to go 1.20.7 (https://github.com/NixOS/nixpkgs/pull/246663) is in Ghaf, this issue should no longer be included in the reports.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/253738" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","current","CVE-2023-39533","https://nvd.nist.gov/vuln/detail/CVE-2023-39533","go","7.5","1.17.13-linux-amd64-bootstrap","1.21.1","1.21.2","go","2023A0000039533","False","It's unclear if the vulnerable go pacakge 'go-libp2p' is actually used by anything Ghaf depends-on. The issue is included here, since NVD CPE refers go compiler 'golang:go' up to version 1.20.6. As soon as the nixpkgs PR that updates to go 1.20.7 (https://github.com/NixOS/nixpkgs/pull/246663) is in Ghaf, this issue should no longer be included in the reports.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/253738" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","current","CVE-2023-39319","https://nvd.nist.gov/vuln/detail/CVE-2023-39319","go","6.1","1.20.4","1.21.1","1.21.2","go","2023A0000039319","False","","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/253738" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","current","CVE-2023-39319","https://nvd.nist.gov/vuln/detail/CVE-2023-39319","go","6.1","1.17.13-linux-amd64-bootstrap","1.21.1","1.21.2","go","2023A0000039319","False","","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/253738" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","current","CVE-2023-39318","https://nvd.nist.gov/vuln/detail/CVE-2023-39318","go","6.1","1.20.4","1.21.1","1.21.2","go","2023A0000039318","False","","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/253738" 
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","current","CVE-2023-39318","https://nvd.nist.gov/vuln/detail/CVE-2023-39318","go","6.1","1.17.13-linux-amd64-bootstrap","1.21.1","1.21.2","go","2023A0000039318","False","","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/253738" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","current","CVE-2023-38858","https://nvd.nist.gov/vuln/detail/CVE-2023-38858","faad2","6.5","2.10.1","2.10.1","2.10.1","faad2","2023A0000038858","False","","fix_not_available","" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","current","CVE-2023-38857","https://nvd.nist.gov/vuln/detail/CVE-2023-38857","faad2","5.5","2.10.1","2.10.1","2.10.1","faad2","2023A0000038857","False","","fix_not_available","" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","current","CVE-2023-38633","https://nvd.nist.gov/vuln/detail/CVE-2023-38633","librsvg","5.5","2.55.1","2.56.3","2.57.0","librsvg","2023A0000038633","False","Nixpkgs fix PR: https://github.com/NixOS/nixpkgs/pull/246763.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/246763 
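Review bot: the six go rows only bump version_upstream from 1.21.1 to 1.21.2, but they re-add a whitelist_comment that is stale and misspelled: it still says "As soon as the nixpkgs PR that updates to go 1.20.7 (https://github.com/NixOS/nixpkgs/pull/246663) is in Ghaf, this issue should no longer be included in the reports" while version_nixpkgs on the same rows is already 1.21.1 and nixpkgs_pr points at https://github.com/NixOS/nixpkgs/pull/253738, and "pacakge" should be "package". The identical text appears on both the 1.20.4 and the 1.17.13-linux-amd64-bootstrap rows (and again in the lock_updated section below), so fix it once where the rows are generated rather than in the CSV. Separately, the 1.17.13-linux-amd64-bootstrap rows get the same fix_update_to_version_nixpkgs classification and the same PR as the 1.20.4 rows, yet a go version bump does not obviously touch a pinned bootstrap toolchain; state in the comment whether that package is reachable at runtime or build-time only, so the duplicate rows do not read as a second unpatched copy of go.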
@@ -51,9 +52,9 @@ https://github.com/NixOS/nixpkgs/pull/256402" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","current","CVE-2023-30571","https://nvd.nist.gov/vuln/detail/CVE-2023-30571","libarchive","5.3","3.6.2","3.6.2","3.7.2","libarchive","2023A0000030571","False","No upstream fix available, see: https://github.com/libarchive/libarchive/issues/1876.","fix_update_to_version_upstream","https://github.com/NixOS/nixpkgs/pull/244713 https://github.com/NixOS/nixpkgs/pull/256930" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","current","CVE-2023-30402","https://nvd.nist.gov/vuln/detail/CVE-2023-30402","yasm","5.5","1.3.0","","","","2023A0000030402","True","Crash in CLI tool, no security impact.","err_missing_repology_version","" -"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","current","CVE-2023-29409","https://nvd.nist.gov/vuln/detail/CVE-2023-29409","go","5.3","1.20.4","1.21.1","1.21.1","go","2023A0000029409","False","See: https://github.com/golang/go/issues/61580, fixed by update to go 1.20.7: nixpkgs PR https://github.com/NixOS/nixpkgs/pull/246663.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/247034 +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","current","CVE-2023-29409","https://nvd.nist.gov/vuln/detail/CVE-2023-29409","go","5.3","1.20.4","1.21.1","1.21.2","go","2023A0000029409","False","See: https://github.com/golang/go/issues/61580, fixed by update to go 1.20.7: nixpkgs PR https://github.com/NixOS/nixpkgs/pull/246663.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/247034 https://github.com/NixOS/nixpkgs/pull/253738" 
-"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","current","CVE-2023-29409","https://nvd.nist.gov/vuln/detail/CVE-2023-29409","go","5.3","1.17.13-linux-amd64-bootstrap","1.21.1","1.21.1","go","2023A0000029409","False","See: https://github.com/golang/go/issues/61580, fixed by update to go 1.20.7: nixpkgs PR https://github.com/NixOS/nixpkgs/pull/246663.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/247034 +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","current","CVE-2023-29409","https://nvd.nist.gov/vuln/detail/CVE-2023-29409","go","5.3","1.17.13-linux-amd64-bootstrap","1.21.1","1.21.2","go","2023A0000029409","False","See: https://github.com/golang/go/issues/61580, fixed by update to go 1.20.7: nixpkgs PR https://github.com/NixOS/nixpkgs/pull/246663.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/247034 https://github.com/NixOS/nixpkgs/pull/253738" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","current","CVE-2023-29406","https://nvd.nist.gov/vuln/detail/CVE-2023-29406","go","6.5","1.20.4","","","","2023A0000029406","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version","" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","current","CVE-2023-29406","https://nvd.nist.gov/vuln/detail/CVE-2023-29406","go","6.5","1.17.13-linux-amd64-bootstrap","","","","2023A0000029406","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version","" 
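Review bot: the CVE-2023-29409 comment says "fixed by update to go 1.20.7: nixpkgs PR https://github.com/NixOS/nixpkgs/pull/246663", but the nixpkgs_pr column on the same rows lists https://github.com/NixOS/nixpkgs/pull/247034 and https://github.com/NixOS/nixpkgs/pull/253738, not 246663, and version_nixpkgs is already 1.21.1. Either the comment or the PR list is out of date; align them so the report gives one answer for which PR closes the issue. The bump of version_upstream to 1.21.2 leaves the classification unchanged, so say whether 1.21.2 matters for this CVE or is just a refresh of the column.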
@@ -66,7 +67,7 @@ https://github.com/NixOS/nixpkgs/pull/253738" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","current","CVE-2023-29402","https://nvd.nist.gov/vuln/detail/CVE-2023-29402","go","9.8","1.20.4","","","","2023A0000029402","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version","" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","current","CVE-2023-29402","https://nvd.nist.gov/vuln/detail/CVE-2023-29402","go","9.8","1.17.13-linux-amd64-bootstrap","","","","2023A0000029402","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version","" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","current","CVE-2023-29400","https://nvd.nist.gov/vuln/detail/CVE-2023-29400","go","7.3","1.17.13-linux-amd64-bootstrap","","","","2023A0000029400","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version","" -"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","current","CVE-2023-29383","https://nvd.nist.gov/vuln/detail/CVE-2023-29383","shadow","3.3","4.13","4.14.0","4.14.0","shadow","2023A0000029383","False","Pending merge for nixpkgs master PR: https://github.com/NixOS/nixpkgs/pull/233924. TODO: consider taking the upstream version update to 4.14 instead: https://github.com/shadow-maint/shadow/releases.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/254143" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","current","CVE-2023-29383","https://nvd.nist.gov/vuln/detail/CVE-2023-29383","shadow","3.3","4.13","4.14.0","4.14.1","shadow","2023A0000029383","False","Pending merge for nixpkgs master PR: https://github.com/NixOS/nixpkgs/pull/233924. 
TODO: consider taking the upstream version update to 4.14 instead: https://github.com/shadow-maint/shadow/releases.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/254143" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","current","CVE-2023-28115","https://nvd.nist.gov/vuln/detail/CVE-2023-28115","snappy","9.8","1.1.10","","","","2023A0000028115","True","Incorrect package: Issue concerns snappy php library: https://github.com/KnpLabs/snappy, whereas, nixpkgs ""snappy"" refers snappy compression library: https://google.github.io/snappy/. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96.","err_missing_repology_version","" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","current","CVE-2023-26966","https://nvd.nist.gov/vuln/detail/CVE-2023-26966","libtiff","5.5","4.5.0","4.5.1","4.6.0","tiff","2023A0000026966","False","","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/239544 https://github.com/NixOS/nixpkgs/pull/239595" 
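Review bot: the CVE-2023-29383 shadow rows still read "Pending merge for nixpkgs master PR: https://github.com/NixOS/nixpkgs/pull/233924" and "TODO: consider taking the upstream version update to 4.14 instead", yet version_nixpkgs on the same row is already 4.14.0 and nixpkgs_pr points at https://github.com/NixOS/nixpkgs/pull/254143; this change only bumps version_upstream to 4.14.1 and re-adds the stale text. Resolve the TODO in the comment: either 4.14.0 in nixpkgs carries the fix and the comment should say so, or it does not, in which case 4.14.1 is the real target and classify should be fix_update_to_version_upstream rather than fix_update_to_version_nixpkgs.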
@@ -89,6 +90,7 @@ https://github.com/NixOS/nixpkgs/pull/239595" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","current","CVE-2023-24536","https://nvd.nist.gov/vuln/detail/CVE-2023-24536","go","7.5","1.17.13-linux-amd64-bootstrap","","","","2023A0000024536","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version","" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","current","CVE-2023-24534","https://nvd.nist.gov/vuln/detail/CVE-2023-24534","go","7.5","1.17.13-linux-amd64-bootstrap","","","","2023A0000024534","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version","" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","current","CVE-2023-24532","https://nvd.nist.gov/vuln/detail/CVE-2023-24532","go","5.3","1.17.13-linux-amd64-bootstrap","","","","2023A0000024532","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","current","CVE-2023-5344","https://nvd.nist.gov/vuln/detail/CVE-2023-5344","vim","7.5","9.0.1441","9.0.1897","9.0.1976","vim","2023A0000005344","False","","fix_update_to_version_upstream","" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","current","CVE-2023-5156","https://nvd.nist.gov/vuln/detail/CVE-2023-5156","glibc","7.5","2.37-8","2.37-8","2.38","glibc","2023A0000005156","False","","fix_not_available","" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","current","CVE-2023-4863","https://nvd.nist.gov/vuln/detail/CVE-2023-4863","libwebp","8.8","1.3.0","1.3.2","1.3.2","libwebp","2023A0000004863","False","","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/255169 https://github.com/NixOS/nixpkgs/pull/255786 
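Review bot: the new CVE-2023-5344 vim row is classified fix_update_to_version_upstream (version_local 9.0.1441, version_nixpkgs 9.0.1897, version_upstream 9.0.1976) but has an empty whitelist_comment and an empty nixpkgs_pr, so nothing in the row says which vim patch level fixes the issue or why the nixpkgs 9.0.1897 is judged still affected. Add the fixed version or the NVD affected range to whitelist_comment, as the librsvg row does with "Nixpkgs fix PR: https://github.com/NixOS/nixpkgs/pull/246763.", so the next version_nixpkgs bump can be checked against it instead of re-triaged.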
@@ -322,9 +324,9 @@ https://github.com/NixOS/nixpkgs/pull/84664" https://github.com/NixOS/nixpkgs/pull/258350" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","lock_updated","CVE-2023-41330","https://nvd.nist.gov/vuln/detail/CVE-2023-41330","snappy","9.8","1.1.10","","","","2023A0000041330","True","Incorrect package: Issue concerns snappy php library: https://github.com/KnpLabs/snappy, whereas, nixpkgs ""snappy"" refers snappy compression library: https://google.github.io/snappy/. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96.","err_missing_repology_version","" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","lock_updated","CVE-2023-39742","https://nvd.nist.gov/vuln/detail/CVE-2023-39742","giflib","5.5","5.2.1","5.2.1","5.2.1","giflib","2023A0000039742","False","","fix_not_available","" -"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","lock_updated","CVE-2023-39533","https://nvd.nist.gov/vuln/detail/CVE-2023-39533","go","7.5","1.17.13-linux-amd64-bootstrap","1.21.1","1.21.1","go","2023A0000039533","False","It's unclear if the vulnerable go pacakge 'go-libp2p' is actually used by anything Ghaf depends-on. The issue is included here, since NVD CPE refers go compiler 'golang:go' up to version 1.20.6. 
As soon as the nixpkgs PR that updates to go 1.20.7 (https://github.com/NixOS/nixpkgs/pull/246663) is in Ghaf, this issue should no longer be included in the reports.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/253738" -"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","lock_updated","CVE-2023-39319","https://nvd.nist.gov/vuln/detail/CVE-2023-39319","go","6.1","1.17.13-linux-amd64-bootstrap","1.21.1","1.21.1","go","2023A0000039319","False","","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/253738" -"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","lock_updated","CVE-2023-39318","https://nvd.nist.gov/vuln/detail/CVE-2023-39318","go","6.1","1.17.13-linux-amd64-bootstrap","1.21.1","1.21.1","go","2023A0000039318","False","","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/253738" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","lock_updated","CVE-2023-39533","https://nvd.nist.gov/vuln/detail/CVE-2023-39533","go","7.5","1.17.13-linux-amd64-bootstrap","1.21.1","1.21.2","go","2023A0000039533","False","It's unclear if the vulnerable go pacakge 'go-libp2p' is actually used by anything Ghaf depends-on. The issue is included here, since NVD CPE refers go compiler 'golang:go' up to version 1.20.6. 
As soon as the nixpkgs PR that updates to go 1.20.7 (https://github.com/NixOS/nixpkgs/pull/246663) is in Ghaf, this issue should no longer be included in the reports.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/253738" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","lock_updated","CVE-2023-39319","https://nvd.nist.gov/vuln/detail/CVE-2023-39319","go","6.1","1.17.13-linux-amd64-bootstrap","1.21.1","1.21.2","go","2023A0000039319","False","","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/253738" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","lock_updated","CVE-2023-39318","https://nvd.nist.gov/vuln/detail/CVE-2023-39318","go","6.1","1.17.13-linux-amd64-bootstrap","1.21.1","1.21.2","go","2023A0000039318","False","","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/253738" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","lock_updated","CVE-2023-38858","https://nvd.nist.gov/vuln/detail/CVE-2023-38858","faad2","6.5","2.10.1","2.10.1","2.10.1","faad2","2023A0000038858","False","","fix_not_available","" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","lock_updated","CVE-2023-38857","https://nvd.nist.gov/vuln/detail/CVE-2023-38857","faad2","5.5","2.10.1","2.10.1","2.10.1","faad2","2023A0000038857","False","","fix_not_available","" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","lock_updated","CVE-2023-38039","https://nvd.nist.gov/vuln/detail/CVE-2023-38039","curl","7.5","8.1.1","8.3.0","8.3.0","curl","2023A0000038039","False","","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/254962 
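Review bot: these lock_updated go rows repeat, word for word, the stale "go 1.20.7 / PR 246663" comment and the "pacakge" typo from the current-pintype rows above, and within this hunk the only go entry left is 1.17.13-linux-amd64-bootstrap. That undercuts the comment's own claim: the lock update has evidently moved go itself past 1.20.7, and the bootstrap row is still reported, so "this issue should no longer be included in the reports" is already contradicted. Give the bootstrap rows a comment that addresses the bootstrap toolchain specifically (build-time only or not, and what would clear the finding) and drop the 1.20.7 sentence.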
@@ -345,7 +347,7 @@ https://github.com/NixOS/nixpkgs/pull/256402" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","lock_updated","CVE-2023-30571","https://nvd.nist.gov/vuln/detail/CVE-2023-30571","libarchive","5.3","3.6.2","3.6.2","3.7.2","libarchive","2023A0000030571","False","No upstream fix available, see: https://github.com/libarchive/libarchive/issues/1876.","fix_update_to_version_upstream","https://github.com/NixOS/nixpkgs/pull/244713 https://github.com/NixOS/nixpkgs/pull/256930" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","lock_updated","CVE-2023-30402","https://nvd.nist.gov/vuln/detail/CVE-2023-30402","yasm","5.5","1.3.0","","","","2023A0000030402","True","Crash in CLI tool, no security impact.","err_missing_repology_version","" -"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","lock_updated","CVE-2023-29409","https://nvd.nist.gov/vuln/detail/CVE-2023-29409","go","5.3","1.17.13-linux-amd64-bootstrap","1.21.1","1.21.1","go","2023A0000029409","False","See: https://github.com/golang/go/issues/61580, fixed by update to go 1.20.7: nixpkgs PR https://github.com/NixOS/nixpkgs/pull/246663.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/247034 +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","lock_updated","CVE-2023-29409","https://nvd.nist.gov/vuln/detail/CVE-2023-29409","go","5.3","1.17.13-linux-amd64-bootstrap","1.21.1","1.21.2","go","2023A0000029409","False","See: https://github.com/golang/go/issues/61580, fixed by update to go 1.20.7: nixpkgs PR https://github.com/NixOS/nixpkgs/pull/246663.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/247034 https://github.com/NixOS/nixpkgs/pull/253738" 
"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","lock_updated","CVE-2023-29406","https://nvd.nist.gov/vuln/detail/CVE-2023-29406","go","6.5","1.17.13-linux-amd64-bootstrap","","","","2023A0000029406","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version","" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","lock_updated","CVE-2023-29405","https://nvd.nist.gov/vuln/detail/CVE-2023-29405","go","9.8","1.17.13-linux-amd64-bootstrap","","","","2023A0000029405","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version","" 
@@ -353,7 +355,7 @@ https://github.com/NixOS/nixpkgs/pull/253738" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","lock_updated","CVE-2023-29403","https://nvd.nist.gov/vuln/detail/CVE-2023-29403","go","7.8","1.17.13-linux-amd64-bootstrap","","","","2023A0000029403","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version","" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","lock_updated","CVE-2023-29402","https://nvd.nist.gov/vuln/detail/CVE-2023-29402","go","9.8","1.17.13-linux-amd64-bootstrap","","","","2023A0000029402","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version","" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","lock_updated","CVE-2023-29400","https://nvd.nist.gov/vuln/detail/CVE-2023-29400","go","7.3","1.17.13-linux-amd64-bootstrap","","","","2023A0000029400","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version","" -"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","lock_updated","CVE-2023-29383","https://nvd.nist.gov/vuln/detail/CVE-2023-29383","shadow","3.3","4.13","4.14.0","4.14.0","shadow","2023A0000029383","False","Pending merge for nixpkgs master PR: https://github.com/NixOS/nixpkgs/pull/233924. TODO: consider taking the upstream version update to 4.14 instead: https://github.com/shadow-maint/shadow/releases.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/254143" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","lock_updated","CVE-2023-29383","https://nvd.nist.gov/vuln/detail/CVE-2023-29383","shadow","3.3","4.13","4.14.0","4.14.1","shadow","2023A0000029383","False","Pending merge for nixpkgs master PR: https://github.com/NixOS/nixpkgs/pull/233924. 
TODO: consider taking the upstream version update to 4.14 instead: https://github.com/shadow-maint/shadow/releases.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/254143" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","lock_updated","CVE-2023-28322","https://nvd.nist.gov/vuln/detail/CVE-2023-28322","curl","3.7","0.4.44","","","","2023A0000028322","False","","err_missing_repology_version","https://github.com/NixOS/nixpkgs/pull/232531 https://github.com/NixOS/nixpkgs/pull/232535" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","lock_updated","CVE-2023-28321","https://nvd.nist.gov/vuln/detail/CVE-2023-28321","curl","5.9","0.4.44","","","","2023A0000028321","False","","err_missing_repology_version","https://github.com/NixOS/nixpkgs/pull/232531 
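Review bot: same stale shadow comment as in the current-pintype hunk above (nixpkgs already at 4.14.0, PR 254143 recorded, TODO unresolved). Beyond that, the unchanged context rows for CVE-2023-28322 and CVE-2023-28321 report package curl with version_local 0.4.44 and empty repology/nixpkgs/upstream versions, while the curl row for CVE-2023-38039 in this same section shows 8.1.1; 0.4.44 does not match the curl version scheme seen elsewhere in the file, which suggests another package-name collision of the snappy/libnotify kind. Either whitelist those rows with an "Incorrect package" comment as the snappy rows do, or explain in whitelist_comment what 0.4.44 refers to, rather than leaving them at err_missing_repology_version with whitelist False.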
@@ -373,6 +375,7 @@ https://github.com/NixOS/nixpkgs/pull/232535" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","lock_updated","CVE-2023-24536","https://nvd.nist.gov/vuln/detail/CVE-2023-24536","go","7.5","1.17.13-linux-amd64-bootstrap","","","","2023A0000024536","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version","" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","lock_updated","CVE-2023-24534","https://nvd.nist.gov/vuln/detail/CVE-2023-24534","go","7.5","1.17.13-linux-amd64-bootstrap","","","","2023A0000024534","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version","" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","lock_updated","CVE-2023-24532","https://nvd.nist.gov/vuln/detail/CVE-2023-24532","go","5.3","1.17.13-linux-amd64-bootstrap","","","","2023A0000024532","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","lock_updated","CVE-2023-5344","https://nvd.nist.gov/vuln/detail/CVE-2023-5344","vim","7.5","9.0.1441","9.0.1897","9.0.1976","vim","2023A0000005344","False","","fix_update_to_version_upstream","" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","lock_updated","CVE-2023-5156","https://nvd.nist.gov/vuln/detail/CVE-2023-5156","glibc","7.5","2.37-8","2.37-8","2.38","glibc","2023A0000005156","False","","fix_not_available","" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","lock_updated","CVE-2023-4807","https://nvd.nist.gov/vuln/detail/CVE-2023-4807","openssl","7.8","3.0.10","3.0.10","3.1.3","openssl","2023A0000004807","False","","fix_update_to_version_upstream","https://github.com/NixOS/nixpkgs/pull/254106 
https://github.com/NixOS/nixpkgs/pull/254185 diff --git a/reports/ghaf-23.06/packages.x86_64-linux.generic-x86_64-release.md b/reports/ghaf-23.06/packages.x86_64-linux.generic-x86_64-release.md index 2eacc98..ba0d564 100644 --- a/reports/ghaf-23.06/packages.x86_64-linux.generic-x86_64-release.md +++ b/reports/ghaf-23.06/packages.x86_64-linux.generic-x86_64-release.md 
@@ -35,8 +35,8 @@ Update the target Ghaf [flake.lock](https://github.com/tiiuae/ghaf/blob/main/fla | [CVE-2023-25434](https://nvd.nist.gov/vuln/detail/CVE-2023-25434) | libtiff | 8.8 | 4.5.0 | 4.5.1 | 4.6.0 | *[[PR](https://github.com/NixOS/nixpkgs/pull/239544), [PR](https://github.com/NixOS/nixpkgs/pull/239595)]* | | [CVE-2023-4863](https://nvd.nist.gov/vuln/detail/CVE-2023-4863) | libwebp | 8.8 | 1.3.0 | 1.3.2 | 1.3.2 | *[[PR](https://github.com/NixOS/nixpkgs/pull/255169), [PR](https://github.com/NixOS/nixpkgs/pull/255786), [PR](https://github.com/NixOS/nixpkgs/pull/255959), [PR](https://github.com/NixOS/nixpkgs/pull/258217), [PR](https://github.com/NixOS/nixpkgs/pull/258430)]* | | [CVE-2023-3724](https://nvd.nist.gov/vuln/detail/CVE-2023-3724) | wolfssl | 8.8 | 5.5.4 | 5.6.3 | 5.6.3 | Issue is fixed in 5.6.2: [link](https://www.wolfssl.com/docs/security-vulnerabilities/). Nixpkgs PR: [link](https://github.com/NixOS/nixpkgs/pull/239027). *[[PR](https://github.com/NixOS/nixpkgs/pull/239027), [PR](https://github.com/NixOS/nixpkgs/pull/246451)]* | -| [CVE-2023-39533](https://nvd.nist.gov/vuln/detail/CVE-2023-39533) | go | 7.5 | 1.20.4 | 1.21.1 | 1.21.1 | It's unclear if the vulnerable go pacakge 'go-libp2p' is actually used by anything Ghaf depends-on. The issue is included here, since NVD CPE refers go compiler 'golang:go' up to version 1.20.6. As soon as the nixpkgs PR that updates to go 1.20.7 ([link](https://github.com/NixOS/nixpkgs/pull/246663)) is in Ghaf, this issue should no longer be included in the reports. *[[PR](https://github.com/NixOS/nixpkgs/pull/253738)]* | -| [CVE-2023-39533](https://nvd.nist.gov/vuln/detail/CVE-2023-39533) | go | 7.5 | 1.17.13-linux-am | 1.21.1 | 1.21.1 | It's unclear if the vulnerable go pacakge 'go-libp2p' is actually used by anything Ghaf depends-on. The issue is included here, since NVD CPE refers go compiler 'golang:go' up to version 1.20.6. 
As soon as the nixpkgs PR that updates to go 1.20.7 ([link](https://github.com/NixOS/nixpkgs/pull/246663)) is in Ghaf, this issue should no longer be included in the reports. *[[PR](https://github.com/NixOS/nixpkgs/pull/253738)]* | +| [CVE-2023-39533](https://nvd.nist.gov/vuln/detail/CVE-2023-39533) | go | 7.5 | 1.20.4 | 1.21.1 | 1.21.2 | It's unclear if the vulnerable go pacakge 'go-libp2p' is actually used by anything Ghaf depends-on. The issue is included here, since NVD CPE refers go compiler 'golang:go' up to version 1.20.6. As soon as the nixpkgs PR that updates to go 1.20.7 ([link](https://github.com/NixOS/nixpkgs/pull/246663)) is in Ghaf, this issue should no longer be included in the reports. *[[PR](https://github.com/NixOS/nixpkgs/pull/253738)]* | +| [CVE-2023-39533](https://nvd.nist.gov/vuln/detail/CVE-2023-39533) | go | 7.5 | 1.17.13-linux-am | 1.21.1 | 1.21.2 | It's unclear if the vulnerable go pacakge 'go-libp2p' is actually used by anything Ghaf depends-on. The issue is included here, since NVD CPE refers go compiler 'golang:go' up to version 1.20.6. As soon as the nixpkgs PR that updates to go 1.20.7 ([link](https://github.com/NixOS/nixpkgs/pull/246663)) is in Ghaf, this issue should no longer be included in the reports. *[[PR](https://github.com/NixOS/nixpkgs/pull/253738)]* | | [CVE-2023-35790](https://nvd.nist.gov/vuln/detail/CVE-2023-35790) | libjxl | 7.5 | 0.8.1 | 0.8.2 | 0.8.2 | *[[PR](https://github.com/NixOS/nixpkgs/pull/237913), [PR](https://github.com/NixOS/nixpkgs/pull/238274)]* | | [CVE-2023-4236](https://nvd.nist.gov/vuln/detail/CVE-2023-4236) | bind | 7.5 | 9.18.14 | 9.18.19 | 9.18.19 | *[[PR](https://github.com/NixOS/nixpkgs/pull/256396), [PR](https://github.com/NixOS/nixpkgs/pull/256469)]* | | [CVE-2023-3341](https://nvd.nist.gov/vuln/detail/CVE-2023-3341) | bind | 7.5 | 9.18.14 | 9.18.19 | 9.18.19 | *[[PR](https://github.com/NixOS/nixpkgs/pull/256396), [PR](https://github.com/NixOS/nixpkgs/pull/256469)]* | 
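Review bot: in the rendered table the bootstrap rows show the local version as "1.17.13-linux-am", i.e. the CSV value "1.17.13-linux-amd64-bootstrap" clipped at 16 characters; the cut drops exactly the "bootstrap" qualifier that distinguishes the second CVE-2023-39533 row from the first, so the markdown now reads as two identical go findings with different versions and no explanation. Render the full value, or shorten it deliberately (for example "1.17.13 (bootstrap)"), instead of truncating. The "pacakge" typo and the stale "go 1.20.7" sentence are carried into the markdown from the CSV, so a fix at the source corrects both files at once.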
@@ -50,10 +50,10 @@ Update the target Ghaf [flake.lock](https://github.com/tiiuae/ghaf/blob/main/fla | [CVE-2023-3618](https://nvd.nist.gov/vuln/detail/CVE-2023-3618) | libtiff | 6.5 | 4.5.0 | 4.5.1 | 4.6.0 | *[[PR](https://github.com/NixOS/nixpkgs/pull/239544), [PR](https://github.com/NixOS/nixpkgs/pull/239595)]* | | [CVE-2023-3316](https://nvd.nist.gov/vuln/detail/CVE-2023-3316) | libtiff | 6.5 | 4.5.0 | 4.5.1 | 4.6.0 | *[[PR](https://github.com/NixOS/nixpkgs/pull/239544), [PR](https://github.com/NixOS/nixpkgs/pull/239595)]* | | [CVE-2023-3255](https://nvd.nist.gov/vuln/detail/CVE-2023-3255) | qemu | 6.5 | 8.0.0 | 8.1.1 | 8.1.1 | *[[PR](https://github.com/NixOS/nixpkgs/pull/248659), [PR](https://github.com/NixOS/nixpkgs/pull/256632)]* | -| [CVE-2023-39319](https://nvd.nist.gov/vuln/detail/CVE-2023-39319) | go | 6.1 | 1.20.4 | 1.21.1 | 1.21.1 | *[[PR](https://github.com/NixOS/nixpkgs/pull/253738)]* | -| [CVE-2023-39319](https://nvd.nist.gov/vuln/detail/CVE-2023-39319) | go | 6.1 | 1.17.13-linux-am | 1.21.1 | 1.21.1 | *[[PR](https://github.com/NixOS/nixpkgs/pull/253738)]* | -| [CVE-2023-39318](https://nvd.nist.gov/vuln/detail/CVE-2023-39318) | go | 6.1 | 1.20.4 | 1.21.1 | 1.21.1 | *[[PR](https://github.com/NixOS/nixpkgs/pull/253738)]* | -| [CVE-2023-39318](https://nvd.nist.gov/vuln/detail/CVE-2023-39318) | go | 6.1 | 1.17.13-linux-am | 1.21.1 | 1.21.1 | *[[PR](https://github.com/NixOS/nixpkgs/pull/253738)]* | +| [CVE-2023-39319](https://nvd.nist.gov/vuln/detail/CVE-2023-39319) | go | 6.1 | 1.20.4 | 1.21.1 | 1.21.2 | *[[PR](https://github.com/NixOS/nixpkgs/pull/253738)]* | +| [CVE-2023-39319](https://nvd.nist.gov/vuln/detail/CVE-2023-39319) | go | 6.1 | 1.17.13-linux-am | 1.21.1 | 1.21.2 | *[[PR](https://github.com/NixOS/nixpkgs/pull/253738)]* | +| [CVE-2023-39318](https://nvd.nist.gov/vuln/detail/CVE-2023-39318) | go | 6.1 | 1.20.4 | 1.21.1 | 1.21.2 | *[[PR](https://github.com/NixOS/nixpkgs/pull/253738)]* | +| 
[CVE-2023-39318](https://nvd.nist.gov/vuln/detail/CVE-2023-39318) | go | 6.1 | 1.17.13-linux-am | 1.21.1 | 1.21.2 | *[[PR](https://github.com/NixOS/nixpkgs/pull/253738)]* | | [CVE-2023-1916](https://nvd.nist.gov/vuln/detail/CVE-2023-1916) | libtiff | 6.1 | 4.5.0 | 4.5.1 | 4.6.0 | *[[PR](https://github.com/NixOS/nixpkgs/pull/239544), [PR](https://github.com/NixOS/nixpkgs/pull/239595)]* | | [CVE-2023-0330](https://nvd.nist.gov/vuln/detail/CVE-2023-0330) | qemu | 6.0 | 8.0.0 | 8.1.1 | 8.1.1 | *[[PR](https://github.com/NixOS/nixpkgs/pull/256632)]* | | [CVE-2023-3301](https://nvd.nist.gov/vuln/detail/CVE-2023-3301) | qemu | 5.6 | 8.0.0 | 8.1.1 | 8.1.1 | *[[PR](https://github.com/NixOS/nixpkgs/pull/244827), [PR](https://github.com/NixOS/nixpkgs/pull/256632)]* | 
@@ -66,10 +66,11 @@ Update the target Ghaf [flake.lock](https://github.com/tiiuae/ghaf/blob/main/fla | [CVE-2023-25433](https://nvd.nist.gov/vuln/detail/CVE-2023-25433) | libtiff | 5.5 | 4.5.0 | 4.5.1 | 4.6.0 | *[[PR](https://github.com/NixOS/nixpkgs/pull/239544), [PR](https://github.com/NixOS/nixpkgs/pull/239595)]* | | [CVE-2023-2908](https://nvd.nist.gov/vuln/detail/CVE-2023-2908) | libtiff | 5.5 | 4.5.0 | 4.5.1 | 4.6.0 | *[[PR](https://github.com/NixOS/nixpkgs/pull/239544), [PR](https://github.com/NixOS/nixpkgs/pull/239595)]* | | [CVE-2021-3933](https://nvd.nist.gov/vuln/detail/CVE-2021-3933) | openexr | 5.5 | 2.5.8 | 3.2.0 | 3.2.1 | *[[PR](https://github.com/NixOS/nixpkgs/pull/234754), [PR](https://github.com/NixOS/nixpkgs/pull/236043), [PR](https://github.com/NixOS/nixpkgs/pull/238270), [PR](https://github.com/NixOS/nixpkgs/pull/254764), [PR](https://github.com/NixOS/nixpkgs/pull/258729)]* | -| [CVE-2023-29409](https://nvd.nist.gov/vuln/detail/CVE-2023-29409) | go | 5.3 | 1.20.4 | 1.21.1 | 1.21.1 | See: [link](https://github.com/golang/go/issues/61580), fixed by update to go 1.20.7: nixpkgs PR [link](https://github.com/NixOS/nixpkgs/pull/246663). *[[PR](https://github.com/NixOS/nixpkgs/pull/247034), [PR](https://github.com/NixOS/nixpkgs/pull/253738)]* | -| [CVE-2023-29409](https://nvd.nist.gov/vuln/detail/CVE-2023-29409) | go | 5.3 | 1.17.13-linux-am | 1.21.1 | 1.21.1 | See: [link](https://github.com/golang/go/issues/61580), fixed by update to go 1.20.7: nixpkgs PR [link](https://github.com/NixOS/nixpkgs/pull/246663). *[[PR](https://github.com/NixOS/nixpkgs/pull/247034), [PR](https://github.com/NixOS/nixpkgs/pull/253738)]* | +| [CVE-2023-29409](https://nvd.nist.gov/vuln/detail/CVE-2023-29409) | go | 5.3 | 1.20.4 | 1.21.1 | 1.21.2 | See: [link](https://github.com/golang/go/issues/61580), fixed by update to go 1.20.7: nixpkgs PR [link](https://github.com/NixOS/nixpkgs/pull/246663). 
*[[PR](https://github.com/NixOS/nixpkgs/pull/247034), [PR](https://github.com/NixOS/nixpkgs/pull/253738)]* | +| [CVE-2023-29409](https://nvd.nist.gov/vuln/detail/CVE-2023-29409) | go | 5.3 | 1.17.13-linux-am | 1.21.1 | 1.21.2 | See: [link](https://github.com/golang/go/issues/61580), fixed by update to go 1.20.7: nixpkgs PR [link](https://github.com/NixOS/nixpkgs/pull/246663). *[[PR](https://github.com/NixOS/nixpkgs/pull/247034), [PR](https://github.com/NixOS/nixpkgs/pull/253738)]* | | [CVE-2023-3817](https://nvd.nist.gov/vuln/detail/CVE-2023-3817) | openssl | 5.3 | 3.0.9 | 3.1.0 | 3.2.0 | openssl LTS release 3.0.10 fixes the issue, nixpkgs PR: [link](https://github.com/NixOS/nixpkgs/pull/246579). *[[PR](https://github.com/NixOS/nixpkgs/pull/247537), [PR](https://github.com/NixOS/nixpkgs/pull/248715)]* | | [CVE-2023-2975](https://nvd.nist.gov/vuln/detail/CVE-2023-2975) | openssl | 5.3 | 3.0.9 | 3.1.0 | 3.2.0 | *[[PR](https://github.com/NixOS/nixpkgs/pull/243625), [PR](https://github.com/NixOS/nixpkgs/pull/243938), [PR](https://github.com/NixOS/nixpkgs/pull/247537), [PR](https://github.com/NixOS/nixpkgs/pull/248715)]* | +| [GHSA-qqvq-6xgj-jw8g](https://osv.dev/GHSA-qqvq-6xgj-jw8g) | electron | | 25.1.1 | 26.2.4 | 26.3.0 | | | [GHSA-j7hp-h8jx-5ppr](https://osv.dev/GHSA-j7hp-h8jx-5ppr) | electron | | 25.1.1 | 26.2.4 | 26.3.0 | | | [GHSA-7x97-j373-85x5](https://osv.dev/GHSA-7x97-j373-85x5) | electron | | 25.1.1 | 26.2.4 | 26.3.0 | Nixpkgs fix PR: [link](https://github.com/NixOS/nixpkgs/pull/251189). | | [OSV-2023-101](https://osv.dev/OSV-2023-101) | qemu | | 8.0.0 | 8.1.1 | 8.1.1 | Fixed in qemu 8.0.4: [link](https://github.com/NixOS/nixpkgs/pull/248659). | 
@@ -95,9 +96,10 @@ Following table lists vulnerabilities currently impacting the Ghaf target that h Consider [whitelisting](../../manual_analysis.csv) possible false positives based on manual analysis, or - if determined valid - help nixpkgs community fix the following issues in nixpkgs: -| vuln_id | package | severity | version_local | nix_unstable | upstream | comment | -|-------------------------------------------------------------------|-----------|------------|-----------------|----------------|------------|------------------------------------------------------------------------------------------------------------| -| [CVE-2023-44488](https://nvd.nist.gov/vuln/detail/CVE-2023-44488) | libvpx | 7.5 | 1.13.0 | 1.13.0 | 1.13.1 | *[[PR](https://github.com/NixOS/nixpkgs/pull/258295), [PR](https://github.com/NixOS/nixpkgs/pull/258350)]* | +| vuln_id | package | severity | version_local | nix_unstable | upstream | comment | +|-----------------------------------------------------------------|-----------|------------|-----------------|----------------|------------|-----------| +| [CVE-2023-5344](https://nvd.nist.gov/vuln/detail/CVE-2023-5344) | vim | 7.5 | 9.0.1441 | 9.0.1897 | 9.0.1976 | | +| [GHSA-qqvq-6xgj-jw8g](https://osv.dev/GHSA-qqvq-6xgj-jw8g) | electron | | 25.1.1 | 26.2.4 | 26.3.0 | | 
@@ -131,10 +133,11 @@ Consider [whitelisting](../../manual_analysis.csv) possible false positives base | [CVE-2023-2610](https://nvd.nist.gov/vuln/detail/CVE-2023-2610) | vim | 7.8 | 9.0.1441 | 9.0.1897 | 9.0.1976 | Backport nixpkgs PR [link](https://github.com/NixOS/nixpkgs/pull/254666) to 23.05 once it's merged to unstable/staging. *[[PR](https://github.com/NixOS/nixpkgs/pull/254666)]* | | [CVE-2023-1386](https://nvd.nist.gov/vuln/detail/CVE-2023-1386) | qemu | 7.8 | 8.0.0 | 8.1.1 | 8.1.1 | Revisit when fixed upstream: [link](https://github.com/v9fs/linux/issues/29). | | [CVE-2023-44488](https://nvd.nist.gov/vuln/detail/CVE-2023-44488) | libvpx | 7.5 | 1.13.0 | 1.13.0 | 1.13.1 | *[[PR](https://github.com/NixOS/nixpkgs/pull/258295), [PR](https://github.com/NixOS/nixpkgs/pull/258350)]* | -| [CVE-2023-39533](https://nvd.nist.gov/vuln/detail/CVE-2023-39533) | go | 7.5 | 1.20.4 | 1.21.1 | 1.21.1 | It's unclear if the vulnerable go pacakge 'go-libp2p' is actually used by anything Ghaf depends-on. The issue is included here, since NVD CPE refers go compiler 'golang:go' up to version 1.20.6. As soon as the nixpkgs PR that updates to go 1.20.7 ([link](https://github.com/NixOS/nixpkgs/pull/246663)) is in Ghaf, this issue should no longer be included in the reports. *[[PR](https://github.com/NixOS/nixpkgs/pull/253738)]* | -| [CVE-2023-39533](https://nvd.nist.gov/vuln/detail/CVE-2023-39533) | go | 7.5 | 1.17.13-linux-am | 1.21.1 | 1.21.1 | It's unclear if the vulnerable go pacakge 'go-libp2p' is actually used by anything Ghaf depends-on. The issue is included here, since NVD CPE refers go compiler 'golang:go' up to version 1.20.6. As soon as the nixpkgs PR that updates to go 1.20.7 ([link](https://github.com/NixOS/nixpkgs/pull/246663)) is in Ghaf, this issue should no longer be included in the reports. 
*[[PR](https://github.com/NixOS/nixpkgs/pull/253738)]* | +| [CVE-2023-39533](https://nvd.nist.gov/vuln/detail/CVE-2023-39533) | go | 7.5 | 1.20.4 | 1.21.1 | 1.21.2 | It's unclear if the vulnerable go pacakge 'go-libp2p' is actually used by anything Ghaf depends-on. The issue is included here, since NVD CPE refers go compiler 'golang:go' up to version 1.20.6. As soon as the nixpkgs PR that updates to go 1.20.7 ([link](https://github.com/NixOS/nixpkgs/pull/246663)) is in Ghaf, this issue should no longer be included in the reports. *[[PR](https://github.com/NixOS/nixpkgs/pull/253738)]* | +| [CVE-2023-39533](https://nvd.nist.gov/vuln/detail/CVE-2023-39533) | go | 7.5 | 1.17.13-linux-am | 1.21.1 | 1.21.2 | It's unclear if the vulnerable go pacakge 'go-libp2p' is actually used by anything Ghaf depends-on. The issue is included here, since NVD CPE refers go compiler 'golang:go' up to version 1.20.6. As soon as the nixpkgs PR that updates to go 1.20.7 ([link](https://github.com/NixOS/nixpkgs/pull/246663)) is in Ghaf, this issue should no longer be included in the reports. 
*[[PR](https://github.com/NixOS/nixpkgs/pull/253738)]* | | [CVE-2023-38039](https://nvd.nist.gov/vuln/detail/CVE-2023-38039) | curl | 7.5 | 8.1.1 | 8.3.0 | 8.3.0 | *[[PR](https://github.com/NixOS/nixpkgs/pull/254962), [PR](https://github.com/NixOS/nixpkgs/pull/254963)]* | | [CVE-2023-35790](https://nvd.nist.gov/vuln/detail/CVE-2023-35790) | libjxl | 7.5 | 0.8.1 | 0.8.2 | 0.8.2 | *[[PR](https://github.com/NixOS/nixpkgs/pull/237913), [PR](https://github.com/NixOS/nixpkgs/pull/238274)]* | +| [CVE-2023-5344](https://nvd.nist.gov/vuln/detail/CVE-2023-5344) | vim | 7.5 | 9.0.1441 | 9.0.1897 | 9.0.1976 | | | [CVE-2023-5156](https://nvd.nist.gov/vuln/detail/CVE-2023-5156) | glibc | 7.5 | 2.37-8 | 2.37-8 | 2.38 | | | [CVE-2023-4236](https://nvd.nist.gov/vuln/detail/CVE-2023-4236) | bind | 7.5 | 9.18.14 | 9.18.19 | 9.18.19 | *[[PR](https://github.com/NixOS/nixpkgs/pull/256396), [PR](https://github.com/NixOS/nixpkgs/pull/256469)]* | | [CVE-2023-3354](https://nvd.nist.gov/vuln/detail/CVE-2023-3354) | qemu | 7.5 | 8.0.0 | 8.1.1 | 8.1.1 | Fixed in 8.0.4: [link](https://gitlab.com/qemu-project/qemu/-/commit/5300472ec0990c61742d89b5eea1c1e6941f6d62). Nixpkgs PR: [link](https://github.com/NixOS/nixpkgs/pull/251036). *[[PR](https://github.com/NixOS/nixpkgs/pull/248659)]* | 
@@ -157,10 +160,10 @@ Consider [whitelisting](../../manual_analysis.csv) possible false positives base | [CVE-2023-3255](https://nvd.nist.gov/vuln/detail/CVE-2023-3255) | qemu | 6.5 | 8.0.0 | 8.1.1 | 8.1.1 | *[[PR](https://github.com/NixOS/nixpkgs/pull/248659), [PR](https://github.com/NixOS/nixpkgs/pull/256632)]* | | [CVE-2023-3180](https://nvd.nist.gov/vuln/detail/CVE-2023-3180) | qemu | 6.5 | 8.0.0 | 8.1.1 | 8.1.1 | Fixed in 8.0.4: [link](https://gitlab.com/qemu-project/qemu/-/commit/49f1e02bac166821c712534aaa775f50e1afe17f). Nixpkgs PR: [link](https://github.com/NixOS/nixpkgs/pull/251036). *[[PR](https://github.com/NixOS/nixpkgs/pull/248659)]* | | [CVE-2023-3019](https://nvd.nist.gov/vuln/detail/CVE-2023-3019) | qemu | 6.5 | 8.0.0 | 8.1.1 | 8.1.1 | Revisit when fixed upstream: [link](https://lists.nongnu.org/archive/html/qemu-devel/2023-05/msg08310.html). | -| [CVE-2023-39319](https://nvd.nist.gov/vuln/detail/CVE-2023-39319) | go | 6.1 | 1.20.4 | 1.21.1 | 1.21.1 | *[[PR](https://github.com/NixOS/nixpkgs/pull/253738)]* | -| [CVE-2023-39319](https://nvd.nist.gov/vuln/detail/CVE-2023-39319) | go | 6.1 | 1.17.13-linux-am | 1.21.1 | 1.21.1 | *[[PR](https://github.com/NixOS/nixpkgs/pull/253738)]* | -| [CVE-2023-39318](https://nvd.nist.gov/vuln/detail/CVE-2023-39318) | go | 6.1 | 1.20.4 | 1.21.1 | 1.21.1 | *[[PR](https://github.com/NixOS/nixpkgs/pull/253738)]* | -| [CVE-2023-39318](https://nvd.nist.gov/vuln/detail/CVE-2023-39318) | go | 6.1 | 1.17.13-linux-am | 1.21.1 | 1.21.1 | *[[PR](https://github.com/NixOS/nixpkgs/pull/253738)]* | +| [CVE-2023-39319](https://nvd.nist.gov/vuln/detail/CVE-2023-39319) | go | 6.1 | 1.20.4 | 1.21.1 | 1.21.2 | *[[PR](https://github.com/NixOS/nixpkgs/pull/253738)]* | +| [CVE-2023-39319](https://nvd.nist.gov/vuln/detail/CVE-2023-39319) | go | 6.1 | 1.17.13-linux-am | 1.21.1 | 1.21.2 | *[[PR](https://github.com/NixOS/nixpkgs/pull/253738)]* | +| [CVE-2023-39318](https://nvd.nist.gov/vuln/detail/CVE-2023-39318) | go | 6.1 | 1.20.4 | 1.21.1 | 
1.21.2 | *[[PR](https://github.com/NixOS/nixpkgs/pull/253738)]* | +| [CVE-2023-39318](https://nvd.nist.gov/vuln/detail/CVE-2023-39318) | go | 6.1 | 1.17.13-linux-am | 1.21.1 | 1.21.2 | *[[PR](https://github.com/NixOS/nixpkgs/pull/253738)]* | | [CVE-2023-1916](https://nvd.nist.gov/vuln/detail/CVE-2023-1916) | libtiff | 6.1 | 4.5.0 | 4.5.1 | 4.6.0 | *[[PR](https://github.com/NixOS/nixpkgs/pull/239544), [PR](https://github.com/NixOS/nixpkgs/pull/239595)]* | | [CVE-2023-0330](https://nvd.nist.gov/vuln/detail/CVE-2023-0330) | qemu | 6.0 | 8.0.0 | 8.1.1 | 8.1.1 | *[[PR](https://github.com/NixOS/nixpkgs/pull/256632)]* | | [CVE-2023-3301](https://nvd.nist.gov/vuln/detail/CVE-2023-3301) | qemu | 5.6 | 8.0.0 | 8.1.1 | 8.1.1 | *[[PR](https://github.com/NixOS/nixpkgs/pull/244827), [PR](https://github.com/NixOS/nixpkgs/pull/256632)]* | 
@@ -184,12 +187,13 @@ Consider [whitelisting](../../manual_analysis.csv) possible false positives base | [CVE-2020-18781](https://nvd.nist.gov/vuln/detail/CVE-2020-18781) | audiofile | 5.5 | 0.3.6 | 0.3.6 | 0.3.6 | | | [CVE-2020-2136](https://nvd.nist.gov/vuln/detail/CVE-2020-2136) | git | 5.4 | 2.40.1 | 2.42.0 | 2.42.0 | *[[PR](https://github.com/NixOS/nixpkgs/pull/82872), [PR](https://github.com/NixOS/nixpkgs/pull/84664)]* | | [CVE-2023-30571](https://nvd.nist.gov/vuln/detail/CVE-2023-30571) | libarchive | 5.3 | 3.6.2 | 3.6.2 | 3.7.2 | No upstream fix available, see: [link](https://github.com/libarchive/libarchive/issues/1876). *[[PR](https://github.com/NixOS/nixpkgs/pull/244713), [PR](https://github.com/NixOS/nixpkgs/pull/256930)]* | -| [CVE-2023-29409](https://nvd.nist.gov/vuln/detail/CVE-2023-29409) | go | 5.3 | 1.20.4 | 1.21.1 | 1.21.1 | See: [link](https://github.com/golang/go/issues/61580), fixed by update to go 1.20.7: nixpkgs PR [link](https://github.com/NixOS/nixpkgs/pull/246663). *[[PR](https://github.com/NixOS/nixpkgs/pull/247034), [PR](https://github.com/NixOS/nixpkgs/pull/253738)]* | -| [CVE-2023-29409](https://nvd.nist.gov/vuln/detail/CVE-2023-29409) | go | 5.3 | 1.17.13-linux-am | 1.21.1 | 1.21.1 | See: [link](https://github.com/golang/go/issues/61580), fixed by update to go 1.20.7: nixpkgs PR [link](https://github.com/NixOS/nixpkgs/pull/246663). *[[PR](https://github.com/NixOS/nixpkgs/pull/247034), [PR](https://github.com/NixOS/nixpkgs/pull/253738)]* | +| [CVE-2023-29409](https://nvd.nist.gov/vuln/detail/CVE-2023-29409) | go | 5.3 | 1.20.4 | 1.21.1 | 1.21.2 | See: [link](https://github.com/golang/go/issues/61580), fixed by update to go 1.20.7: nixpkgs PR [link](https://github.com/NixOS/nixpkgs/pull/246663). 
*[[PR](https://github.com/NixOS/nixpkgs/pull/247034), [PR](https://github.com/NixOS/nixpkgs/pull/253738)]* | +| [CVE-2023-29409](https://nvd.nist.gov/vuln/detail/CVE-2023-29409) | go | 5.3 | 1.17.13-linux-am | 1.21.1 | 1.21.2 | See: [link](https://github.com/golang/go/issues/61580), fixed by update to go 1.20.7: nixpkgs PR [link](https://github.com/NixOS/nixpkgs/pull/246663). *[[PR](https://github.com/NixOS/nixpkgs/pull/247034), [PR](https://github.com/NixOS/nixpkgs/pull/253738)]* | | [CVE-2023-3817](https://nvd.nist.gov/vuln/detail/CVE-2023-3817) | openssl | 5.3 | 3.0.9 | 3.1.0 | 3.2.0 | openssl LTS release 3.0.10 fixes the issue, nixpkgs PR: [link](https://github.com/NixOS/nixpkgs/pull/246579). *[[PR](https://github.com/NixOS/nixpkgs/pull/247537), [PR](https://github.com/NixOS/nixpkgs/pull/248715)]* | | [CVE-2023-2975](https://nvd.nist.gov/vuln/detail/CVE-2023-2975) | openssl | 5.3 | 3.0.9 | 3.1.0 | 3.2.0 | *[[PR](https://github.com/NixOS/nixpkgs/pull/243625), [PR](https://github.com/NixOS/nixpkgs/pull/243938), [PR](https://github.com/NixOS/nixpkgs/pull/247537), [PR](https://github.com/NixOS/nixpkgs/pull/248715)]* | | [CVE-2023-4039](https://nvd.nist.gov/vuln/detail/CVE-2023-4039) | gcc | 4.8 | 12.2.0 | 4.6.4 | 13.2.0 | | -| [CVE-2023-29383](https://nvd.nist.gov/vuln/detail/CVE-2023-29383) | shadow | 3.3 | 4.13 | 4.14.0 | 4.14.0 | Pending merge for nixpkgs master PR: [link](https://github.com/NixOS/nixpkgs/pull/233924). TODO: consider taking the upstream version update to 4.14 instead: [link](https://github.com/shadow-maint/shadow/releases). *[[PR](https://github.com/NixOS/nixpkgs/pull/254143)]* | +| [CVE-2023-29383](https://nvd.nist.gov/vuln/detail/CVE-2023-29383) | shadow | 3.3 | 4.13 | 4.14.0 | 4.14.1 | Pending merge for nixpkgs master PR: [link](https://github.com/NixOS/nixpkgs/pull/233924). TODO: consider taking the upstream version update to 4.14 instead: [link](https://github.com/shadow-maint/shadow/releases). 
*[[PR](https://github.com/NixOS/nixpkgs/pull/254143)]* | +| [GHSA-qqvq-6xgj-jw8g](https://osv.dev/GHSA-qqvq-6xgj-jw8g) | electron | | 25.1.1 | 26.2.4 | 26.3.0 | | | [GHSA-j7hp-h8jx-5ppr](https://osv.dev/GHSA-j7hp-h8jx-5ppr) | electron | | 25.1.1 | 26.2.4 | 26.3.0 | | | [GHSA-7x97-j373-85x5](https://osv.dev/GHSA-7x97-j373-85x5) | electron | | 25.1.1 | 26.2.4 | 26.3.0 | Nixpkgs fix PR: [link](https://github.com/NixOS/nixpkgs/pull/251189). | | [GHSA-w596-4wvx-j9j6](https://osv.dev/GHSA-w596-4wvx-j9j6) | py | | 1.11.0 | 1.11.0 | 1.11.0 | | diff --git a/reports/main/data.csv b/reports/main/data.csv index 13ec32c..137d5ee 100644 --- a/reports/main/data.csv +++ b/reports/main/data.csv 
@@ -1,4 +1,5 @@ "target","flakeref","pintype","vuln_id","url","package","severity","version_local","version_nixpkgs","version_upstream","package_repology","sortcol","whitelist","whitelist_comment","classify","nixpkgs_pr" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","GHSA-qqvq-6xgj-jw8g","https://osv.dev/GHSA-qqvq-6xgj-jw8g","electron","","26.2.1","26.2.4","26.3.0","electron","2023A1696464000","False","","err_not_vulnerable_based_on_repology","" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","GHSA-6898-wx94-8jq8","https://osv.dev/GHSA-6898-wx94-8jq8","libnotify","","0.8.2","","","","2023A1694131200","True","Incorrect package: Issue refers node-libnotify https://github.com/mytrile/node-libnotify, whereas nixpkgs refers gnome-libnotify https://gitlab.gnome.org/GNOME/libnotify.","err_missing_repology_version","" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","GHSA-wrrj-h57r-vx9p","https://osv.dev/GHSA-wrrj-h57r-vx9p","cargo","","1.69.0","","","","2023A1692835200","True","Duplicate to CVE-2023-40030.","err_missing_repology_version","" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","GHSA-w596-4wvx-j9j6","https://osv.dev/GHSA-w596-4wvx-j9j6","py","","1.11.0","1.11.0","1.11.0","python:py","2023A1691452800","False","","err_not_vulnerable_based_on_repology","" 
@@ -6,9 +7,9 @@ https://github.com/NixOS/nixpkgs/pull/258350" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-41330","https://nvd.nist.gov/vuln/detail/CVE-2023-41330","snappy","9.8","1.1.10","","","","2023A0000041330","True","Incorrect package: Issue concerns snappy php library: https://github.com/KnpLabs/snappy, whereas, nixpkgs ""snappy"" refers snappy compression library: https://google.github.io/snappy/. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96.","err_missing_repology_version","" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-39742","https://nvd.nist.gov/vuln/detail/CVE-2023-39742","giflib","5.5","5.2.1","5.2.1","5.2.1","giflib","2023A0000039742","False","","fix_not_available","" -"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-39533","https://nvd.nist.gov/vuln/detail/CVE-2023-39533","go","7.5","1.17.13-linux-amd64-bootstrap","1.21.1","1.21.1","go","2023A0000039533","False","It's unclear if the vulnerable go pacakge 'go-libp2p' is actually used by anything Ghaf depends-on. The issue is included here, since NVD CPE refers go compiler 'golang:go' up to version 1.20.6. 
As soon as the nixpkgs PR that updates to go 1.20.7 (https://github.com/NixOS/nixpkgs/pull/246663) is in Ghaf, this issue should no longer be included in the reports.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/253738" -"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-39319","https://nvd.nist.gov/vuln/detail/CVE-2023-39319","go","6.1","1.17.13-linux-amd64-bootstrap","1.21.1","1.21.1","go","2023A0000039319","False","","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/253738" -"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-39318","https://nvd.nist.gov/vuln/detail/CVE-2023-39318","go","6.1","1.17.13-linux-amd64-bootstrap","1.21.1","1.21.1","go","2023A0000039318","False","","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/253738" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-39533","https://nvd.nist.gov/vuln/detail/CVE-2023-39533","go","7.5","1.17.13-linux-amd64-bootstrap","1.21.1","1.21.2","go","2023A0000039533","False","It's unclear if the vulnerable go pacakge 'go-libp2p' is actually used by anything Ghaf depends-on. The issue is included here, since NVD CPE refers go compiler 'golang:go' up to version 1.20.6. 
As soon as the nixpkgs PR that updates to go 1.20.7 (https://github.com/NixOS/nixpkgs/pull/246663) is in Ghaf, this issue should no longer be included in the reports.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/253738" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-39319","https://nvd.nist.gov/vuln/detail/CVE-2023-39319","go","6.1","1.17.13-linux-amd64-bootstrap","1.21.1","1.21.2","go","2023A0000039319","False","","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/253738" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-39318","https://nvd.nist.gov/vuln/detail/CVE-2023-39318","go","6.1","1.17.13-linux-amd64-bootstrap","1.21.1","1.21.2","go","2023A0000039318","False","","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/253738" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-38858","https://nvd.nist.gov/vuln/detail/CVE-2023-38858","faad2","6.5","2.10.1","2.10.1","2.10.1","faad2","2023A0000038858","False","","fix_not_available","" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-38857","https://nvd.nist.gov/vuln/detail/CVE-2023-38857","faad2","5.5","2.10.1","2.10.1","2.10.1","faad2","2023A0000038857","False","","fix_not_available","" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-38039","https://nvd.nist.gov/vuln/detail/CVE-2023-38039","curl","7.5","8.1.1","8.3.0","8.3.0","curl","2023A0000038039","False","","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/254962 
@@ -29,7 +30,7 @@ https://github.com/NixOS/nixpkgs/pull/256402" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-30571","https://nvd.nist.gov/vuln/detail/CVE-2023-30571","libarchive","5.3","3.6.2","3.6.2","3.7.2","libarchive","2023A0000030571","False","No upstream fix available, see: https://github.com/libarchive/libarchive/issues/1876.","fix_update_to_version_upstream","https://github.com/NixOS/nixpkgs/pull/244713 https://github.com/NixOS/nixpkgs/pull/256930" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-30402","https://nvd.nist.gov/vuln/detail/CVE-2023-30402","yasm","5.5","1.3.0","","","","2023A0000030402","True","Crash in CLI tool, no security impact.","err_missing_repology_version","" -"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-29409","https://nvd.nist.gov/vuln/detail/CVE-2023-29409","go","5.3","1.17.13-linux-amd64-bootstrap","1.21.1","1.21.1","go","2023A0000029409","False","See: https://github.com/golang/go/issues/61580, fixed by update to go 1.20.7: nixpkgs PR https://github.com/NixOS/nixpkgs/pull/246663.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/247034 +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-29409","https://nvd.nist.gov/vuln/detail/CVE-2023-29409","go","5.3","1.17.13-linux-amd64-bootstrap","1.21.1","1.21.2","go","2023A0000029409","False","See: https://github.com/golang/go/issues/61580, fixed by update to go 1.20.7: nixpkgs PR https://github.com/NixOS/nixpkgs/pull/246663.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/247034 https://github.com/NixOS/nixpkgs/pull/253738" 
"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-29406","https://nvd.nist.gov/vuln/detail/CVE-2023-29406","go","6.5","1.17.13-linux-amd64-bootstrap","","","","2023A0000029406","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version","" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-29405","https://nvd.nist.gov/vuln/detail/CVE-2023-29405","go","9.8","1.17.13-linux-amd64-bootstrap","","","","2023A0000029405","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version","" 
@@ -37,7 +38,8 @@ https://github.com/NixOS/nixpkgs/pull/253738" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-29403","https://nvd.nist.gov/vuln/detail/CVE-2023-29403","go","7.8","1.17.13-linux-amd64-bootstrap","","","","2023A0000029403","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version","" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-29402","https://nvd.nist.gov/vuln/detail/CVE-2023-29402","go","9.8","1.17.13-linux-amd64-bootstrap","","","","2023A0000029402","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version","" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-29400","https://nvd.nist.gov/vuln/detail/CVE-2023-29400","go","7.3","1.17.13-linux-amd64-bootstrap","","","","2023A0000029400","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version","" -"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-29383","https://nvd.nist.gov/vuln/detail/CVE-2023-29383","shadow","3.3","4.13","4.14.0","4.14.0","shadow","2023A0000029383","False","Pending merge for nixpkgs master PR: https://github.com/NixOS/nixpkgs/pull/233924. TODO: consider taking the upstream version update to 4.14 instead: https://github.com/shadow-maint/shadow/releases.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/254143" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-29383","https://nvd.nist.gov/vuln/detail/CVE-2023-29383","shadow","3.3","4.13","4.14.0","4.14.1","shadow","2023A0000029383","False","Pending merge for nixpkgs master PR: https://github.com/NixOS/nixpkgs/pull/233924. 
TODO: consider taking the upstream version update to 4.14 instead: https://github.com/shadow-maint/shadow/releases.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/254143" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-28450","https://nvd.nist.gov/vuln/detail/CVE-2023-28450","dnsmasq","7.5","2.89","2.89","2.89","dnsmasq","2023A0000028450","False","","fix_not_available","" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-28322","https://nvd.nist.gov/vuln/detail/CVE-2023-28322","curl","3.7","0.4.44","","","","2023A0000028322","False","","err_missing_repology_version","https://github.com/NixOS/nixpkgs/pull/232531 https://github.com/NixOS/nixpkgs/pull/232535" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-28321","https://nvd.nist.gov/vuln/detail/CVE-2023-28321","curl","5.9","0.4.44","","","","2023A0000028321","False","","err_missing_repology_version","https://github.com/NixOS/nixpkgs/pull/232531 
@@ -57,6 +59,7 @@ https://github.com/NixOS/nixpkgs/pull/232535" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-24536","https://nvd.nist.gov/vuln/detail/CVE-2023-24536","go","7.5","1.17.13-linux-amd64-bootstrap","","","","2023A0000024536","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version","" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-24534","https://nvd.nist.gov/vuln/detail/CVE-2023-24534","go","7.5","1.17.13-linux-amd64-bootstrap","","","","2023A0000024534","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version","" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-24532","https://nvd.nist.gov/vuln/detail/CVE-2023-24532","go","5.3","1.17.13-linux-amd64-bootstrap","","","","2023A0000024532","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-5344","https://nvd.nist.gov/vuln/detail/CVE-2023-5344","vim","7.5","9.0.1441","9.0.1897","9.0.1976","vim","2023A0000005344","False","","fix_update_to_version_upstream","" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-5156","https://nvd.nist.gov/vuln/detail/CVE-2023-5156","glibc","7.5","2.37-8","2.37-8","2.38","glibc","2023A0000005156","False","","fix_not_available","" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-4807","https://nvd.nist.gov/vuln/detail/CVE-2023-4807","openssl","7.8","3.0.10","3.0.10","3.1.3","openssl","2023A0000004807","False","","fix_update_to_version_upstream","https://github.com/NixOS/nixpkgs/pull/254106 https://github.com/NixOS/nixpkgs/pull/254185 
@@ -148,11 +151,14 @@ https://github.com/NixOS/nixpkgs/pull/170659" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2022-0856","https://nvd.nist.gov/vuln/detail/CVE-2022-0856","libcaca","6.5","0.99.beta20","","","","2022A0000000856","True","Crash in CLI tool, no security impact.","err_missing_repology_version","" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","OSV-2022-842","https://osv.dev/OSV-2022-842","wolfssl","","5.5.4","5.6.3","5.6.3","wolfssl","2022A0000000842","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology","" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","OSV-2022-819","https://osv.dev/OSV-2022-819","libraw","","0.21.1","0.21.1","0.21.1","libraw","2022A0000000819","False","","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","OSV-2022-785","https://osv.dev/OSV-2022-785","dnsmasq","","2.89","2.89","2.89","dnsmasq","2022A0000000785","False","","err_not_vulnerable_based_on_repology","" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","OSV-2022-725","https://osv.dev/OSV-2022-725","libjxl","","0.8.2","0.8.2","0.8.2","libjxl","2022A0000000725","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology","" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","OSV-2022-608","https://osv.dev/OSV-2022-608","libjxl","","0.8.2","0.8.2","0.8.2","libjxl","2022A0000000608","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology","" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","OSV-2022-581","https://osv.dev/OSV-2022-581","qemu","","8.0.5","8.1.1","8.1.1","qemu","2022A0000000581","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology","" 
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","OSV-2022-572","https://osv.dev/OSV-2022-572","dnsmasq","","2.89","2.89","2.89","dnsmasq","2022A0000000572","False","","err_not_vulnerable_based_on_repology","" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","OSV-2022-416","https://osv.dev/OSV-2022-416","openjpeg","","2.5.0","","","","2022A0000000416","True","Fixed based on https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47500#c2.","err_missing_repology_version","" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","OSV-2022-394","https://osv.dev/OSV-2022-394","opencv","","4.7.0","4.7.0","4.8.1","opencv","2022A0000000394","False","No attention from upstream: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47190.","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","OSV-2022-312","https://osv.dev/OSV-2022-312","dnsmasq","","2.89","2.89","2.89","dnsmasq","2022A0000000312","False","","err_not_vulnerable_based_on_repology","" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","OSV-2022-193","https://osv.dev/OSV-2022-193","w3m","","0.5.3+git20230121","0.5.3+git20230121","0.5.3+git20230121","w3m","2022A0000000193","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology","" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","OSV-2022-183","https://osv.dev/OSV-2022-183","binutils","","2.40","","","","2022A0000000183","True","Fixed based on https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=44864#c2.","err_missing_repology_version","" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","GHSA-mc7w-4cjf-c973","https://osv.dev/GHSA-mc7w-4cjf-c973","opencv","","4.7.0","","","","2021A1633564800","True","Incorrect package: Issue refers node-opencv, 
whereas, nixpkgs refers opencv https://github.com/opencv/opencv.","err_missing_repology_version","" 
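Review bot: the three added dnsmasq rows (OSV-2022-785, OSV-2022-572, OSV-2022-312) are classified err_not_vulnerable_based_on_repology with version_local = version_nixpkgs = version_upstream = 2.89, while CVE-2023-28450 for the identical dnsmasq 2.89 triplet is classified fix_not_available elsewhere in this diff; the repology classification therefore only says that 2.89 is the newest known release, not that these OSV reports were verified as fixed. The libjxl and w3m rows in the same state carry "Unclear if this is still valid." and the openjpeg/binutils OSV rows cite the oss-fuzz tracker entry confirming the fix; give the dnsmasq rows the same treatment (either a tracker reference or the "Unclear" note) rather than an empty whitelist_comment.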
@@ -367,9 +373,9 @@ https://github.com/NixOS/nixpkgs/pull/84664" https://github.com/NixOS/nixpkgs/pull/258350" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2023-41330","https://nvd.nist.gov/vuln/detail/CVE-2023-41330","snappy","9.8","1.1.10","","","","2023A0000041330","True","Incorrect package: Issue concerns snappy php library: https://github.com/KnpLabs/snappy, whereas, nixpkgs ""snappy"" refers snappy compression library: https://google.github.io/snappy/. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96.","err_missing_repology_version","" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2023-39742","https://nvd.nist.gov/vuln/detail/CVE-2023-39742","giflib","5.5","5.2.1","5.2.1","5.2.1","giflib","2023A0000039742","False","","fix_not_available","" -"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2023-39533","https://nvd.nist.gov/vuln/detail/CVE-2023-39533","go","7.5","1.17.13-linux-amd64-bootstrap","1.21.1","1.21.1","go","2023A0000039533","False","It's unclear if the vulnerable go pacakge 'go-libp2p' is actually used by anything Ghaf depends-on. The issue is included here, since NVD CPE refers go compiler 'golang:go' up to version 1.20.6. 
As soon as the nixpkgs PR that updates to go 1.20.7 (https://github.com/NixOS/nixpkgs/pull/246663) is in Ghaf, this issue should no longer be included in the reports.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/253738" -"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2023-39319","https://nvd.nist.gov/vuln/detail/CVE-2023-39319","go","6.1","1.17.13-linux-amd64-bootstrap","1.21.1","1.21.1","go","2023A0000039319","False","","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/253738" -"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2023-39318","https://nvd.nist.gov/vuln/detail/CVE-2023-39318","go","6.1","1.17.13-linux-amd64-bootstrap","1.21.1","1.21.1","go","2023A0000039318","False","","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/253738" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2023-39533","https://nvd.nist.gov/vuln/detail/CVE-2023-39533","go","7.5","1.17.13-linux-amd64-bootstrap","1.21.1","1.21.2","go","2023A0000039533","False","It's unclear if the vulnerable go pacakge 'go-libp2p' is actually used by anything Ghaf depends-on. The issue is included here, since NVD CPE refers go compiler 'golang:go' up to version 1.20.6. 
As soon as the nixpkgs PR that updates to go 1.20.7 (https://github.com/NixOS/nixpkgs/pull/246663) is in Ghaf, this issue should no longer be included in the reports.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/253738" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2023-39319","https://nvd.nist.gov/vuln/detail/CVE-2023-39319","go","6.1","1.17.13-linux-amd64-bootstrap","1.21.1","1.21.2","go","2023A0000039319","False","","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/253738" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2023-39318","https://nvd.nist.gov/vuln/detail/CVE-2023-39318","go","6.1","1.17.13-linux-amd64-bootstrap","1.21.1","1.21.2","go","2023A0000039318","False","","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/253738" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2023-38858","https://nvd.nist.gov/vuln/detail/CVE-2023-38858","faad2","6.5","2.10.1","2.10.1","2.10.1","faad2","2023A0000038858","False","","fix_not_available","" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2023-38857","https://nvd.nist.gov/vuln/detail/CVE-2023-38857","faad2","5.5","2.10.1","2.10.1","2.10.1","faad2","2023A0000038857","False","","fix_not_available","" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2023-38039","https://nvd.nist.gov/vuln/detail/CVE-2023-38039","curl","7.5","8.1.1","8.3.0","8.3.0","curl","2023A0000038039","False","","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/254962 
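Review bot: only version_upstream moves from 1.21.1 to 1.21.2 here, but the whitelist_comment on CVE-2023-39533 is stale: it says the issue should drop out once the go 1.20.7 PR (246663) is in Ghaf, yet version_nixpkgs is already 1.21.1 and the row persists because version_local is the 1.17.13-linux-amd64-bootstrap toolchain. The other rows for that same bootstrap go (CVE-2023-29406, 29405, 24536 and so on) are whitelisted True with "See the discussion in: PR 241776", while these three (39533, 39319, 39318) stay False; either whitelist them consistently or rewrite the comment to say the bootstrap compiler is what is being flagged. The comment also misspells "pacakge".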
@@ -390,7 +396,7 @@ https://github.com/NixOS/nixpkgs/pull/256402" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2023-30571","https://nvd.nist.gov/vuln/detail/CVE-2023-30571","libarchive","5.3","3.6.2","3.6.2","3.7.2","libarchive","2023A0000030571","False","No upstream fix available, see: https://github.com/libarchive/libarchive/issues/1876.","fix_update_to_version_upstream","https://github.com/NixOS/nixpkgs/pull/244713 https://github.com/NixOS/nixpkgs/pull/256930" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2023-30402","https://nvd.nist.gov/vuln/detail/CVE-2023-30402","yasm","5.5","1.3.0","","","","2023A0000030402","True","Crash in CLI tool, no security impact.","err_missing_repology_version","" -"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2023-29409","https://nvd.nist.gov/vuln/detail/CVE-2023-29409","go","5.3","1.17.13-linux-amd64-bootstrap","1.21.1","1.21.1","go","2023A0000029409","False","See: https://github.com/golang/go/issues/61580, fixed by update to go 1.20.7: nixpkgs PR https://github.com/NixOS/nixpkgs/pull/246663.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/247034 +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2023-29409","https://nvd.nist.gov/vuln/detail/CVE-2023-29409","go","5.3","1.17.13-linux-amd64-bootstrap","1.21.1","1.21.2","go","2023A0000029409","False","See: https://github.com/golang/go/issues/61580, fixed by update to go 1.20.7: nixpkgs PR https://github.com/NixOS/nixpkgs/pull/246663.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/247034 https://github.com/NixOS/nixpkgs/pull/253738" 
"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2023-29406","https://nvd.nist.gov/vuln/detail/CVE-2023-29406","go","6.5","1.17.13-linux-amd64-bootstrap","","","","2023A0000029406","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version","" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2023-29405","https://nvd.nist.gov/vuln/detail/CVE-2023-29405","go","9.8","1.17.13-linux-amd64-bootstrap","","","","2023A0000029405","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version","" 
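Review bot: the CVE-2023-29409 comment ("fixed by update to go 1.20.7") no longer explains why the row is still present, since version_nixpkgs is 1.21.1 and the flagged version_local is 1.17.13-linux-amd64-bootstrap; the neighbouring CVE-2023-29406 and CVE-2023-29405 rows for the same bootstrap version are whitelisted via the PR 241776 discussion, so this row should either be whitelisted the same way or its comment should name the bootstrap toolchain as the reason it remains.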
@@ -398,7 +404,8 @@ https://github.com/NixOS/nixpkgs/pull/253738" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2023-29403","https://nvd.nist.gov/vuln/detail/CVE-2023-29403","go","7.8","1.17.13-linux-amd64-bootstrap","","","","2023A0000029403","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version","" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2023-29402","https://nvd.nist.gov/vuln/detail/CVE-2023-29402","go","9.8","1.17.13-linux-amd64-bootstrap","","","","2023A0000029402","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version","" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2023-29400","https://nvd.nist.gov/vuln/detail/CVE-2023-29400","go","7.3","1.17.13-linux-amd64-bootstrap","","","","2023A0000029400","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version","" -"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2023-29383","https://nvd.nist.gov/vuln/detail/CVE-2023-29383","shadow","3.3","4.13","4.14.0","4.14.0","shadow","2023A0000029383","False","Pending merge for nixpkgs master PR: https://github.com/NixOS/nixpkgs/pull/233924. TODO: consider taking the upstream version update to 4.14 instead: https://github.com/shadow-maint/shadow/releases.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/254143" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2023-29383","https://nvd.nist.gov/vuln/detail/CVE-2023-29383","shadow","3.3","4.13","4.14.0","4.14.1","shadow","2023A0000029383","False","Pending merge for nixpkgs master PR: https://github.com/NixOS/nixpkgs/pull/233924. 
TODO: consider taking the upstream version update to 4.14 instead: https://github.com/shadow-maint/shadow/releases.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/254143" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2023-28450","https://nvd.nist.gov/vuln/detail/CVE-2023-28450","dnsmasq","7.5","2.89","2.89","2.89","dnsmasq","2023A0000028450","False","","fix_not_available","" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2023-28322","https://nvd.nist.gov/vuln/detail/CVE-2023-28322","curl","3.7","0.4.44","","","","2023A0000028322","False","","err_missing_repology_version","https://github.com/NixOS/nixpkgs/pull/232531 https://github.com/NixOS/nixpkgs/pull/232535" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2023-28321","https://nvd.nist.gov/vuln/detail/CVE-2023-28321","curl","5.9","0.4.44","","","","2023A0000028321","False","","err_missing_repology_version","https://github.com/NixOS/nixpkgs/pull/232531 
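Review bot: the shadow CVE-2023-29383 comment is out of date in two ways that this hunk (which only bumps version_upstream 4.14.0 to 4.14.1) does not address: the "TODO: consider taking the upstream version update to 4.14" is moot because version_nixpkgs is already 4.14.0, and "Pending merge for nixpkgs master PR 233924" disagrees with the nixpkgs_pr column, which cites 254143. Reconcile the PR references and drop the TODO. The added CVE-2023-28450 dnsmasq row for lock_updated repeats the same empty-comment fix_not_available entry as the current pintype; one triage sentence would carry across all three pintypes.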
@@ -418,6 +425,7 @@ https://github.com/NixOS/nixpkgs/pull/232535" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2023-24536","https://nvd.nist.gov/vuln/detail/CVE-2023-24536","go","7.5","1.17.13-linux-amd64-bootstrap","","","","2023A0000024536","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version","" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2023-24534","https://nvd.nist.gov/vuln/detail/CVE-2023-24534","go","7.5","1.17.13-linux-amd64-bootstrap","","","","2023A0000024534","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version","" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2023-24532","https://nvd.nist.gov/vuln/detail/CVE-2023-24532","go","5.3","1.17.13-linux-amd64-bootstrap","","","","2023A0000024532","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2023-5344","https://nvd.nist.gov/vuln/detail/CVE-2023-5344","vim","7.5","9.0.1441","9.0.1897","9.0.1976","vim","2023A0000005344","False","","fix_update_to_version_upstream","" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2023-5156","https://nvd.nist.gov/vuln/detail/CVE-2023-5156","glibc","7.5","2.37-8","2.37-8","2.38","glibc","2023A0000005156","False","","fix_not_available","" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2023-4807","https://nvd.nist.gov/vuln/detail/CVE-2023-4807","openssl","7.8","3.0.10","3.0.10","3.1.3","openssl","2023A0000004807","False","","fix_update_to_version_upstream","https://github.com/NixOS/nixpkgs/pull/254106 https://github.com/NixOS/nixpkgs/pull/254185 
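Review bot: for the lock_updated vim CVE-2023-5344 row the classification fix_update_to_version_upstream sits next to version_nixpkgs 9.0.1897, which is newer than version_local 9.0.1441; if 9.0.1897 is itself unfixed, say so in whitelist_comment together with the version that fixes it, otherwise the row should read fix_update_to_version_nixpkgs.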
@@ -509,11 +517,14 @@ https://github.com/NixOS/nixpkgs/pull/170659" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2022-0856","https://nvd.nist.gov/vuln/detail/CVE-2022-0856","libcaca","6.5","0.99.beta20","","","","2022A0000000856","True","Crash in CLI tool, no security impact.","err_missing_repology_version","" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","OSV-2022-842","https://osv.dev/OSV-2022-842","wolfssl","","5.5.4","5.6.3","5.6.3","wolfssl","2022A0000000842","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology","" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","OSV-2022-819","https://osv.dev/OSV-2022-819","libraw","","0.21.1","0.21.1","0.21.1","libraw","2022A0000000819","False","","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","OSV-2022-785","https://osv.dev/OSV-2022-785","dnsmasq","","2.89","2.89","2.89","dnsmasq","2022A0000000785","False","","err_not_vulnerable_based_on_repology","" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","OSV-2022-725","https://osv.dev/OSV-2022-725","libjxl","","0.8.2","0.8.2","0.8.2","libjxl","2022A0000000725","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology","" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","OSV-2022-608","https://osv.dev/OSV-2022-608","libjxl","","0.8.2","0.8.2","0.8.2","libjxl","2022A0000000608","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology","" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","OSV-2022-581","https://osv.dev/OSV-2022-581","qemu","","8.0.5","8.1.1","8.1.1","qemu","2022A0000000581","False","Unclear if this is still 
valid.","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","OSV-2022-572","https://osv.dev/OSV-2022-572","dnsmasq","","2.89","2.89","2.89","dnsmasq","2022A0000000572","False","","err_not_vulnerable_based_on_repology","" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","OSV-2022-416","https://osv.dev/OSV-2022-416","openjpeg","","2.5.0","","","","2022A0000000416","True","Fixed based on https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47500#c2.","err_missing_repology_version","" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","OSV-2022-394","https://osv.dev/OSV-2022-394","opencv","","4.7.0","4.7.0","4.8.1","opencv","2022A0000000394","False","No attention from upstream: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47190.","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","OSV-2022-312","https://osv.dev/OSV-2022-312","dnsmasq","","2.89","2.89","2.89","dnsmasq","2022A0000000312","False","","err_not_vulnerable_based_on_repology","" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","OSV-2022-193","https://osv.dev/OSV-2022-193","w3m","","0.5.3+git20230121","0.5.3+git20230121","0.5.3+git20230121","w3m","2022A0000000193","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology","" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","OSV-2022-183","https://osv.dev/OSV-2022-183","binutils","","2.40","","","","2022A0000000183","True","Fixed based on https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=44864#c2.","err_missing_repology_version","" 
"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","GHSA-mc7w-4cjf-c973","https://osv.dev/GHSA-mc7w-4cjf-c973","opencv","","4.7.0","","","","2021A1633564800","True","Incorrect package: Issue refers node-opencv, whereas, nixpkgs refers opencv https://github.com/opencv/opencv.","err_missing_repology_version","" 
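Review bot: the lock_updated dnsmasq OSV-2022-785/572/312 rows land with an empty whitelist_comment under err_not_vulnerable_based_on_repology, while the surrounding openjpeg (OSV-2022-416) and binutils (OSV-2022-183) rows record the oss-fuzz tracker entry that confirms their fix; with all three dnsmasq versions at 2.89 there is nothing in the row showing the reports were checked, so add either the tracker reference or the "Unclear if this is still valid." note used for libjxl and w3m.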
@@ -727,9 +738,9 @@ https://github.com/NixOS/nixpkgs/pull/84664" https://github.com/NixOS/nixpkgs/pull/258350" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2023-41330","https://nvd.nist.gov/vuln/detail/CVE-2023-41330","snappy","9.8","1.1.10","","","","2023A0000041330","True","Incorrect package: Issue concerns snappy php library: https://github.com/KnpLabs/snappy, whereas, nixpkgs ""snappy"" refers snappy compression library: https://google.github.io/snappy/. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96.","err_missing_repology_version","" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2023-39742","https://nvd.nist.gov/vuln/detail/CVE-2023-39742","giflib","5.5","5.2.1","5.2.1","5.2.1","giflib","2023A0000039742","False","","fix_not_available","" -"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2023-39533","https://nvd.nist.gov/vuln/detail/CVE-2023-39533","go","7.5","1.17.13-linux-amd64-bootstrap","1.21.1","1.21.1","go","2023A0000039533","False","It's unclear if the vulnerable go pacakge 'go-libp2p' is actually used by anything Ghaf depends-on. The issue is included here, since NVD CPE refers go compiler 'golang:go' up to version 1.20.6. 
As soon as the nixpkgs PR that updates to go 1.20.7 (https://github.com/NixOS/nixpkgs/pull/246663) is in Ghaf, this issue should no longer be included in the reports.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/253738" -"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2023-39319","https://nvd.nist.gov/vuln/detail/CVE-2023-39319","go","6.1","1.17.13-linux-amd64-bootstrap","1.21.1","1.21.1","go","2023A0000039319","False","","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/253738" -"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2023-39318","https://nvd.nist.gov/vuln/detail/CVE-2023-39318","go","6.1","1.17.13-linux-amd64-bootstrap","1.21.1","1.21.1","go","2023A0000039318","False","","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/253738" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2023-39533","https://nvd.nist.gov/vuln/detail/CVE-2023-39533","go","7.5","1.17.13-linux-amd64-bootstrap","1.21.1","1.21.2","go","2023A0000039533","False","It's unclear if the vulnerable go pacakge 'go-libp2p' is actually used by anything Ghaf depends-on. The issue is included here, since NVD CPE refers go compiler 'golang:go' up to version 1.20.6. 
As soon as the nixpkgs PR that updates to go 1.20.7 (https://github.com/NixOS/nixpkgs/pull/246663) is in Ghaf, this issue should no longer be included in the reports.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/253738" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2023-39319","https://nvd.nist.gov/vuln/detail/CVE-2023-39319","go","6.1","1.17.13-linux-amd64-bootstrap","1.21.1","1.21.2","go","2023A0000039319","False","","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/253738" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2023-39318","https://nvd.nist.gov/vuln/detail/CVE-2023-39318","go","6.1","1.17.13-linux-amd64-bootstrap","1.21.1","1.21.2","go","2023A0000039318","False","","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/253738" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2023-38858","https://nvd.nist.gov/vuln/detail/CVE-2023-38858","faad2","6.5","2.10.1","2.10.1","2.10.1","faad2","2023A0000038858","False","","fix_not_available","" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2023-38857","https://nvd.nist.gov/vuln/detail/CVE-2023-38857","faad2","5.5","2.10.1","2.10.1","2.10.1","faad2","2023A0000038857","False","","fix_not_available","" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2023-37769","https://nvd.nist.gov/vuln/detail/CVE-2023-37769","pixman","6.5","0.42.2","0.42.2","0.42.2","pixman","2023A0000037769","False","See: https://gitlab.freedesktop.org/pixman/pixman/-/issues/76: ""This somehow got assigned CVE-2023-37769, not sure why NVD keeps assigning CVEs like this. This is just a test executable"".","err_not_vulnerable_based_on_repology","" 
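Review bot: the nix_unstable CVE-2023-39533/39319/39318 rows change only version_upstream (1.21.1 to 1.21.2) and keep the stale comment about waiting for the go 1.20.7 PR (246663), although version_nixpkgs is already 1.21.1; the rows remain because version_local is 1.17.13-linux-amd64-bootstrap, which the comment should state, and the whitelist value (False) differs from the other bootstrap-go rows in this pintype that are whitelisted True via PR 241776. The "pacakge" typo is carried over unchanged as well.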
@@ -740,7 +751,7 @@ https://github.com/NixOS/nixpkgs/pull/258350" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2023-30571","https://nvd.nist.gov/vuln/detail/CVE-2023-30571","libarchive","5.3","3.6.2","3.6.2","3.7.2","libarchive","2023A0000030571","False","No upstream fix available, see: https://github.com/libarchive/libarchive/issues/1876.","fix_update_to_version_upstream","https://github.com/NixOS/nixpkgs/pull/244713 https://github.com/NixOS/nixpkgs/pull/256930" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2023-30402","https://nvd.nist.gov/vuln/detail/CVE-2023-30402","yasm","5.5","1.3.0","","","","2023A0000030402","True","Crash in CLI tool, no security impact.","err_missing_repology_version","" -"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2023-29409","https://nvd.nist.gov/vuln/detail/CVE-2023-29409","go","5.3","1.17.13-linux-amd64-bootstrap","1.21.1","1.21.1","go","2023A0000029409","False","See: https://github.com/golang/go/issues/61580, fixed by update to go 1.20.7: nixpkgs PR https://github.com/NixOS/nixpkgs/pull/246663.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/247034 +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2023-29409","https://nvd.nist.gov/vuln/detail/CVE-2023-29409","go","5.3","1.17.13-linux-amd64-bootstrap","1.21.1","1.21.2","go","2023A0000029409","False","See: https://github.com/golang/go/issues/61580, fixed by update to go 1.20.7: nixpkgs PR https://github.com/NixOS/nixpkgs/pull/246663.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/247034 https://github.com/NixOS/nixpkgs/pull/253738" 
"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2023-29406","https://nvd.nist.gov/vuln/detail/CVE-2023-29406","go","6.5","1.17.13-linux-amd64-bootstrap","","","","2023A0000029406","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version","" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2023-29405","https://nvd.nist.gov/vuln/detail/CVE-2023-29405","go","9.8","1.17.13-linux-amd64-bootstrap","","","","2023A0000029405","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version","" 
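Review bot: the nix_unstable CVE-2023-29409 row keeps the comment "fixed by update to go 1.20.7" while its version_nixpkgs is 1.21.1 and version_local is the 1.17.13 bootstrap toolchain; the next two rows (CVE-2023-29406, CVE-2023-29405) for the same bootstrap go are whitelisted with the PR 241776 discussion, so align this row with them or update the comment to explain why it stays unwhitelisted.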
@@ -748,6 +759,7 @@ https://github.com/NixOS/nixpkgs/pull/253738" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2023-29403","https://nvd.nist.gov/vuln/detail/CVE-2023-29403","go","7.8","1.17.13-linux-amd64-bootstrap","","","","2023A0000029403","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version","" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2023-29402","https://nvd.nist.gov/vuln/detail/CVE-2023-29402","go","9.8","1.17.13-linux-amd64-bootstrap","","","","2023A0000029402","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version","" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2023-29400","https://nvd.nist.gov/vuln/detail/CVE-2023-29400","go","7.3","1.17.13-linux-amd64-bootstrap","","","","2023A0000029400","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2023-28450","https://nvd.nist.gov/vuln/detail/CVE-2023-28450","dnsmasq","7.5","2.89","2.89","2.89","dnsmasq","2023A0000028450","False","","fix_not_available","" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2023-28322","https://nvd.nist.gov/vuln/detail/CVE-2023-28322","curl","3.7","0.4.44","","","","2023A0000028322","False","","err_missing_repology_version","https://github.com/NixOS/nixpkgs/pull/232531 https://github.com/NixOS/nixpkgs/pull/232535" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2023-28321","https://nvd.nist.gov/vuln/detail/CVE-2023-28321","curl","5.9","0.4.44","","","","2023A0000028321","False","","err_missing_repology_version","https://github.com/NixOS/nixpkgs/pull/232531 
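Review bot: the nix_unstable CVE-2023-28450 dnsmasq row is the third copy of a 7.5 fix_not_available finding with an empty whitelist_comment and identical 2.89/2.89/2.89 versions; add a short note of what upstream status was checked so the row documents its own triage, as the libarchive CVE-2023-30571 row does.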
@@ -767,6 +779,7 @@ https://github.com/NixOS/nixpkgs/pull/232535" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2023-24536","https://nvd.nist.gov/vuln/detail/CVE-2023-24536","go","7.5","1.17.13-linux-amd64-bootstrap","","","","2023A0000024536","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version","" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2023-24534","https://nvd.nist.gov/vuln/detail/CVE-2023-24534","go","7.5","1.17.13-linux-amd64-bootstrap","","","","2023A0000024534","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version","" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2023-24532","https://nvd.nist.gov/vuln/detail/CVE-2023-24532","go","5.3","1.17.13-linux-amd64-bootstrap","","","","2023A0000024532","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2023-5344","https://nvd.nist.gov/vuln/detail/CVE-2023-5344","vim","7.5","9.0.1897","9.0.1897","9.0.1976","vim","2023A0000005344","False","","fix_update_to_version_upstream","" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2023-5156","https://nvd.nist.gov/vuln/detail/CVE-2023-5156","glibc","7.5","2.37-8","2.37-8","2.38","glibc","2023A0000005156","False","","fix_not_available","" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2023-4807","https://nvd.nist.gov/vuln/detail/CVE-2023-4807","openssl","7.8","3.0.10","3.0.10","3.1.3","openssl","2023A0000004807","False","","fix_update_to_version_upstream","https://github.com/NixOS/nixpkgs/pull/254106 https://github.com/NixOS/nixpkgs/pull/254185 
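Review bot: here version_local for vim is 9.0.1897, equal to version_nixpkgs, so fix_update_to_version_upstream is internally consistent; that implies 9.0.1897 does not contain the CVE-2023-5344 fix, which in turn means the current and lock_updated rows for the same CVE (version_local 9.0.1441) are right to point at upstream too. Put the fixing vim version into whitelist_comment once so all three rows explain themselves, and fill nixpkgs_pr if an update PR exists.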
@@ -846,13 +859,16 @@ https://github.com/NixOS/nixpkgs/pull/170659" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","OSV-2022-859","https://osv.dev/OSV-2022-859","bluez","","5.66","5.66","5.70","bluez","2022A0000000859","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology","" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","OSV-2022-842","https://osv.dev/OSV-2022-842","wolfssl","","5.6.3","5.6.3","5.6.3","wolfssl","2022A0000000842","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology","" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","OSV-2022-819","https://osv.dev/OSV-2022-819","libraw","","0.21.1","0.21.1","0.21.1","libraw","2022A0000000819","False","","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","OSV-2022-785","https://osv.dev/OSV-2022-785","dnsmasq","","2.89","2.89","2.89","dnsmasq","2022A0000000785","False","","err_not_vulnerable_based_on_repology","" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","OSV-2022-725","https://osv.dev/OSV-2022-725","libjxl","","0.8.2","0.8.2","0.8.2","libjxl","2022A0000000725","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology","" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","OSV-2022-608","https://osv.dev/OSV-2022-608","libjxl","","0.8.2","0.8.2","0.8.2","libjxl","2022A0000000608","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology","" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","OSV-2022-581","https://osv.dev/OSV-2022-581","qemu","","8.1.1","8.1.1","8.1.1","qemu","2022A0000000581","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology","" 
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","OSV-2022-572","https://osv.dev/OSV-2022-572","dnsmasq","","2.89","2.89","2.89","dnsmasq","2022A0000000572","False","","err_not_vulnerable_based_on_repology","" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","OSV-2022-530","https://osv.dev/OSV-2022-530","espeak-ng","","1.51.1","1.51.1","1.51.1","espeak-ng","2022A0000000530","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology","" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","OSV-2022-519","https://osv.dev/OSV-2022-519","espeak-ng","","1.51.1","1.51.1","1.51.1","espeak-ng","2022A0000000519","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology","" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","OSV-2022-462","https://osv.dev/OSV-2022-462","espeak-ng","","1.51.1","1.51.1","1.51.1","espeak-ng","2022A0000000462","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology","" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","OSV-2022-416","https://osv.dev/OSV-2022-416","openjpeg","","2.5.0","","","","2022A0000000416","True","Fixed based on https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47500#c2.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","OSV-2022-312","https://osv.dev/OSV-2022-312","dnsmasq","","2.89","2.89","2.89","dnsmasq","2022A0000000312","False","","err_not_vulnerable_based_on_repology","" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","OSV-2022-193","https://osv.dev/OSV-2022-193","w3m","","0.5.3+git20230121","0.5.3+git20230121","0.5.3+git20230121","w3m","2022A0000000193","False","Unclear if this is still 
valid.","err_not_vulnerable_based_on_repology","" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","OSV-2022-183","https://osv.dev/OSV-2022-183","binutils","","2.40","","","","2022A0000000183","True","Fixed based on https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=44864#c2.","err_missing_repology_version","" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2021-46312","https://nvd.nist.gov/vuln/detail/CVE-2021-46312","djvulibre","6.5","3.5.28","3.5.28","3.5.28","djvulibre","2021A0000046312","False","","fix_not_available","" 
@@ -1079,11 +1095,12 @@ https://github.com/NixOS/nixpkgs/pull/247547 https://github.com/NixOS/nixpkgs/pull/256402" "packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-30571","https://nvd.nist.gov/vuln/detail/CVE-2023-30571","libarchive","5.3","3.6.2","3.6.2","3.7.2","libarchive","2023A0000030571","False","No upstream fix available, see: https://github.com/libarchive/libarchive/issues/1876.","fix_update_to_version_upstream","https://github.com/NixOS/nixpkgs/pull/244713 https://github.com/NixOS/nixpkgs/pull/256930" -"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-29383","https://nvd.nist.gov/vuln/detail/CVE-2023-29383","shadow","3.3","4.13","4.14.0","4.14.0","shadow","2023A0000029383","False","Pending merge for nixpkgs master PR: https://github.com/NixOS/nixpkgs/pull/233924. TODO: consider taking the upstream version update to 4.14 instead: https://github.com/shadow-maint/shadow/releases.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/254143" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-29383","https://nvd.nist.gov/vuln/detail/CVE-2023-29383","shadow","3.3","4.13","4.14.0","4.14.1","shadow","2023A0000029383","False","Pending merge for nixpkgs master PR: https://github.com/NixOS/nixpkgs/pull/233924. 
TODO: consider taking the upstream version update to 4.14 instead: https://github.com/shadow-maint/shadow/releases.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/254143" "packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-25588","https://nvd.nist.gov/vuln/detail/CVE-2023-25588","binutils","5.5","2.40","2.40","2.41","binutils","2023A0000025588","False","","fix_update_to_version_upstream","" "packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-25586","https://nvd.nist.gov/vuln/detail/CVE-2023-25586","binutils","5.5","2.40","2.40","2.41","binutils","2023A0000025586","False","","fix_update_to_version_upstream","" "packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-25585","https://nvd.nist.gov/vuln/detail/CVE-2023-25585","binutils","5.5","2.40","2.40","2.41","binutils","2023A0000025585","False","","fix_update_to_version_upstream","" "packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-25584","https://nvd.nist.gov/vuln/detail/CVE-2023-25584","binutils","7.1","2.40","2.40","2.41","binutils","2023A0000025584","False","","err_not_vulnerable_based_on_repology","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-5344","https://nvd.nist.gov/vuln/detail/CVE-2023-5344","vim","7.5","9.0.1441","9.0.1897","9.0.1976","vim","2023A0000005344","False","","fix_update_to_version_upstream","" "packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-5156","https://nvd.nist.gov/vuln/detail/CVE-2023-5156","glibc","7.5","2.37-8","2.37-8","2.38","glibc","2023A0000005156","False","","fix_not_available","" 
"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-4807","https://nvd.nist.gov/vuln/detail/CVE-2023-4807","openssl","7.8","3.0.10","3.0.10","3.1.3","openssl","2023A0000004807","False","","fix_update_to_version_upstream","https://github.com/NixOS/nixpkgs/pull/254106 https://github.com/NixOS/nixpkgs/pull/254185 
@@ -1155,11 +1172,12 @@ https://github.com/NixOS/nixpkgs/pull/247547 https://github.com/NixOS/nixpkgs/pull/256402" "packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2023-30571","https://nvd.nist.gov/vuln/detail/CVE-2023-30571","libarchive","5.3","3.6.2","3.6.2","3.7.2","libarchive","2023A0000030571","False","No upstream fix available, see: https://github.com/libarchive/libarchive/issues/1876.","fix_update_to_version_upstream","https://github.com/NixOS/nixpkgs/pull/244713 https://github.com/NixOS/nixpkgs/pull/256930" -"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2023-29383","https://nvd.nist.gov/vuln/detail/CVE-2023-29383","shadow","3.3","4.13","4.14.0","4.14.0","shadow","2023A0000029383","False","Pending merge for nixpkgs master PR: https://github.com/NixOS/nixpkgs/pull/233924. TODO: consider taking the upstream version update to 4.14 instead: https://github.com/shadow-maint/shadow/releases.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/254143" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2023-29383","https://nvd.nist.gov/vuln/detail/CVE-2023-29383","shadow","3.3","4.13","4.14.0","4.14.1","shadow","2023A0000029383","False","Pending merge for nixpkgs master PR: https://github.com/NixOS/nixpkgs/pull/233924. 
TODO: consider taking the upstream version update to 4.14 instead: https://github.com/shadow-maint/shadow/releases.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/254143" "packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2023-25588","https://nvd.nist.gov/vuln/detail/CVE-2023-25588","binutils","5.5","2.40","2.40","2.41","binutils","2023A0000025588","False","","fix_update_to_version_upstream","" "packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2023-25586","https://nvd.nist.gov/vuln/detail/CVE-2023-25586","binutils","5.5","2.40","2.40","2.41","binutils","2023A0000025586","False","","fix_update_to_version_upstream","" "packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2023-25585","https://nvd.nist.gov/vuln/detail/CVE-2023-25585","binutils","5.5","2.40","2.40","2.41","binutils","2023A0000025585","False","","fix_update_to_version_upstream","" "packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2023-25584","https://nvd.nist.gov/vuln/detail/CVE-2023-25584","binutils","7.1","2.40","2.40","2.41","binutils","2023A0000025584","False","","err_not_vulnerable_based_on_repology","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2023-5344","https://nvd.nist.gov/vuln/detail/CVE-2023-5344","vim","7.5","9.0.1441","9.0.1897","9.0.1976","vim","2023A0000005344","False","","fix_update_to_version_upstream","" "packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2023-5156","https://nvd.nist.gov/vuln/detail/CVE-2023-5156","glibc","7.5","2.37-8","2.37-8","2.38","glibc","2023A0000005156","False","","fix_not_available","" 
"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2023-4807","https://nvd.nist.gov/vuln/detail/CVE-2023-4807","openssl","7.8","3.0.10","3.0.10","3.1.3","openssl","2023A0000004807","False","","fix_update_to_version_upstream","https://github.com/NixOS/nixpkgs/pull/254106 https://github.com/NixOS/nixpkgs/pull/254185 
@@ -1236,6 +1254,7 @@ https://github.com/NixOS/nixpkgs/pull/256930" "packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2023-25586","https://nvd.nist.gov/vuln/detail/CVE-2023-25586","binutils","5.5","2.40","2.40","2.41","binutils","2023A0000025586","False","","fix_update_to_version_upstream","" "packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2023-25585","https://nvd.nist.gov/vuln/detail/CVE-2023-25585","binutils","5.5","2.40","2.40","2.41","binutils","2023A0000025585","False","","fix_update_to_version_upstream","" "packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2023-25584","https://nvd.nist.gov/vuln/detail/CVE-2023-25584","binutils","7.1","2.40","2.40","2.41","binutils","2023A0000025584","False","","err_not_vulnerable_based_on_repology","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2023-5344","https://nvd.nist.gov/vuln/detail/CVE-2023-5344","vim","7.5","9.0.1897","9.0.1897","9.0.1976","vim","2023A0000005344","False","","fix_update_to_version_upstream","" "packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2023-5156","https://nvd.nist.gov/vuln/detail/CVE-2023-5156","glibc","7.5","2.37-8","2.37-8","2.38","glibc","2023A0000005156","False","","fix_not_available","" "packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2023-4807","https://nvd.nist.gov/vuln/detail/CVE-2023-4807","openssl","7.8","3.0.10","3.0.10","3.1.3","openssl","2023A0000004807","False","","fix_update_to_version_upstream","https://github.com/NixOS/nixpkgs/pull/254106 https://github.com/NixOS/nixpkgs/pull/254185 
diff --git a/reports/main/packages.riscv64-linux.microchip-icicle-kit-release.md b/reports/main/packages.riscv64-linux.microchip-icicle-kit-release.md index 6b62737..e2ee009 100644 --- a/reports/main/packages.riscv64-linux.microchip-icicle-kit-release.md +++ b/reports/main/packages.riscv64-linux.microchip-icicle-kit-release.md @@ -6,7 +6,7 @@ SPDX-License-Identifier: CC-BY-SA-4.0 # Vulnerability Report -This vulnerability report is generated for Ghaf target `github:tiiuae/ghaf?ref=main#packages.riscv64-linux.microchip-icicle-kit-release` revision https://github.com/tiiuae/ghaf/commit/362a388dc33238dd7630f620d2c1582f76140f53. The tables on this page include known vulnerabilities impacting buildtime or runtime dependencies of the given target. +This vulnerability report is generated for Ghaf target `github:tiiuae/ghaf?ref=main#packages.riscv64-linux.microchip-icicle-kit-release` revision https://github.com/tiiuae/ghaf/commit/b75a452fbd9529c0c43b6a89840fa7ef0a708f08. The tables on this page include known vulnerabilities impacting buildtime or runtime dependencies of the given target. This report is automatically generated as specified on the [Vulnerability Scan](../../.github/workflows/vulnerability-scan.yml) GitHub action workflow. It uses the tooling from [sbomnix](https://github.com/tiiuae/sbomnix) repository, such as [vulnxscan](https://github.com/tiiuae/sbomnix/tree/main/scripts/vulnxscan), as well as the manual analysis results maintained in the [manual_analysis.csv](../../manual_analysis.csv) file. 
@@ -53,7 +53,7 @@ Consider [whitelisting](../../manual_analysis.csv) possible false positives base | [CVE-2023-38039](https://nvd.nist.gov/vuln/detail/CVE-2023-38039) | curl | 7.5 | 8.1.1 | 8.3.0 | 8.3.0 | *[[PR](https://github.com/NixOS/nixpkgs/pull/254962), [PR](https://github.com/NixOS/nixpkgs/pull/254963)]* | | [CVE-2023-2609](https://nvd.nist.gov/vuln/detail/CVE-2023-2609) | vim | 5.5 | 9.0.1441 | 9.0.1897 | 9.0.1976 | Backport nixpkgs PR [link](https://github.com/NixOS/nixpkgs/pull/254666) to 23.05 once it's merged to unstable/staging. *[[PR](https://github.com/NixOS/nixpkgs/pull/254666)]* | | [CVE-2023-2426](https://nvd.nist.gov/vuln/detail/CVE-2023-2426) | vim | 5.5 | 9.0.1441 | 9.0.1897 | 9.0.1976 | Backport nixpkgs PR [link](https://github.com/NixOS/nixpkgs/pull/254666) to 23.05 once it's merged to unstable/staging. *[[PR](https://github.com/NixOS/nixpkgs/pull/254666)]* | -| [CVE-2023-29383](https://nvd.nist.gov/vuln/detail/CVE-2023-29383) | shadow | 3.3 | 4.13 | 4.14.0 | 4.14.0 | Pending merge for nixpkgs master PR: [link](https://github.com/NixOS/nixpkgs/pull/233924). TODO: consider taking the upstream version update to 4.14 instead: [link](https://github.com/shadow-maint/shadow/releases). *[[PR](https://github.com/NixOS/nixpkgs/pull/254143)]* | +| [CVE-2023-29383](https://nvd.nist.gov/vuln/detail/CVE-2023-29383) | shadow | 3.3 | 4.13 | 4.14.0 | 4.14.1 | Pending merge for nixpkgs master PR: [link](https://github.com/NixOS/nixpkgs/pull/233924). TODO: consider taking the upstream version update to 4.14 instead: [link](https://github.com/shadow-maint/shadow/releases). *[[PR](https://github.com/NixOS/nixpkgs/pull/254143)]* | 
@@ -63,7 +63,11 @@ Following table lists vulnerabilities currently impacting the Ghaf target that h Consider [whitelisting](../../manual_analysis.csv) possible false positives based on manual analysis, or - if determined valid - help nixpkgs community fix the following issues in nixpkgs: -```No vulnerabilities``` + +| vuln_id | package | severity | version_local | nix_unstable | upstream | comment | +|-----------------------------------------------------------------|-----------|------------|-----------------|----------------|------------|-----------| +| [CVE-2023-5344](https://nvd.nist.gov/vuln/detail/CVE-2023-5344) | vim | 7.5 | 9.0.1441 | 9.0.1897 | 9.0.1976 | | + ## All Vulnerabilities Impacting Ghaf 
@@ -87,6 +91,7 @@ Consider [whitelisting](../../manual_analysis.csv) possible false positives base | [CVE-2023-4733](https://nvd.nist.gov/vuln/detail/CVE-2023-4733) | vim | 7.8 | 9.0.1441 | 9.0.1897 | 9.0.1976 | Backport nixpkgs PR [link](https://github.com/NixOS/nixpkgs/pull/254666) to 23.05 once it's merged to unstable/staging. *[[PR](https://github.com/NixOS/nixpkgs/pull/254666)]* | | [CVE-2023-2610](https://nvd.nist.gov/vuln/detail/CVE-2023-2610) | vim | 7.8 | 9.0.1441 | 9.0.1897 | 9.0.1976 | Backport nixpkgs PR [link](https://github.com/NixOS/nixpkgs/pull/254666) to 23.05 once it's merged to unstable/staging. *[[PR](https://github.com/NixOS/nixpkgs/pull/254666)]* | | [CVE-2023-38039](https://nvd.nist.gov/vuln/detail/CVE-2023-38039) | curl | 7.5 | 8.1.1 | 8.3.0 | 8.3.0 | *[[PR](https://github.com/NixOS/nixpkgs/pull/254962), [PR](https://github.com/NixOS/nixpkgs/pull/254963)]* | +| [CVE-2023-5344](https://nvd.nist.gov/vuln/detail/CVE-2023-5344) | vim | 7.5 | 9.0.1441 | 9.0.1897 | 9.0.1976 | | | [CVE-2023-5156](https://nvd.nist.gov/vuln/detail/CVE-2023-5156) | glibc | 7.5 | 2.37-8 | 2.37-8 | 2.38 | | | [CVE-2023-25584](https://nvd.nist.gov/vuln/detail/CVE-2023-25584) | binutils | 7.1 | 2.40 | 2.40 | 2.41 | | | [CVE-2023-4527](https://nvd.nist.gov/vuln/detail/CVE-2023-4527) | glibc | 6.5 | 2.37-8 | 2.37-8 | 2.38 | *[[PR](https://github.com/NixOS/nixpkgs/pull/256887)]* | 
@@ -100,7 +105,7 @@ Consider [whitelisting](../../manual_analysis.csv) possible false positives base | [CVE-2020-2136](https://nvd.nist.gov/vuln/detail/CVE-2020-2136) | git | 5.4 | 2.40.1 | 2.42.0 | 2.42.0 | *[[PR](https://github.com/NixOS/nixpkgs/pull/82872), [PR](https://github.com/NixOS/nixpkgs/pull/84664)]* | | [CVE-2023-30571](https://nvd.nist.gov/vuln/detail/CVE-2023-30571) | libarchive | 5.3 | 3.6.2 | 3.6.2 | 3.7.2 | No upstream fix available, see: [link](https://github.com/libarchive/libarchive/issues/1876). *[[PR](https://github.com/NixOS/nixpkgs/pull/244713), [PR](https://github.com/NixOS/nixpkgs/pull/256930)]* | | [CVE-2023-4039](https://nvd.nist.gov/vuln/detail/CVE-2023-4039) | gcc | 4.8 | 12.2.0 | 4.6.4 | 13.2.0 | | -| [CVE-2023-29383](https://nvd.nist.gov/vuln/detail/CVE-2023-29383) | shadow | 3.3 | 4.13 | 4.14.0 | 4.14.0 | Pending merge for nixpkgs master PR: [link](https://github.com/NixOS/nixpkgs/pull/233924). TODO: consider taking the upstream version update to 4.14 instead: [link](https://github.com/shadow-maint/shadow/releases). *[[PR](https://github.com/NixOS/nixpkgs/pull/254143)]* | +| [CVE-2023-29383](https://nvd.nist.gov/vuln/detail/CVE-2023-29383) | shadow | 3.3 | 4.13 | 4.14.0 | 4.14.1 | Pending merge for nixpkgs master PR: [link](https://github.com/NixOS/nixpkgs/pull/233924). TODO: consider taking the upstream version update to 4.14 instead: [link](https://github.com/shadow-maint/shadow/releases). *[[PR](https://github.com/NixOS/nixpkgs/pull/254143)]* | | [GHSA-w596-4wvx-j9j6](https://osv.dev/GHSA-w596-4wvx-j9j6) | py | | 1.11.0 | 1.11.0 | 1.11.0 | | | [OSV-2023-877](https://osv.dev/OSV-2023-877) | libbpf | | 1.2.0 | 1.2.2 | 1.2.2 | | | [OSV-2023-505](https://osv.dev/OSV-2023-505) | file | | 5.44 | 5.45 | 5.45 | Unclear if this is still valid. | diff --git a/reports/main/packages.x86_64-linux.generic-x86_64-release.md b/reports/main/packages.x86_64-linux.generic-x86_64-release.md index f74d66b..c65730e 100644 
--- a/reports/main/packages.x86_64-linux.generic-x86_64-release.md +++ b/reports/main/packages.x86_64-linux.generic-x86_64-release.md @@ -6,7 +6,7 @@ SPDX-License-Identifier: CC-BY-SA-4.0 # Vulnerability Report -This vulnerability report is generated for Ghaf target `github:tiiuae/ghaf?ref=main#packages.x86_64-linux.generic-x86_64-release` revision https://github.com/tiiuae/ghaf/commit/362a388dc33238dd7630f620d2c1582f76140f53. The tables on this page include known vulnerabilities impacting buildtime or runtime dependencies of the given target. +This vulnerability report is generated for Ghaf target `github:tiiuae/ghaf?ref=main#packages.x86_64-linux.generic-x86_64-release` revision https://github.com/tiiuae/ghaf/commit/b75a452fbd9529c0c43b6a89840fa7ef0a708f08. The tables on this page include known vulnerabilities impacting buildtime or runtime dependencies of the given target. This report is automatically generated as specified on the [Vulnerability Scan](../../.github/workflows/vulnerability-scan.yml) GitHub action workflow. It uses the tooling from [sbomnix](https://github.com/tiiuae/sbomnix) repository, such as [vulnxscan](https://github.com/tiiuae/sbomnix/tree/main/scripts/vulnxscan), as well as the manual analysis results maintained in the [manual_analysis.csv](../../manual_analysis.csv) file. @@ -27,7 +27,11 @@ Following table lists vulnerabilities that have been fixed in the nixpkgs channe Update the target Ghaf [flake.lock](https://github.com/tiiuae/ghaf/blob/main/flake.lock) file to mitigate the following issues: -```No vulnerabilities``` + +| vuln_id | package | severity | version_local | nix_unstable | upstream | comment | +|------------------------------------------------------------|-----------|------------|-----------------|----------------|------------|-----------| +| [GHSA-qqvq-6xgj-jw8g](https://osv.dev/GHSA-qqvq-6xgj-jw8g) | electron | | 26.2.1 | 26.2.4 | 26.3.0 | | + ## Vulnerabilities Fixed in nix-unstable 
@@ -54,7 +58,7 @@ Consider [whitelisting](../../manual_analysis.csv) possible false positives base | [CVE-2023-38039](https://nvd.nist.gov/vuln/detail/CVE-2023-38039) | curl | 7.5 | 8.1.1 | 8.3.0 | 8.3.0 | *[[PR](https://github.com/NixOS/nixpkgs/pull/254962), [PR](https://github.com/NixOS/nixpkgs/pull/254963)]* | | [CVE-2023-2609](https://nvd.nist.gov/vuln/detail/CVE-2023-2609) | vim | 5.5 | 9.0.1441 | 9.0.1897 | 9.0.1976 | Backport nixpkgs PR [link](https://github.com/NixOS/nixpkgs/pull/254666) to 23.05 once it's merged to unstable/staging. *[[PR](https://github.com/NixOS/nixpkgs/pull/254666)]* | | [CVE-2023-2426](https://nvd.nist.gov/vuln/detail/CVE-2023-2426) | vim | 5.5 | 9.0.1441 | 9.0.1897 | 9.0.1976 | Backport nixpkgs PR [link](https://github.com/NixOS/nixpkgs/pull/254666) to 23.05 once it's merged to unstable/staging. *[[PR](https://github.com/NixOS/nixpkgs/pull/254666)]* | -| [CVE-2023-29383](https://nvd.nist.gov/vuln/detail/CVE-2023-29383) | shadow | 3.3 | 4.13 | 4.14.0 | 4.14.0 | Pending merge for nixpkgs master PR: [link](https://github.com/NixOS/nixpkgs/pull/233924). TODO: consider taking the upstream version update to 4.14 instead: [link](https://github.com/shadow-maint/shadow/releases). *[[PR](https://github.com/NixOS/nixpkgs/pull/254143)]* | +| [CVE-2023-29383](https://nvd.nist.gov/vuln/detail/CVE-2023-29383) | shadow | 3.3 | 4.13 | 4.14.0 | 4.14.1 | Pending merge for nixpkgs master PR: [link](https://github.com/NixOS/nixpkgs/pull/233924). TODO: consider taking the upstream version update to 4.14 instead: [link](https://github.com/shadow-maint/shadow/releases). 
*[[PR](https://github.com/NixOS/nixpkgs/pull/254143)]* | | [OSV-2023-80](https://osv.dev/OSV-2023-80) | libgit2 | | 1.6.4 | 1.7.1 | 1.7.1 | | | [OSV-2023-56](https://osv.dev/OSV-2023-56) | libgit2 | | 1.6.4 | 1.7.1 | 1.7.1 | | | [OSV-2022-394](https://osv.dev/OSV-2022-394) | opencv | | 4.7.0 | 4.7.0 | 4.8.1 | No attention from upstream: [link](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47190). | 
@@ -68,9 +72,14 @@ Following table lists vulnerabilities currently impacting the Ghaf target that h Consider [whitelisting](../../manual_analysis.csv) possible false positives based on manual analysis, or - if determined valid - help nixpkgs community fix the following issues in nixpkgs: -| vuln_id | package | severity | version_local | nix_unstable | upstream | comment | -|-------------------------------------------------------------------|-----------|------------|-----------------|----------------|------------|------------------------------------------------------------------------------------------------------------| -| [CVE-2023-44488](https://nvd.nist.gov/vuln/detail/CVE-2023-44488) | libvpx | 7.5 | 1.13.0 | 1.13.0 | 1.13.1 | *[[PR](https://github.com/NixOS/nixpkgs/pull/258295), [PR](https://github.com/NixOS/nixpkgs/pull/258350)]* | +| vuln_id | package | severity | version_local | nix_unstable | upstream | comment | +|-------------------------------------------------------------------|-----------|------------|-----------------|----------------|------------|-----------| +| [CVE-2023-28450](https://nvd.nist.gov/vuln/detail/CVE-2023-28450) | dnsmasq | 7.5 | 2.89 | 2.89 | 2.89 | | +| [CVE-2023-5344](https://nvd.nist.gov/vuln/detail/CVE-2023-5344) | vim | 7.5 | 9.0.1441 | 9.0.1897 | 9.0.1976 | | +| [GHSA-qqvq-6xgj-jw8g](https://osv.dev/GHSA-qqvq-6xgj-jw8g) | electron | | 26.2.1 | 26.2.4 | 26.3.0 | | +| [OSV-2022-785](https://osv.dev/OSV-2022-785) | dnsmasq | | 2.89 | 2.89 | 2.89 | | +| [OSV-2022-572](https://osv.dev/OSV-2022-572) | dnsmasq | | 2.89 | 2.89 | 2.89 | | +| [OSV-2022-312](https://osv.dev/OSV-2022-312) | dnsmasq | | 2.89 | 2.89 | 2.89 | | 
@@ -123,9 +132,11 @@ Consider [whitelisting](../../manual_analysis.csv) possible false positives base | [CVE-2014-9819](https://nvd.nist.gov/vuln/detail/CVE-2014-9819) | imagemagick | 7.8 | 7.1.1-18 | 7.1.1-18 | 7.1.1.19 | | | [CVE-2014-9817](https://nvd.nist.gov/vuln/detail/CVE-2014-9817) | imagemagick | 7.8 | 7.1.1-18 | 7.1.1-18 | 7.1.1.19 | | | [CVE-2023-44488](https://nvd.nist.gov/vuln/detail/CVE-2023-44488) | libvpx | 7.5 | 1.13.0 | 1.13.0 | 1.13.1 | *[[PR](https://github.com/NixOS/nixpkgs/pull/258295), [PR](https://github.com/NixOS/nixpkgs/pull/258350)]* | -| [CVE-2023-39533](https://nvd.nist.gov/vuln/detail/CVE-2023-39533) | go | 7.5 | 1.17.13-linux-am | 1.21.1 | 1.21.1 | It's unclear if the vulnerable go pacakge 'go-libp2p' is actually used by anything Ghaf depends-on. The issue is included here, since NVD CPE refers go compiler 'golang:go' up to version 1.20.6. As soon as the nixpkgs PR that updates to go 1.20.7 ([link](https://github.com/NixOS/nixpkgs/pull/246663)) is in Ghaf, this issue should no longer be included in the reports. *[[PR](https://github.com/NixOS/nixpkgs/pull/253738)]* | +| [CVE-2023-39533](https://nvd.nist.gov/vuln/detail/CVE-2023-39533) | go | 7.5 | 1.17.13-linux-am | 1.21.1 | 1.21.2 | It's unclear if the vulnerable go pacakge 'go-libp2p' is actually used by anything Ghaf depends-on. The issue is included here, since NVD CPE refers go compiler 'golang:go' up to version 1.20.6. As soon as the nixpkgs PR that updates to go 1.20.7 ([link](https://github.com/NixOS/nixpkgs/pull/246663)) is in Ghaf, this issue should no longer be included in the reports. 
*[[PR](https://github.com/NixOS/nixpkgs/pull/253738)]* | | [CVE-2023-38039](https://nvd.nist.gov/vuln/detail/CVE-2023-38039) | curl | 7.5 | 8.1.1 | 8.3.0 | 8.3.0 | *[[PR](https://github.com/NixOS/nixpkgs/pull/254962), [PR](https://github.com/NixOS/nixpkgs/pull/254963)]* | +| [CVE-2023-28450](https://nvd.nist.gov/vuln/detail/CVE-2023-28450) | dnsmasq | 7.5 | 2.89 | 2.89 | 2.89 | | | [CVE-2023-28319](https://nvd.nist.gov/vuln/detail/CVE-2023-28319) | curl | 7.5 | 0.4.44 | | | *[[PR](https://github.com/NixOS/nixpkgs/pull/232531)]* | +| [CVE-2023-5344](https://nvd.nist.gov/vuln/detail/CVE-2023-5344) | vim | 7.5 | 9.0.1441 | 9.0.1897 | 9.0.1976 | | | [CVE-2023-5156](https://nvd.nist.gov/vuln/detail/CVE-2023-5156) | glibc | 7.5 | 2.37-8 | 2.37-8 | 2.38 | | | [CVE-2023-3354](https://nvd.nist.gov/vuln/detail/CVE-2023-3354) | qemu | 7.5 | 8.0.5 | 8.1.1 | 8.1.1 | Fixed in 8.0.4: [link](https://gitlab.com/qemu-project/qemu/-/commit/5300472ec0990c61742d89b5eea1c1e6941f6d62). Nixpkgs PR: [link](https://github.com/NixOS/nixpkgs/pull/251036). *[[PR](https://github.com/NixOS/nixpkgs/pull/248659)]* | | [CVE-2022-43357](https://nvd.nist.gov/vuln/detail/CVE-2022-43357) | sassc | 7.5 | 3.6.2 | 3.6.2 | 3.6.2 | | 
@@ -176,8 +187,8 @@ Consider [whitelisting](../../manual_analysis.csv) possible false positives base | [CVE-2014-9907](https://nvd.nist.gov/vuln/detail/CVE-2014-9907) | imagemagick | 6.5 | 7.1.1-18 | 7.1.1-18 | 7.1.1.19 | | | [CVE-2014-9829](https://nvd.nist.gov/vuln/detail/CVE-2014-9829) | imagemagick | 6.5 | 7.1.1-18 | 7.1.1-18 | 7.1.1.19 | | | [CVE-2007-5967](https://nvd.nist.gov/vuln/detail/CVE-2007-5967) | firefox | 6.5 | 118.0 | 118.0.1 | 118.0.1 | | -| [CVE-2023-39319](https://nvd.nist.gov/vuln/detail/CVE-2023-39319) | go | 6.1 | 1.17.13-linux-am | 1.21.1 | 1.21.1 | *[[PR](https://github.com/NixOS/nixpkgs/pull/253738)]* | -| [CVE-2023-39318](https://nvd.nist.gov/vuln/detail/CVE-2023-39318) | go | 6.1 | 1.17.13-linux-am | 1.21.1 | 1.21.1 | *[[PR](https://github.com/NixOS/nixpkgs/pull/253738)]* | +| [CVE-2023-39319](https://nvd.nist.gov/vuln/detail/CVE-2023-39319) | go | 6.1 | 1.17.13-linux-am | 1.21.1 | 1.21.2 | *[[PR](https://github.com/NixOS/nixpkgs/pull/253738)]* | +| [CVE-2023-39318](https://nvd.nist.gov/vuln/detail/CVE-2023-39318) | go | 6.1 | 1.17.13-linux-am | 1.21.1 | 1.21.2 | *[[PR](https://github.com/NixOS/nixpkgs/pull/253738)]* | | [CVE-2020-35669](https://nvd.nist.gov/vuln/detail/CVE-2020-35669) | http | 6.1 | 0.2.9 | 0.3-0 | 0.4 | | | [CVE-2023-28321](https://nvd.nist.gov/vuln/detail/CVE-2023-28321) | curl | 5.9 | 0.4.44 | | | *[[PR](https://github.com/NixOS/nixpkgs/pull/232531), [PR](https://github.com/NixOS/nixpkgs/pull/232535)]* | | [CVE-2023-28320](https://nvd.nist.gov/vuln/detail/CVE-2023-28320) | curl | 5.9 | 0.4.44 | | | *[[PR](https://github.com/NixOS/nixpkgs/pull/232531), [PR](https://github.com/NixOS/nixpkgs/pull/232535)]* | 
@@ -209,7 +220,7 @@ Consider [whitelisting](../../manual_analysis.csv) possible false positives base | [CVE-2020-2136](https://nvd.nist.gov/vuln/detail/CVE-2020-2136) | git | 5.4 | 2.40.1 | 2.42.0 | 2.42.0 | *[[PR](https://github.com/NixOS/nixpkgs/pull/82872), [PR](https://github.com/NixOS/nixpkgs/pull/84664)]* | | [CVE-2018-8024](https://nvd.nist.gov/vuln/detail/CVE-2018-8024) | firefox | 5.4 | 118.0 | 118.0.1 | 118.0.1 | | | [CVE-2023-30571](https://nvd.nist.gov/vuln/detail/CVE-2023-30571) | libarchive | 5.3 | 3.6.2 | 3.6.2 | 3.7.2 | No upstream fix available, see: [link](https://github.com/libarchive/libarchive/issues/1876). *[[PR](https://github.com/NixOS/nixpkgs/pull/244713), [PR](https://github.com/NixOS/nixpkgs/pull/256930)]* | -| [CVE-2023-29409](https://nvd.nist.gov/vuln/detail/CVE-2023-29409) | go | 5.3 | 1.17.13-linux-am | 1.21.1 | 1.21.1 | See: [link](https://github.com/golang/go/issues/61580), fixed by update to go 1.20.7: nixpkgs PR [link](https://github.com/NixOS/nixpkgs/pull/246663). *[[PR](https://github.com/NixOS/nixpkgs/pull/247034), [PR](https://github.com/NixOS/nixpkgs/pull/253738)]* | +| [CVE-2023-29409](https://nvd.nist.gov/vuln/detail/CVE-2023-29409) | go | 5.3 | 1.17.13-linux-am | 1.21.1 | 1.21.2 | See: [link](https://github.com/golang/go/issues/61580), fixed by update to go 1.20.7: nixpkgs PR [link](https://github.com/NixOS/nixpkgs/pull/246663). *[[PR](https://github.com/NixOS/nixpkgs/pull/247034), [PR](https://github.com/NixOS/nixpkgs/pull/253738)]* | | [CVE-2016-7153](https://nvd.nist.gov/vuln/detail/CVE-2016-7153) | firefox | 5.3 | 118.0 | 118.0.1 | 118.0.1 | | | [CVE-2016-7152](https://nvd.nist.gov/vuln/detail/CVE-2016-7152) | firefox | 5.3 | 118.0 | 118.0.1 | 118.0.1 | | | [CVE-2023-4039](https://nvd.nist.gov/vuln/detail/CVE-2023-4039) | gcc | 4.8 | 12.2.0 | 4.6.4 | 13.2.0 | | 
@@ -217,7 +228,8 @@ Consider [whitelisting](../../manual_analysis.csv) possible false positives base | [CVE-2023-28322](https://nvd.nist.gov/vuln/detail/CVE-2023-28322) | curl | 3.7 | 0.4.44 | | | *[[PR](https://github.com/NixOS/nixpkgs/pull/232531), [PR](https://github.com/NixOS/nixpkgs/pull/232535)]* | | [CVE-2022-35252](https://nvd.nist.gov/vuln/detail/CVE-2022-35252) | curl | 3.7 | 0.4.44 | | | *[[PR](https://github.com/NixOS/nixpkgs/pull/189083), [PR](https://github.com/NixOS/nixpkgs/pull/198730)]* | | [CVE-2020-8284](https://nvd.nist.gov/vuln/detail/CVE-2020-8284) | curl | 3.7 | 0.4.44 | | | *[[PR](https://github.com/NixOS/nixpkgs/pull/106452)]* | -| [CVE-2023-29383](https://nvd.nist.gov/vuln/detail/CVE-2023-29383) | shadow | 3.3 | 4.13 | 4.14.0 | 4.14.0 | Pending merge for nixpkgs master PR: [link](https://github.com/NixOS/nixpkgs/pull/233924). TODO: consider taking the upstream version update to 4.14 instead: [link](https://github.com/shadow-maint/shadow/releases). *[[PR](https://github.com/NixOS/nixpkgs/pull/254143)]* | +| [CVE-2023-29383](https://nvd.nist.gov/vuln/detail/CVE-2023-29383) | shadow | 3.3 | 4.13 | 4.14.0 | 4.14.1 | Pending merge for nixpkgs master PR: [link](https://github.com/NixOS/nixpkgs/pull/233924). TODO: consider taking the upstream version update to 4.14 instead: [link](https://github.com/shadow-maint/shadow/releases). *[[PR](https://github.com/NixOS/nixpkgs/pull/254143)]* | +| [GHSA-qqvq-6xgj-jw8g](https://osv.dev/GHSA-qqvq-6xgj-jw8g) | electron | | 26.2.1 | 26.2.4 | 26.3.0 | | | [GHSA-w596-4wvx-j9j6](https://osv.dev/GHSA-w596-4wvx-j9j6) | py | | 1.11.0 | 1.11.0 | 1.11.0 | | | [OSV-2023-877](https://osv.dev/OSV-2023-877) | libbpf | | 1.2.0 | 1.2.2 | 1.2.2 | | | [OSV-2023-505](https://osv.dev/OSV-2023-505) | file | | 5.44 | 5.45 | 5.45 | Unclear if this is still valid. | 
@@ -231,10 +243,13 @@ Consider [whitelisting](../../manual_analysis.csv) possible false positives base | [OSV-2022-859](https://osv.dev/OSV-2022-859) | bluez | | 5.66 | 5.66 | 5.70 | Unclear if this is still valid. | | [OSV-2022-842](https://osv.dev/OSV-2022-842) | wolfssl | | 5.5.4 | 5.6.3 | 5.6.3 | Unclear if this is still valid. | | [OSV-2022-819](https://osv.dev/OSV-2022-819) | libraw | | 0.21.1 | 0.21.1 | 0.21.1 | | +| [OSV-2022-785](https://osv.dev/OSV-2022-785) | dnsmasq | | 2.89 | 2.89 | 2.89 | | | [OSV-2022-725](https://osv.dev/OSV-2022-725) | libjxl | | 0.8.2 | 0.8.2 | 0.8.2 | Unclear if this is still valid. | | [OSV-2022-608](https://osv.dev/OSV-2022-608) | libjxl | | 0.8.2 | 0.8.2 | 0.8.2 | Unclear if this is still valid. | | [OSV-2022-581](https://osv.dev/OSV-2022-581) | qemu | | 8.0.5 | 8.1.1 | 8.1.1 | Unclear if this is still valid. | +| [OSV-2022-572](https://osv.dev/OSV-2022-572) | dnsmasq | | 2.89 | 2.89 | 2.89 | | | [OSV-2022-394](https://osv.dev/OSV-2022-394) | opencv | | 4.7.0 | 4.7.0 | 4.8.1 | No attention from upstream: [link](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47190). | +| [OSV-2022-312](https://osv.dev/OSV-2022-312) | dnsmasq | | 2.89 | 2.89 | 2.89 | | | [OSV-2022-193](https://osv.dev/OSV-2022-193) | w3m | | 0.5.3+git2023012 | 0.5.3+git2023012 | 0.5.3+git2023012 | Unclear if this is still valid. | | [OSV-2021-594](https://osv.dev/OSV-2021-594) | libheif | | 1.15.2 | 1.15.2 | 1.16.2 | | | [OSV-2021-508](https://osv.dev/OSV-2021-508) | libsass | | 3.6.5 | 3.6.5 | 3.6.5 | Unclear if this is still valid. |
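Review bot: the three dnsmasq rows added in the @@ -846 hunk of data.csv (OSV-2022-785, OSV-2022-572, OSV-2022-312) have an empty whitelist_comment while version_local, version_nixpkgs and version_upstream are all 2.89, so no version bump can ever clear them and the classify value err_not_vulnerable_based_on_repology already points at a false positive. Neighbouring rows of the same kind (espeak-ng, libjxl, qemu) at least carry "Unclear if this is still valid."; record the manual-analysis outcome here, and set whitelist to True with a justification if the finding is confirmed invalid, so these rows stop resurfacing in the "help nixpkgs community fix" tables.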
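Review bot: in packages.x86_64-linux.generic-x86_64-release.md the same GHSA-qqvq-6xgj-jw8g electron row (26.2.1 / 26.2.4 / 26.3.0) is added both to the "fixed in nixpkgs, update flake.lock" table in the @@ -27 hunk and to the "not fixed in nixpkgs, consider whitelisting" table in the @@ -68 hunk, and again in the all-vulnerabilities table in the @@ -217 hunk. A finding with nix_unstable 26.2.4 above version_local 26.2.1 belongs in the first table only; check which classification the generator assigned to this row and drop it from the section it does not belong to, since a reader acting on the second table would file a needless nixpkgs issue.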
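Review bot: the CVE-2023-5344 vim row added in the @@ -63 hunk of the riscv report (and the matching rows in the @@ -87 and x86 @@ -68 hunks) has an empty comment, while every other vim row in these tables (CVE-2023-2609, CVE-2023-2426, CVE-2023-4733, CVE-2023-2610) carries the "Backport nixpkgs PR 254666 to 23.05" note. With nix_unstable at 9.0.1897 and the upstream column at 9.0.1976, that PR evidently does not cover this CVE, so a one-line manual_analysis.csv comment stating whether a nixpkgs bump to the fixed upstream release is pending would save the next reader re-deriving this from the version columns.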
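Review bot: in the @@ -123 hunk of the x86 report only the upstream column of CVE-2023-39533 moves from 1.21.1 to 1.21.2, yet the comment still says the issue "should no longer be included" once nixpkgs carries go 1.20.7; nix_unstable is already 1.21.1 and the row persists because version_local is the 1.17.13 bootstrap copy of go (shown in full as 1.17.13-linux-amd64-bootstrap in the data.csv hunks). The data.csv hunk at @@ -767 already handles the same bootstrap go for CVE-2023-24536 and siblings with whitelist=True and a pointer to nixpkgs PR 241776; apply the same treatment here, or at least reword the comment to say why the row remains, and fix the "pacakge" typo while the text is touched.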