From 3bdcf97de5ac807b99f21126dd583129cc961518 Mon Sep 17 00:00:00 2001 From: henrirosten Date: Fri, 8 Sep 2023 11:43:38 +0000 Subject: [PATCH] Ghaf vulnerability scan update --- reports/ghaf-23.06/data.csv | 19 +- ...ges.x86_64-linux.generic-x86_64-release.md | 34 +-- reports/main/data.csv | 245 +++--------------- ...cv64-linux.microchip-icicle-kit-release.md | 72 ++--- ...ges.x86_64-linux.generic-x86_64-release.md | 34 +-- 5 files changed, 101 insertions(+), 303 deletions(-) diff --git a/reports/ghaf-23.06/data.csv b/reports/ghaf-23.06/data.csv index 2d1878c..b2660eb 100644 --- a/reports/ghaf-23.06/data.csv +++ b/reports/ghaf-23.06/data.csv 
@@ -105,12 +105,9 @@ https://github.com/NixOS/nixpkgs/pull/239595" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","current","CVE-2023-2829","https://nvd.nist.gov/vuln/detail/CVE-2023-2829","bind","9.18.14","9.18.18","9.18.18","bind","2023A0000002829","False","","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/250135" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","current","CVE-2023-2828","https://nvd.nist.gov/vuln/detail/CVE-2023-2828","bind","9.18.14","9.18.18","9.18.18","bind","2023A0000002828","False","","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/239161 https://github.com/NixOS/nixpkgs/pull/250135" -"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","current","CVE-2023-2610","https://nvd.nist.gov/vuln/detail/CVE-2023-2610","vim","9.0.1441","9.0.1642","9.0.1882","vim","2023A0000002610","False","Consider backporting nixpkgs PR https://github.com/NixOS/nixpkgs/pull/239484 to 23.05.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/239484 -https://github.com/NixOS/nixpkgs/pull/251896" -"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","current","CVE-2023-2609","https://nvd.nist.gov/vuln/detail/CVE-2023-2609","vim","9.0.1441","9.0.1642","9.0.1882","vim","2023A0000002609","False","Consider backporting nixpkgs PR https://github.com/NixOS/nixpkgs/pull/239484 to 23.05.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/239484 -https://github.com/NixOS/nixpkgs/pull/251896" -"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","current","CVE-2023-2426","https://nvd.nist.gov/vuln/detail/CVE-2023-2426","vim","9.0.1441","9.0.1642","9.0.1882","vim","2023A0000002426","False","Consider backporting nixpkgs PR https://github.com/NixOS/nixpkgs/pull/239484 to 
23.05.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/239484 -https://github.com/NixOS/nixpkgs/pull/251896" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","current","CVE-2023-2610","https://nvd.nist.gov/vuln/detail/CVE-2023-2610","vim","9.0.1441","9.0.1811","9.0.1882","vim","2023A0000002610","False","Consider backporting nixpkgs PR https://github.com/NixOS/nixpkgs/pull/239484 to 23.05.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/251896" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","current","CVE-2023-2609","https://nvd.nist.gov/vuln/detail/CVE-2023-2609","vim","9.0.1441","9.0.1811","9.0.1882","vim","2023A0000002609","False","Consider backporting nixpkgs PR https://github.com/NixOS/nixpkgs/pull/239484 to 23.05.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/251896" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","current","CVE-2023-2426","https://nvd.nist.gov/vuln/detail/CVE-2023-2426","vim","9.0.1441","9.0.1811","9.0.1882","vim","2023A0000002426","False","Consider backporting nixpkgs PR https://github.com/NixOS/nixpkgs/pull/239484 to 23.05.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/251896" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","current","CVE-2023-1999","https://nvd.nist.gov/vuln/detail/CVE-2023-1999","libwebp","1.3.0","1.3.1","1.3.1","libwebp","2023A0000001999","False","","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/240893 https://github.com/NixOS/nixpkgs/pull/241036" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","current","CVE-2023-1916","https://nvd.nist.gov/vuln/detail/CVE-2023-1916","libtiff","4.5.0","4.5.1","4.5.1","tiff","2023A0000001916","False","","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/239544 
@@ -324,12 +321,9 @@ https://github.com/NixOS/nixpkgs/pull/253738" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","lock_updated","CVE-2023-3354","https://nvd.nist.gov/vuln/detail/CVE-2023-3354","qemu","8.0.4","8.1.0","8.1.0","qemu","2023A0000003354","False","Fixed in 8.0.4: https://gitlab.com/qemu-project/qemu/-/commit/5300472ec0990c61742d89b5eea1c1e6941f6d62. Nixpkgs PR: https://github.com/NixOS/nixpkgs/pull/251036.","err_not_vulnerable_based_on_repology","https://github.com/NixOS/nixpkgs/pull/248659" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","lock_updated","CVE-2023-3180","https://nvd.nist.gov/vuln/detail/CVE-2023-3180","qemu","8.0.4","8.1.0","8.1.0","qemu","2023A0000003180","False","Fixed in 8.0.4: https://gitlab.com/qemu-project/qemu/-/commit/49f1e02bac166821c712534aaa775f50e1afe17f. Nixpkgs PR: https://github.com/NixOS/nixpkgs/pull/251036.","err_not_vulnerable_based_on_repology","https://github.com/NixOS/nixpkgs/pull/248659" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","lock_updated","CVE-2023-3019","https://nvd.nist.gov/vuln/detail/CVE-2023-3019","qemu","8.0.4","8.1.0","8.1.0","qemu","2023A0000003019","False","Revisit when fixed upstream: https://lists.nongnu.org/archive/html/qemu-devel/2023-05/msg08310.html.","err_not_vulnerable_based_on_repology","" -"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","lock_updated","CVE-2023-2610","https://nvd.nist.gov/vuln/detail/CVE-2023-2610","vim","9.0.1441","9.0.1642","9.0.1882","vim","2023A0000002610","False","Consider backporting nixpkgs PR https://github.com/NixOS/nixpkgs/pull/239484 to 23.05.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/239484 -https://github.com/NixOS/nixpkgs/pull/251896" 
-"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","lock_updated","CVE-2023-2609","https://nvd.nist.gov/vuln/detail/CVE-2023-2609","vim","9.0.1441","9.0.1642","9.0.1882","vim","2023A0000002609","False","Consider backporting nixpkgs PR https://github.com/NixOS/nixpkgs/pull/239484 to 23.05.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/239484 -https://github.com/NixOS/nixpkgs/pull/251896" -"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","lock_updated","CVE-2023-2426","https://nvd.nist.gov/vuln/detail/CVE-2023-2426","vim","9.0.1441","9.0.1642","9.0.1882","vim","2023A0000002426","False","Consider backporting nixpkgs PR https://github.com/NixOS/nixpkgs/pull/239484 to 23.05.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/239484 -https://github.com/NixOS/nixpkgs/pull/251896" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","lock_updated","CVE-2023-2610","https://nvd.nist.gov/vuln/detail/CVE-2023-2610","vim","9.0.1441","9.0.1811","9.0.1882","vim","2023A0000002610","False","Consider backporting nixpkgs PR https://github.com/NixOS/nixpkgs/pull/239484 to 23.05.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/251896" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","lock_updated","CVE-2023-2609","https://nvd.nist.gov/vuln/detail/CVE-2023-2609","vim","9.0.1441","9.0.1811","9.0.1882","vim","2023A0000002609","False","Consider backporting nixpkgs PR https://github.com/NixOS/nixpkgs/pull/239484 to 23.05.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/251896" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","lock_updated","CVE-2023-2426","https://nvd.nist.gov/vuln/detail/CVE-2023-2426","vim","9.0.1441","9.0.1811","9.0.1882","vim","2023A0000002426","False","Consider backporting nixpkgs PR 
https://github.com/NixOS/nixpkgs/pull/239484 to 23.05.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/251896" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","lock_updated","CVE-2023-1386","https://nvd.nist.gov/vuln/detail/CVE-2023-1386","qemu","8.0.4","8.1.0","8.1.0","qemu","2023A0000001386","False","Revisit when fixed upstream: https://github.com/v9fs/linux/issues/29.","fix_not_available","" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","lock_updated","OSV-2023-505","https://osv.dev/OSV-2023-505","file","5.44","5.45","5.45","file","2023A0000000505","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology","" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","lock_updated","OSV-2023-390","https://osv.dev/OSV-2023-390","qemu","8.0.4","8.1.0","8.1.0","qemu","2023A0000000390","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology","" 
@@ -478,7 +472,6 @@ https://github.com/NixOS/nixpkgs/pull/84664" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","lock_updated","CVE-2014-9157","https://nvd.nist.gov/vuln/detail/CVE-2014-9157","graphviz","7.1.0","","","","2014A0000009157","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","lock_updated","CVE-2012-3509","https://nvd.nist.gov/vuln/detail/CVE-2012-3509","libiberty","12.2.0","","","","2012A0000003509","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","lock_updated","CVE-2010-4226","https://nvd.nist.gov/vuln/detail/CVE-2010-4226","cpio","2.14","","","","2010A0000004226","True","NVD data issue: concerns OpenSuSE, not cpio.","err_missing_repology_version","" -"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","nix_unstable","GHSA-wrrj-h57r-vx9p","https://osv.dev/GHSA-wrrj-h57r-vx9p","cargo","1.71.1","0.4.9","0.4.9","r:cargo","2023A1692835200","False","","err_not_vulnerable_based_on_repology","" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","nix_unstable","GHSA-w596-4wvx-j9j6","https://osv.dev/GHSA-w596-4wvx-j9j6","py","1.11.0","1.11.0","1.11.0","python:py","2023A1691452800","False","","err_not_vulnerable_based_on_repology","" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","nix_unstable","CVE-2023-39742","https://nvd.nist.gov/vuln/detail/CVE-2023-39742","giflib","5.2.1","5.2.1","5.2.1","giflib","2023A0000039742","False","","fix_not_available","" 
"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.06","nix_unstable","CVE-2023-39533","https://nvd.nist.gov/vuln/detail/CVE-2023-39533","go","1.17.13-linux-amd64-bootstrap","1.21.0","1.21.1","go","2023A0000039533","False","It's unclear if the vulnerable go pacakge 'go-libp2p' is actually used by anything Ghaf depends-on. The issue is included here, since NVD CPE refers go compiler 'golang:go' up to version 1.20.6. As soon as the nixpkgs PR that updates to go 1.20.7 (https://github.com/NixOS/nixpkgs/pull/246663) is in Ghaf, this issue should no longer be included in the reports.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/113862 diff --git a/reports/ghaf-23.06/packages.x86_64-linux.generic-x86_64-release.md b/reports/ghaf-23.06/packages.x86_64-linux.generic-x86_64-release.md index 4ef4e92..a2f1134 100644 --- a/reports/ghaf-23.06/packages.x86_64-linux.generic-x86_64-release.md +++ b/reports/ghaf-23.06/packages.x86_64-linux.generic-x86_64-release.md 
@@ -6,10 +6,11 @@ SPDX-License-Identifier: CC-BY-SA-4.0 # Vulnerability Report -This vulnerability report is generated for Ghaf target '`github:tiiuae/ghaf?ref=ghaf-23.06#packages.x86_64-linux.generic-x86_64-release`'. The tables on this page include known vulnerabilities impacting any buildtime or runtime dependencies of the given target. +This vulnerability report is generated for Ghaf target `github:tiiuae/ghaf?ref=ghaf-23.06#packages.x86_64-linux.generic-x86_64-release` revision `3386e833424289c0e909e84328c1bfb065bfdbb8`. The tables on this page include known vulnerabilities impacting buildtime or runtime dependencies of the given target. This report is automatically generated as specified on the [Vulnerability Scan](../.github/workflows/vulnerability-scan.yml) GitHub action workflow. It uses the tooling from [sbomnix](https://github.com/tiiuae/sbomnix) repository, such as [vulnxscan](https://github.com/tiiuae/sbomnix/tree/main/scripts/vulnxscan), as well as the manual analysis results maintained in the [manual_analysis.csv](../manual_analysis.csv) file. +See section [Theory of Operation](https://github.com/tiiuae/ghafscan#theory-of-operation) in the [ghafscan README.md](https://github.com/tiiuae/ghafscan/blob/main/README.md) for details of how the data on this report is generated. Reports ================= 
@@ -63,24 +64,25 @@ Update the target Ghaf [flake.lock](https://github.com/tiiuae/ghaf/blob/main/fla ## Vulnerabilities Fixed in nix-unstable -Following table lists vulnerabilities that have been fixed in nixpgks nix-unstable channel, but the fixes have not been backported to the channel the Ghaf target is currently pinned to. +Following table lists vulnerabilities that have been fixed in nixpkgs nix-unstable channel, but the fixes have not been backported to the channel the Ghaf target is currently pinned to. Following issues potentially require backporting the fix from nixpkgs-unstable to the correct nixpkgs release branch. Consider [whitelisting](../manual_analysis.csv) possible false positives based on manual analysis, or - if determined valid - help nixpkgs community backport the fix to the correct nixpkgs branch: -| vuln_id | package | version_local | nix_unstable | upstream | comment | -|-------------------------------------------------------------------|-----------|-----------------|----------------|------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| [CVE-2023-40360](https://nvd.nist.gov/vuln/detail/CVE-2023-40360) | qemu | 8.0.4 | 8.1.0 | 8.1.0 | *[[PR](https://github.com/NixOS/nixpkgs/pull/251154)]* | -| [CVE-2023-40359](https://nvd.nist.gov/vuln/detail/CVE-2023-40359) | xterm | 379 | 384 | 384 | Requested backport for PR: [link](https://github.com/NixOS/nixpkgs/pull/244141). 
*[[PR](https://github.com/NixOS/nixpkgs/pull/244141)]* | -| [CVE-2023-31484](https://nvd.nist.gov/vuln/detail/CVE-2023-31484) | perl | 5.36.0-env | 5.38.0 | 5.38.0 | *[[PR](https://github.com/NixOS/nixpkgs/pull/241848), [PR](https://github.com/NixOS/nixpkgs/pull/247547)]* | -| [CVE-2023-31484](https://nvd.nist.gov/vuln/detail/CVE-2023-31484) | perl | 5.36.0 | 5.38.0 | 5.38.0 | *[[PR](https://github.com/NixOS/nixpkgs/pull/241848), [PR](https://github.com/NixOS/nixpkgs/pull/247547)]* | -| [CVE-2023-2610](https://nvd.nist.gov/vuln/detail/CVE-2023-2610) | vim | 9.0.1441 | 9.0.1642 | 9.0.1882 | Consider backporting nixpkgs PR [link](https://github.com/NixOS/nixpkgs/pull/239484) to 23.05. *[[PR](https://github.com/NixOS/nixpkgs/pull/239484), [PR](https://github.com/NixOS/nixpkgs/pull/251896)]* | -| [CVE-2023-2609](https://nvd.nist.gov/vuln/detail/CVE-2023-2609) | vim | 9.0.1441 | 9.0.1642 | 9.0.1882 | Consider backporting nixpkgs PR [link](https://github.com/NixOS/nixpkgs/pull/239484) to 23.05. *[[PR](https://github.com/NixOS/nixpkgs/pull/239484), [PR](https://github.com/NixOS/nixpkgs/pull/251896)]* | -| [CVE-2023-2426](https://nvd.nist.gov/vuln/detail/CVE-2023-2426) | vim | 9.0.1441 | 9.0.1642 | 9.0.1882 | Consider backporting nixpkgs PR [link](https://github.com/NixOS/nixpkgs/pull/239484) to 23.05. *[[PR](https://github.com/NixOS/nixpkgs/pull/239484), [PR](https://github.com/NixOS/nixpkgs/pull/251896)]* | -| [CVE-2022-0856](https://nvd.nist.gov/vuln/detail/CVE-2022-0856) | libcaca | 0.99.beta20 | 0.99.beta20 | | Not fixed upstream: [link](https://github.com/cacalabs/libcaca/issues/65). 
| -| [OSV-2022-394](https://osv.dev/OSV-2022-394) | opencv | 4.7.0 | 4.7.0 | 4.8.0 | | +| vuln_id | package | version_local | nix_unstable | upstream | comment | +|-------------------------------------------------------------------|-----------|-----------------|----------------|------------|--------------------------------------------------------------------------------------------------------------------------------------------------------| +| [GHSA-wrrj-h57r-vx9p](https://osv.dev/GHSA-wrrj-h57r-vx9p) | cargo | 1.69.0 | 0.4.9 | 0.4.9 | | +| [CVE-2023-40360](https://nvd.nist.gov/vuln/detail/CVE-2023-40360) | qemu | 8.0.4 | 8.1.0 | 8.1.0 | *[[PR](https://github.com/NixOS/nixpkgs/pull/251154)]* | +| [CVE-2023-40359](https://nvd.nist.gov/vuln/detail/CVE-2023-40359) | xterm | 379 | 384 | 384 | Requested backport for PR: [link](https://github.com/NixOS/nixpkgs/pull/244141). *[[PR](https://github.com/NixOS/nixpkgs/pull/244141)]* | +| [CVE-2023-31484](https://nvd.nist.gov/vuln/detail/CVE-2023-31484) | perl | 5.36.0-env | 5.38.0 | 5.38.0 | *[[PR](https://github.com/NixOS/nixpkgs/pull/241848), [PR](https://github.com/NixOS/nixpkgs/pull/247547)]* | +| [CVE-2023-31484](https://nvd.nist.gov/vuln/detail/CVE-2023-31484) | perl | 5.36.0 | 5.38.0 | 5.38.0 | *[[PR](https://github.com/NixOS/nixpkgs/pull/241848), [PR](https://github.com/NixOS/nixpkgs/pull/247547)]* | +| [CVE-2023-2610](https://nvd.nist.gov/vuln/detail/CVE-2023-2610) | vim | 9.0.1441 | 9.0.1811 | 9.0.1882 | Consider backporting nixpkgs PR [link](https://github.com/NixOS/nixpkgs/pull/239484) to 23.05. *[[PR](https://github.com/NixOS/nixpkgs/pull/251896)]* | +| [CVE-2023-2609](https://nvd.nist.gov/vuln/detail/CVE-2023-2609) | vim | 9.0.1441 | 9.0.1811 | 9.0.1882 | Consider backporting nixpkgs PR [link](https://github.com/NixOS/nixpkgs/pull/239484) to 23.05. 
*[[PR](https://github.com/NixOS/nixpkgs/pull/251896)]* | +| [CVE-2023-2426](https://nvd.nist.gov/vuln/detail/CVE-2023-2426) | vim | 9.0.1441 | 9.0.1811 | 9.0.1882 | Consider backporting nixpkgs PR [link](https://github.com/NixOS/nixpkgs/pull/239484) to 23.05. *[[PR](https://github.com/NixOS/nixpkgs/pull/251896)]* | +| [CVE-2022-0856](https://nvd.nist.gov/vuln/detail/CVE-2022-0856) | libcaca | 0.99.beta20 | 0.99.beta20 | | Not fixed upstream: [link](https://github.com/cacalabs/libcaca/issues/65). | +| [OSV-2022-394](https://osv.dev/OSV-2022-394) | opencv | 4.7.0 | 4.7.0 | 4.8.0 | | 
@@ -146,9 +148,9 @@ Consider [whitelisting](../manual_analysis.csv) possible false positives based o | [CVE-2023-2908](https://nvd.nist.gov/vuln/detail/CVE-2023-2908) | libtiff | 4.5.0 | 4.5.1 | 4.5.1 | *[[PR](https://github.com/NixOS/nixpkgs/pull/239544), [PR](https://github.com/NixOS/nixpkgs/pull/239595)]* | | [CVE-2023-2829](https://nvd.nist.gov/vuln/detail/CVE-2023-2829) | bind | 9.18.14 | 9.18.18 | 9.18.18 | *[[PR](https://github.com/NixOS/nixpkgs/pull/250135)]* | | [CVE-2023-2828](https://nvd.nist.gov/vuln/detail/CVE-2023-2828) | bind | 9.18.14 | 9.18.18 | 9.18.18 | *[[PR](https://github.com/NixOS/nixpkgs/pull/239161), [PR](https://github.com/NixOS/nixpkgs/pull/250135)]* | -| [CVE-2023-2610](https://nvd.nist.gov/vuln/detail/CVE-2023-2610) | vim | 9.0.1441 | 9.0.1642 | 9.0.1882 | Consider backporting nixpkgs PR [link](https://github.com/NixOS/nixpkgs/pull/239484) to 23.05. *[[PR](https://github.com/NixOS/nixpkgs/pull/239484), [PR](https://github.com/NixOS/nixpkgs/pull/251896)]* | -| [CVE-2023-2609](https://nvd.nist.gov/vuln/detail/CVE-2023-2609) | vim | 9.0.1441 | 9.0.1642 | 9.0.1882 | Consider backporting nixpkgs PR [link](https://github.com/NixOS/nixpkgs/pull/239484) to 23.05. *[[PR](https://github.com/NixOS/nixpkgs/pull/239484), [PR](https://github.com/NixOS/nixpkgs/pull/251896)]* | -| [CVE-2023-2426](https://nvd.nist.gov/vuln/detail/CVE-2023-2426) | vim | 9.0.1441 | 9.0.1642 | 9.0.1882 | Consider backporting nixpkgs PR [link](https://github.com/NixOS/nixpkgs/pull/239484) to 23.05. *[[PR](https://github.com/NixOS/nixpkgs/pull/239484), [PR](https://github.com/NixOS/nixpkgs/pull/251896)]* | +| [CVE-2023-2610](https://nvd.nist.gov/vuln/detail/CVE-2023-2610) | vim | 9.0.1441 | 9.0.1811 | 9.0.1882 | Consider backporting nixpkgs PR [link](https://github.com/NixOS/nixpkgs/pull/239484) to 23.05. 
*[[PR](https://github.com/NixOS/nixpkgs/pull/251896)]* | +| [CVE-2023-2609](https://nvd.nist.gov/vuln/detail/CVE-2023-2609) | vim | 9.0.1441 | 9.0.1811 | 9.0.1882 | Consider backporting nixpkgs PR [link](https://github.com/NixOS/nixpkgs/pull/239484) to 23.05. *[[PR](https://github.com/NixOS/nixpkgs/pull/251896)]* | +| [CVE-2023-2426](https://nvd.nist.gov/vuln/detail/CVE-2023-2426) | vim | 9.0.1441 | 9.0.1811 | 9.0.1882 | Consider backporting nixpkgs PR [link](https://github.com/NixOS/nixpkgs/pull/239484) to 23.05. *[[PR](https://github.com/NixOS/nixpkgs/pull/251896)]* | | [CVE-2023-1999](https://nvd.nist.gov/vuln/detail/CVE-2023-1999) | libwebp | 1.3.0 | 1.3.1 | 1.3.1 | *[[PR](https://github.com/NixOS/nixpkgs/pull/240893), [PR](https://github.com/NixOS/nixpkgs/pull/241036)]* | | [CVE-2023-1916](https://nvd.nist.gov/vuln/detail/CVE-2023-1916) | libtiff | 4.5.0 | 4.5.1 | 4.5.1 | *[[PR](https://github.com/NixOS/nixpkgs/pull/239544), [PR](https://github.com/NixOS/nixpkgs/pull/239595)]* | | [CVE-2023-1386](https://nvd.nist.gov/vuln/detail/CVE-2023-1386) | qemu | 8.0.0 | 8.1.0 | 8.1.0 | Revisit when fixed upstream: [link](https://github.com/v9fs/linux/issues/29). | diff --git a/reports/main/data.csv b/reports/main/data.csv index 60b655a..59cd6bb 100644 --- a/reports/main/data.csv +++ b/reports/main/data.csv 
@@ -67,12 +67,9 @@ https://github.com/NixOS/nixpkgs/pull/246451" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-3354","https://nvd.nist.gov/vuln/detail/CVE-2023-3354","qemu","8.0.2","8.1.0","8.1.0","qemu","2023A0000003354","False","Fixed in 8.0.4: https://gitlab.com/qemu-project/qemu/-/commit/5300472ec0990c61742d89b5eea1c1e6941f6d62. Nixpkgs PR: https://github.com/NixOS/nixpkgs/pull/251036.","err_not_vulnerable_based_on_repology","https://github.com/NixOS/nixpkgs/pull/248659" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-3180","https://nvd.nist.gov/vuln/detail/CVE-2023-3180","qemu","8.0.2","8.1.0","8.1.0","qemu","2023A0000003180","False","Fixed in 8.0.4: https://gitlab.com/qemu-project/qemu/-/commit/49f1e02bac166821c712534aaa775f50e1afe17f. Nixpkgs PR: https://github.com/NixOS/nixpkgs/pull/251036.","err_not_vulnerable_based_on_repology","https://github.com/NixOS/nixpkgs/pull/248659" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-3019","https://nvd.nist.gov/vuln/detail/CVE-2023-3019","qemu","8.0.2","8.1.0","8.1.0","qemu","2023A0000003019","False","Revisit when fixed upstream: https://lists.nongnu.org/archive/html/qemu-devel/2023-05/msg08310.html.","err_not_vulnerable_based_on_repology","" -"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-2610","https://nvd.nist.gov/vuln/detail/CVE-2023-2610","vim","9.0.1441","9.0.1642","9.0.1882","vim","2023A0000002610","False","Consider backporting nixpkgs PR https://github.com/NixOS/nixpkgs/pull/239484 to 23.05.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/239484 -https://github.com/NixOS/nixpkgs/pull/251896" 
-"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-2609","https://nvd.nist.gov/vuln/detail/CVE-2023-2609","vim","9.0.1441","9.0.1642","9.0.1882","vim","2023A0000002609","False","Consider backporting nixpkgs PR https://github.com/NixOS/nixpkgs/pull/239484 to 23.05.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/239484 -https://github.com/NixOS/nixpkgs/pull/251896" -"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-2426","https://nvd.nist.gov/vuln/detail/CVE-2023-2426","vim","9.0.1441","9.0.1642","9.0.1882","vim","2023A0000002426","False","Consider backporting nixpkgs PR https://github.com/NixOS/nixpkgs/pull/239484 to 23.05.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/239484 -https://github.com/NixOS/nixpkgs/pull/251896" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-2610","https://nvd.nist.gov/vuln/detail/CVE-2023-2610","vim","9.0.1441","9.0.1811","9.0.1882","vim","2023A0000002610","False","Consider backporting nixpkgs PR https://github.com/NixOS/nixpkgs/pull/239484 to 23.05.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/251896" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-2609","https://nvd.nist.gov/vuln/detail/CVE-2023-2609","vim","9.0.1441","9.0.1811","9.0.1882","vim","2023A0000002609","False","Consider backporting nixpkgs PR https://github.com/NixOS/nixpkgs/pull/239484 to 23.05.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/251896" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-2426","https://nvd.nist.gov/vuln/detail/CVE-2023-2426","vim","9.0.1441","9.0.1811","9.0.1882","vim","2023A0000002426","False","Consider backporting nixpkgs PR https://github.com/NixOS/nixpkgs/pull/239484 to 
23.05.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/251896" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-1386","https://nvd.nist.gov/vuln/detail/CVE-2023-1386","qemu","8.0.2","8.1.0","8.1.0","qemu","2023A0000001386","False","Revisit when fixed upstream: https://github.com/v9fs/linux/issues/29.","fix_not_available","" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","OSV-2023-505","https://osv.dev/OSV-2023-505","file","5.44","5.45","5.45","file","2023A0000000505","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology","" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","current","OSV-2023-390","https://osv.dev/OSV-2023-390","qemu","8.0.2","8.1.0","8.1.0","qemu","2023A0000000390","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology","" 
@@ -304,12 +301,9 @@ https://github.com/NixOS/nixpkgs/pull/253738" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2023-3354","https://nvd.nist.gov/vuln/detail/CVE-2023-3354","qemu","8.0.4","8.1.0","8.1.0","qemu","2023A0000003354","False","Fixed in 8.0.4: https://gitlab.com/qemu-project/qemu/-/commit/5300472ec0990c61742d89b5eea1c1e6941f6d62. Nixpkgs PR: https://github.com/NixOS/nixpkgs/pull/251036.","err_not_vulnerable_based_on_repology","https://github.com/NixOS/nixpkgs/pull/248659" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2023-3180","https://nvd.nist.gov/vuln/detail/CVE-2023-3180","qemu","8.0.4","8.1.0","8.1.0","qemu","2023A0000003180","False","Fixed in 8.0.4: https://gitlab.com/qemu-project/qemu/-/commit/49f1e02bac166821c712534aaa775f50e1afe17f. Nixpkgs PR: https://github.com/NixOS/nixpkgs/pull/251036.","err_not_vulnerable_based_on_repology","https://github.com/NixOS/nixpkgs/pull/248659" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2023-3019","https://nvd.nist.gov/vuln/detail/CVE-2023-3019","qemu","8.0.4","8.1.0","8.1.0","qemu","2023A0000003019","False","Revisit when fixed upstream: https://lists.nongnu.org/archive/html/qemu-devel/2023-05/msg08310.html.","err_not_vulnerable_based_on_repology","" -"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2023-2610","https://nvd.nist.gov/vuln/detail/CVE-2023-2610","vim","9.0.1441","9.0.1642","9.0.1882","vim","2023A0000002610","False","Consider backporting nixpkgs PR https://github.com/NixOS/nixpkgs/pull/239484 to 23.05.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/239484 -https://github.com/NixOS/nixpkgs/pull/251896" 
-"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2023-2609","https://nvd.nist.gov/vuln/detail/CVE-2023-2609","vim","9.0.1441","9.0.1642","9.0.1882","vim","2023A0000002609","False","Consider backporting nixpkgs PR https://github.com/NixOS/nixpkgs/pull/239484 to 23.05.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/239484 -https://github.com/NixOS/nixpkgs/pull/251896" -"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2023-2426","https://nvd.nist.gov/vuln/detail/CVE-2023-2426","vim","9.0.1441","9.0.1642","9.0.1882","vim","2023A0000002426","False","Consider backporting nixpkgs PR https://github.com/NixOS/nixpkgs/pull/239484 to 23.05.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/239484 -https://github.com/NixOS/nixpkgs/pull/251896" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2023-2610","https://nvd.nist.gov/vuln/detail/CVE-2023-2610","vim","9.0.1441","9.0.1811","9.0.1882","vim","2023A0000002610","False","Consider backporting nixpkgs PR https://github.com/NixOS/nixpkgs/pull/239484 to 23.05.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/251896" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2023-2609","https://nvd.nist.gov/vuln/detail/CVE-2023-2609","vim","9.0.1441","9.0.1811","9.0.1882","vim","2023A0000002609","False","Consider backporting nixpkgs PR https://github.com/NixOS/nixpkgs/pull/239484 to 23.05.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/251896" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2023-2426","https://nvd.nist.gov/vuln/detail/CVE-2023-2426","vim","9.0.1441","9.0.1811","9.0.1882","vim","2023A0000002426","False","Consider backporting nixpkgs PR https://github.com/NixOS/nixpkgs/pull/239484 to 
23.05.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/251896" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2023-1386","https://nvd.nist.gov/vuln/detail/CVE-2023-1386","qemu","8.0.4","8.1.0","8.1.0","qemu","2023A0000001386","False","Revisit when fixed upstream: https://github.com/v9fs/linux/issues/29.","fix_not_available","" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","OSV-2023-505","https://osv.dev/OSV-2023-505","file","5.44","5.45","5.45","file","2023A0000000505","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology","" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","OSV-2023-390","https://osv.dev/OSV-2023-390","qemu","8.0.4","8.1.0","8.1.0","qemu","2023A0000000390","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology","" 
@@ -482,7 +476,6 @@ https://github.com/NixOS/nixpkgs/pull/84664" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2014-4859","https://nvd.nist.gov/vuln/detail/CVE-2014-4859","edk2","202211","","","","2014A0000004859","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2012-3509","https://nvd.nist.gov/vuln/detail/CVE-2012-3509","libiberty","12.2.0","","","","2012A0000003509","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2010-4226","https://nvd.nist.gov/vuln/detail/CVE-2010-4226","cpio","2.14","","","","2010A0000004226","True","NVD data issue: concerns OpenSuSE, not cpio.","err_missing_repology_version","" -"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","GHSA-wrrj-h57r-vx9p","https://osv.dev/GHSA-wrrj-h57r-vx9p","cargo","1.71.1","0.4.9","0.4.9","r:cargo","2023A1692835200","False","","err_not_vulnerable_based_on_repology","" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","GHSA-w596-4wvx-j9j6","https://osv.dev/GHSA-w596-4wvx-j9j6","py","1.11.0","1.11.0","1.11.0","python:py","2023A1691452800","False","","err_not_vulnerable_based_on_repology","" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2023-39742","https://nvd.nist.gov/vuln/detail/CVE-2023-39742","giflib","5.2.1","5.2.1","5.2.1","giflib","2023A0000039742","False","","fix_not_available","" 
"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2023-39533","https://nvd.nist.gov/vuln/detail/CVE-2023-39533","go","1.17.13-linux-amd64-bootstrap","1.21.0","1.21.1","go","2023A0000039533","False","It's unclear if the vulnerable go pacakge 'go-libp2p' is actually used by anything Ghaf depends-on. The issue is included here, since NVD CPE refers go compiler 'golang:go' up to version 1.20.6. As soon as the nixpkgs PR that updates to go 1.20.7 (https://github.com/NixOS/nixpkgs/pull/246663) is in Ghaf, this issue should no longer be included in the reports.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/113862 
@@ -721,85 +714,46 @@ https://github.com/NixOS/nixpkgs/pull/82958" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2014-4859","https://nvd.nist.gov/vuln/detail/CVE-2014-4859","edk2","202305","","","","2014A0000004859","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2012-3509","https://nvd.nist.gov/vuln/detail/CVE-2012-3509","libiberty","12.3.0","","","","2012A0000003509","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" "packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2010-4226","https://nvd.nist.gov/vuln/detail/CVE-2010-4226","cpio","2.14","","","","2010A0000004226","True","NVD data issue: concerns OpenSuSE, not cpio.","err_missing_repology_version","" -"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","GHSA-wrrj-h57r-vx9p","https://osv.dev/GHSA-wrrj-h57r-vx9p","cargo","1.71.1","0.4.9","0.4.9","r:cargo","2023A1692835200","False","","err_not_vulnerable_based_on_repology","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","GHSA-wrrj-h57r-vx9p","https://osv.dev/GHSA-wrrj-h57r-vx9p","cargo","1.69.0","0.4.9","0.4.9","r:cargo","2023A1692835200","False","","err_not_vulnerable_based_on_repology","" "packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","GHSA-w596-4wvx-j9j6","https://osv.dev/GHSA-w596-4wvx-j9j6","py","1.11.0","1.11.0","1.11.0","python:py","2023A1691452800","False","","err_not_vulnerable_based_on_repology","" 
"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-39742","https://nvd.nist.gov/vuln/detail/CVE-2023-39742","giflib","5.2.1","5.2.1","5.2.1","giflib","2023A0000039742","False","","fix_not_available","" -"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-37769","https://nvd.nist.gov/vuln/detail/CVE-2023-37769","pixman","0.42.2","0.42.2","0.42.2","pixman","2023A0000037769","False","See: https://gitlab.freedesktop.org/pixman/pixman/-/issues/76: ""This somehow got assigned CVE-2023-37769, not sure why NVD keeps assigning CVEs like this. This is just a test executable"".","err_not_vulnerable_based_on_repology","" -"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-31975","https://nvd.nist.gov/vuln/detail/CVE-2023-31975","yasm","1.3.0","","","","2023A0000031975","True","Memory leak in CLI tool, no security impact.","err_missing_repology_version","" -"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-31974","https://nvd.nist.gov/vuln/detail/CVE-2023-31974","yasm","1.3.0","","","","2023A0000031974","True","Crash in CLI tool, no security impact.","err_missing_repology_version","" -"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-31973","https://nvd.nist.gov/vuln/detail/CVE-2023-31973","yasm","1.3.0","","","","2023A0000031973","True","Crash in CLI tool, no security impact.","err_missing_repology_version","" -"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-31972","https://nvd.nist.gov/vuln/detail/CVE-2023-31972","yasm","1.3.0","","","","2023A0000031972","True","Crash in CLI tool, no security impact.","err_missing_repology_version","" 
+"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-31486","https://nvd.nist.gov/vuln/detail/CVE-2023-31486","perl","5.36.0","","","","2023A0000031486","True","Fixed upstream with https://github.com/chansen/p5-http-tiny/pull/153 and nixpkgs patched the issue already in 08/2022 with https://github.com/NixOS/nixpkgs/pull/187480.","err_missing_repology_version","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-31484","https://nvd.nist.gov/vuln/detail/CVE-2023-31484","perl","5.36.0","5.38.0","5.38.0","perl","2023A0000031484","False","","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/241848 +https://github.com/NixOS/nixpkgs/pull/247547" "packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-30571","https://nvd.nist.gov/vuln/detail/CVE-2023-30571","libarchive","3.6.2","3.6.2","3.7.1","libarchive","2023A0000030571","False","No upstream fix available, see: https://github.com/libarchive/libarchive/issues/1876.","fix_update_to_version_upstream","" -"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-30402","https://nvd.nist.gov/vuln/detail/CVE-2023-30402","yasm","1.3.0","","","","2023A0000030402","True","Crash in CLI tool, no security impact.","err_missing_repology_version","" "packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-29383","https://nvd.nist.gov/vuln/detail/CVE-2023-29383","shadow","4.13","4.13","4.14.0","shadow","2023A0000029383","False","Pending merge for nixpkgs master PR: https://github.com/NixOS/nixpkgs/pull/233924. 
TODO: consider taking the upstream version update to 4.14 instead: https://github.com/shadow-maint/shadow/releases.","fix_update_to_version_upstream","https://github.com/NixOS/nixpkgs/pull/233924" "packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-28938","https://nvd.nist.gov/vuln/detail/CVE-2023-28938","mdadm","4.2","4.2","4.2","mdadm","2023A0000028938","False","","fix_not_available","" "packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-28736","https://nvd.nist.gov/vuln/detail/CVE-2023-28736","mdadm","4.2","4.2","4.2","mdadm","2023A0000028736","False","","fix_not_available","" -"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-28115","https://nvd.nist.gov/vuln/detail/CVE-2023-28115","snappy","1.1.10","","","","2023A0000028115","False","","err_missing_repology_version","" -"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-4135","https://nvd.nist.gov/vuln/detail/CVE-2023-4135","qemu","8.1.0","8.1.0","8.1.0","qemu","2023A0000004135","False","Fixed upstream in 8.1.0.","fix_not_available","" "packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-4016","https://nvd.nist.gov/vuln/detail/CVE-2023-4016","procps","3.3.17","","","","2023A0000004016","False","See: https://gitlab.com/procps-ng/procps/-/issues/297. Notice: repology package name is procps-ng: https://repology.org/project/procps-ng/versions.","err_missing_repology_version","" -"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-3724","https://nvd.nist.gov/vuln/detail/CVE-2023-3724","wolfssl","5.5.4","5.5.4","5.6.3","wolfssl","2023A0000003724","False","Issue is fixed in 5.6.2: https://www.wolfssl.com/docs/security-vulnerabilities/. 
Nixpkgs PR: https://github.com/NixOS/nixpkgs/pull/239027.","fix_update_to_version_upstream","https://github.com/NixOS/nixpkgs/pull/239027 -https://github.com/NixOS/nixpkgs/pull/246451" -"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-3354","https://nvd.nist.gov/vuln/detail/CVE-2023-3354","qemu","8.1.0","8.1.0","8.1.0","qemu","2023A0000003354","False","Fixed in 8.0.4: https://gitlab.com/qemu-project/qemu/-/commit/5300472ec0990c61742d89b5eea1c1e6941f6d62. Nixpkgs PR: https://github.com/NixOS/nixpkgs/pull/251036.","err_not_vulnerable_based_on_repology","https://github.com/NixOS/nixpkgs/pull/248659" -"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-3180","https://nvd.nist.gov/vuln/detail/CVE-2023-3180","qemu","8.1.0","8.1.0","8.1.0","qemu","2023A0000003180","False","Fixed in 8.0.4: https://gitlab.com/qemu-project/qemu/-/commit/49f1e02bac166821c712534aaa775f50e1afe17f. Nixpkgs PR: https://github.com/NixOS/nixpkgs/pull/251036.","err_not_vulnerable_based_on_repology","https://github.com/NixOS/nixpkgs/pull/248659" -"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-3019","https://nvd.nist.gov/vuln/detail/CVE-2023-3019","qemu","8.1.0","8.1.0","8.1.0","qemu","2023A0000003019","False","Revisit when fixed upstream: https://lists.nongnu.org/archive/html/qemu-devel/2023-05/msg08310.html.","err_not_vulnerable_based_on_repology","" -"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-1386","https://nvd.nist.gov/vuln/detail/CVE-2023-1386","qemu","8.1.0","8.1.0","8.1.0","qemu","2023A0000001386","False","Revisit when fixed upstream: https://github.com/v9fs/linux/issues/29.","fix_not_available","" 
-"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","OSV-2023-505","https://osv.dev/OSV-2023-505","file","5.45","5.45","5.45","file","2023A0000000505","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology","" -"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","OSV-2023-390","https://osv.dev/OSV-2023-390","qemu","8.1.0","8.1.0","8.1.0","qemu","2023A0000000390","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology","" -"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","OSV-2023-197","https://osv.dev/OSV-2023-197","p11-kit","0.25.0","0.25.0","0.25.0","p11-kit","2023A0000000197","False","","err_not_vulnerable_based_on_repology","" -"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","OSV-2023-137","https://osv.dev/OSV-2023-137","harfbuzz","7.3.0","","","","2023A0000000137","True","Based on https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=56510#c2, the issue is fixed in range https://github.com/harfbuzz/harfbuzz/compare/67e01c1292821e7b6fc2ab13acddb84ab41b2187...60841e26187576bff477c1a09ee2ffe544844abc all of which have been merged in 7.1.0.","err_missing_repology_version","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-3817","https://nvd.nist.gov/vuln/detail/CVE-2023-3817","openssl","3.0.9","3.1.0","3.1.0","ruby:openssl","2023A0000003817","False","openssl LTS release 3.0.10 fixes the issue, nixpkgs PR: https://github.com/NixOS/nixpkgs/pull/246579.","err_not_vulnerable_based_on_repology","https://github.com/NixOS/nixpkgs/pull/247537 +https://github.com/NixOS/nixpkgs/pull/248715" 
+"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-2610","https://nvd.nist.gov/vuln/detail/CVE-2023-2610","vim","9.0.1441","9.0.1811","9.0.1882","vim","2023A0000002610","False","Consider backporting nixpkgs PR https://github.com/NixOS/nixpkgs/pull/239484 to 23.05.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/251896" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-2609","https://nvd.nist.gov/vuln/detail/CVE-2023-2609","vim","9.0.1441","9.0.1811","9.0.1882","vim","2023A0000002609","False","Consider backporting nixpkgs PR https://github.com/NixOS/nixpkgs/pull/239484 to 23.05.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/251896" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2023-2426","https://nvd.nist.gov/vuln/detail/CVE-2023-2426","vim","9.0.1441","9.0.1811","9.0.1882","vim","2023A0000002426","False","Consider backporting nixpkgs PR https://github.com/NixOS/nixpkgs/pull/239484 to 23.05.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/251896" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","OSV-2023-505","https://osv.dev/OSV-2023-505","file","5.44","5.45","5.45","file","2023A0000000505","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology","" "packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2022-42969","https://nvd.nist.gov/vuln/detail/CVE-2022-42969","py","1.11.0","","","","2022A0000042969","True","Disputed upstream: https://github.com/pytest-dev/py/issues/287#issuecomment-1283567565.","err_missing_repology_version","" 
"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","PYSEC-2022-42969","https://osv.dev/PYSEC-2022-42969","py","1.11.0","","","","2022A0000042969","True","Same as CVE-2022-42969.","err_missing_repology_version","" -"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2022-38663","https://nvd.nist.gov/vuln/detail/CVE-2022-38663","git","2.41.0","","","","2022A0000038663","True","Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96.","err_missing_repology_version","" -"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2022-36884","https://nvd.nist.gov/vuln/detail/CVE-2022-36884","git","2.41.0","","","","2022A0000036884","True","Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96.","err_missing_repology_version","" -"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2022-36883","https://nvd.nist.gov/vuln/detail/CVE-2022-36883","git","2.41.0","","","","2022A0000036883","True","Incorrect package: Impacts Jenkins git plugin, not git. 
Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96.","err_missing_repology_version","" -"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2022-36882","https://nvd.nist.gov/vuln/detail/CVE-2022-36882","git","2.41.0","","","","2022A0000036882","True","Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96.","err_missing_repology_version","" -"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2022-30949","https://nvd.nist.gov/vuln/detail/CVE-2022-30949","git","2.41.0","","","","2022A0000030949","True","Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96.","err_missing_repology_version","" -"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2022-30948","https://nvd.nist.gov/vuln/detail/CVE-2022-30948","git","2.41.0","","","","2022A0000030948","True","Incorrect package: Impacts Jenkins git plugin, not git. 
Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96.","err_missing_repology_version","" -"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2022-30947","https://nvd.nist.gov/vuln/detail/CVE-2022-30947","git","2.41.0","","","","2022A0000030947","True","Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96.","err_missing_repology_version","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2022-38663","https://nvd.nist.gov/vuln/detail/CVE-2022-38663","git","2.40.1","","","","2022A0000038663","True","Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96.","err_missing_repology_version","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2022-36884","https://nvd.nist.gov/vuln/detail/CVE-2022-36884","git","2.40.1","","","","2022A0000036884","True","Incorrect package: Impacts Jenkins git plugin, not git. 
Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96.","err_missing_repology_version","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2022-36883","https://nvd.nist.gov/vuln/detail/CVE-2022-36883","git","2.40.1","","","","2022A0000036883","True","Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96.","err_missing_repology_version","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2022-36882","https://nvd.nist.gov/vuln/detail/CVE-2022-36882","git","2.40.1","","","","2022A0000036882","True","Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96.","err_missing_repology_version","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2022-30949","https://nvd.nist.gov/vuln/detail/CVE-2022-30949","git","2.40.1","","","","2022A0000030949","True","Incorrect package: Impacts Jenkins git plugin, not git. 
Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96.","err_missing_repology_version","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2022-30948","https://nvd.nist.gov/vuln/detail/CVE-2022-30948","git","2.40.1","","","","2022A0000030948","True","Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96.","err_missing_repology_version","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2022-30947","https://nvd.nist.gov/vuln/detail/CVE-2022-30947","git","2.40.1","","","","2022A0000030947","True","Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96.","err_missing_repology_version","" "packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2022-28321","https://nvd.nist.gov/vuln/detail/CVE-2022-28321","linux-pam","1.5.2","","","","2022A0000028321","True","Only impacts SUSE-specific patch version. 
Notice: repology package name is pam: https://repology.org/project/pam/versions.","err_missing_repology_version","" "packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","MAL-2022-4301","https://osv.dev/MAL-2022-4301","libidn2","2.3.4","","","","2022A0000004301","True","Incorrect package: Issue refers npm libidn2, whereas, nixpkgs refers libidn2 https://gitlab.com/libidn/libidn2.","err_missing_repology_version","" -"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2022-3219","https://nvd.nist.gov/vuln/detail/CVE-2022-3219","gnupg","2.4.1","","","","2022A0000003219","True","Fix patch is not accepted upstream: https://dev.gnupg.org/D556.","err_missing_repology_version","" +"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2022-3219","https://nvd.nist.gov/vuln/detail/CVE-2022-3219","gnupg","2.4.0","","","","2022A0000003219","True","Fix patch is not accepted upstream: https://dev.gnupg.org/D556.","err_missing_repology_version","" "packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","OSV-2022-1193","https://osv.dev/OSV-2022-1193","libarchive","3.6.2","","","","2022A0000001193","True","Fixed based on https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=53594#c3.","err_missing_repology_version","" -"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","OSV-2022-842","https://osv.dev/OSV-2022-842","wolfssl","5.5.4","5.5.4","5.6.3","wolfssl","2022A0000000842","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology","" -"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","OSV-2022-725","https://osv.dev/OSV-2022-725","libjxl","0.8.2","0.8.2","0.8.2","libjxl","2022A0000000725","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology","" 
-"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","OSV-2022-608","https://osv.dev/OSV-2022-608","libjxl","0.8.2","0.8.2","0.8.2","libjxl","2022A0000000608","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology","" -"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","OSV-2022-581","https://osv.dev/OSV-2022-581","qemu","8.1.0","8.1.0","8.1.0","qemu","2022A0000000581","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology","" "packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","OSV-2022-193","https://osv.dev/OSV-2022-193","w3m","0.5.3+git20230121","0.5.3+git20230121","0.5.3+git20230121","w3m","2022A0000000193","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology","" "packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","OSV-2022-183","https://osv.dev/OSV-2022-183","binutils","2.40","","","","2022A0000000183","True","Fixed based on https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=44864#c2.","err_missing_repology_version","" -"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2021-33468","https://nvd.nist.gov/vuln/detail/CVE-2021-33468","yasm","1.3.0","","","","2021A0000033468","True","Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'.","err_missing_repology_version","" -"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2021-33467","https://nvd.nist.gov/vuln/detail/CVE-2021-33467","yasm","1.3.0","","","","2021A0000033467","True","Issue is not fixed upstream. 
Other distributions have triaged the issue as minor or 'no security impact'.","err_missing_repology_version","" -"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2021-33466","https://nvd.nist.gov/vuln/detail/CVE-2021-33466","yasm","1.3.0","","","","2021A0000033466","True","Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'.","err_missing_repology_version","" -"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2021-33465","https://nvd.nist.gov/vuln/detail/CVE-2021-33465","yasm","1.3.0","","","","2021A0000033465","True","Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'.","err_missing_repology_version","" -"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2021-33464","https://nvd.nist.gov/vuln/detail/CVE-2021-33464","yasm","1.3.0","","","","2021A0000033464","True","Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'.","err_missing_repology_version","" -"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2021-33463","https://nvd.nist.gov/vuln/detail/CVE-2021-33463","yasm","1.3.0","","","","2021A0000033463","True","Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'.","err_missing_repology_version","" -"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2021-33462","https://nvd.nist.gov/vuln/detail/CVE-2021-33462","yasm","1.3.0","","","","2021A0000033462","True","Issue is not fixed upstream. 
Other distributions have triaged the issue as minor or 'no security impact'.","err_missing_repology_version","" -"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2021-33461","https://nvd.nist.gov/vuln/detail/CVE-2021-33461","yasm","1.3.0","","","","2021A0000033461","True","Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'.","err_missing_repology_version","" -"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2021-33460","https://nvd.nist.gov/vuln/detail/CVE-2021-33460","yasm","1.3.0","","","","2021A0000033460","True","Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'.","err_missing_repology_version","" -"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2021-33459","https://nvd.nist.gov/vuln/detail/CVE-2021-33459","yasm","1.3.0","","","","2021A0000033459","True","Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'.","err_missing_repology_version","" -"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2021-33458","https://nvd.nist.gov/vuln/detail/CVE-2021-33458","yasm","1.3.0","","","","2021A0000033458","True","Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'.","err_missing_repology_version","" -"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2021-33457","https://nvd.nist.gov/vuln/detail/CVE-2021-33457","yasm","1.3.0","","","","2021A0000033457","True","Issue is not fixed upstream. 
Other distributions have triaged the issue as minor or 'no security impact'.","err_missing_repology_version","" -"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2021-33456","https://nvd.nist.gov/vuln/detail/CVE-2021-33456","yasm","1.3.0","","","","2021A0000033456","True","Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'.","err_missing_repology_version","" -"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2021-33455","https://nvd.nist.gov/vuln/detail/CVE-2021-33455","yasm","1.3.0","","","","2021A0000033455","True","Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'.","err_missing_repology_version","" -"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2021-33454","https://nvd.nist.gov/vuln/detail/CVE-2021-33454","yasm","1.3.0","","","","2021A0000033454","True","Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'.","err_missing_repology_version","" -"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2021-26945","https://nvd.nist.gov/vuln/detail/CVE-2021-26945","openexr","2.5.8","","","","2021A0000026945","True","Fix patch https://github.com/AcademySoftwareFoundation/openexr/pull/930/commits/b73ec53bd24ba116d7bf48ebdc868301c596706e modifies a file that is not available in openexr 2. Thus, the fix doesn't apply to 2.5.8.","err_missing_repology_version","" -"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2021-26260","https://nvd.nist.gov/vuln/detail/CVE-2021-26260","openexr","2.5.8","","","","2021A0000026260","True","False positive to the NVD data issue. Fixed in openexr 2.5.8. 
Upstream fix PR https://github.com/AcademySoftwareFoundation/openexr/commit/4212416433a230334cef0ac122cb8d722746035d which went to 2.5.5.","err_missing_repology_version",""
-"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2021-23215","https://nvd.nist.gov/vuln/detail/CVE-2021-23215","openexr","2.5.8","","","","2021A0000023215","True","False positive to the NVD data issue. Fixed in openexr 2.5.8. Upstream fix PR https://github.com/AcademySoftwareFoundation/openexr/commit/4212416433a230334cef0ac122cb8d722746035d which went to 2.5.5.","err_missing_repology_version",""
-"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2021-23169","https://nvd.nist.gov/vuln/detail/CVE-2021-23169","openexr","2.5.8","","","","2021A0000023169","True","False positive to the NVD data issue. Fixed in openexr 2.5.8. Upstream fix PR https://github.com/AcademySoftwareFoundation/openexr/pull/1040 which went to 2.5.7.","err_missing_repology_version",""
-"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2021-21684","https://nvd.nist.gov/vuln/detail/CVE-2021-21684","git","2.41.0","","","","2021A0000021684","True","Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96.","err_missing_repology_version",""
-"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2021-20255","https://nvd.nist.gov/vuln/detail/CVE-2021-20255","qemu","8.1.0","","","","2021A0000020255","True","Upstream patch not merged: https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg06098.html. 
No point fixing this in nixpkgs as long as it is not fixed upstream.","err_missing_repology_version",""
+"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2021-21684","https://nvd.nist.gov/vuln/detail/CVE-2021-21684","git","2.40.1","","","","2021A0000021684","True","Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96.","err_missing_repology_version",""
 "packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2021-4336","https://nvd.nist.gov/vuln/detail/CVE-2021-4336","ninja","1.11.1","","","","2021A0000004336","True","Incorrect package: nixpkgs 'ninja' refers https://github.com/ninja-build/ninja, not https://github.com/ITRS-Group/monitor-ninja.","err_missing_repology_version",""
 "packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2021-4217","https://nvd.nist.gov/vuln/detail/CVE-2021-4217","unzip","6.0","","","","2021A0000004217","True","Ignored by other distribution as 'no security impact', e.g. Debian: https://security-tracker.debian.org/tracker/CVE-2021-4217.","err_missing_repology_version",""
-"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2021-3605","https://nvd.nist.gov/vuln/detail/CVE-2021-3605","openexr","2.5.8","","","","2021A0000003605","True","False positive to the NVD data issue. Fixed in openexr 2.5.8. 
Upstream fix PR https://github.com/AcademySoftwareFoundation/openexr/pull/1040 which went to 2.5.7.","err_missing_repology_version",""
-"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2021-3598","https://nvd.nist.gov/vuln/detail/CVE-2021-3598","openexr","2.5.8","","","","2021A0000003598","True","False positive to the NVD data issue. Fixed in openexr 2.5.8. Upstream fix PR https://github.com/AcademySoftwareFoundation/openexr/pull/1040 which went to 2.5.7.","err_missing_repology_version",""
-"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","OSV-2021-820","https://osv.dev/OSV-2021-820","qemu","8.1.0","","","","2021A0000000820","True","Fixed based on https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=34831#c2.","err_missing_repology_version",""
-"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","OSV-2021-777","https://osv.dev/OSV-2021-777","libxml2","2.11.4","","","","2021A0000000777","True","Fixed by https://gitlab.gnome.org/GNOME/libxml2/-/commit/8f5ccada05ddd4a1ff8e399ad39fc7cd4bd33325, which went to 2.9.13. Therefore, this issue is fixed in 2.10.4.","err_missing_repology_version",""
+"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","OSV-2021-777","https://osv.dev/OSV-2021-777","libxml2","2.10.4","","","","2021A0000000777","True","Fixed by https://gitlab.gnome.org/GNOME/libxml2/-/commit/8f5ccada05ddd4a1ff8e399ad39fc7cd4bd33325, which went to 2.9.13. 
Therefore, this issue is fixed in 2.10.4.","err_missing_repology_version",""
 "packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2020-16194","https://nvd.nist.gov/vuln/detail/CVE-2020-16194","quote","1.0.20","","","","2020A0000016194","True","Incorrect package: Issue concerns prestashop product: https://prestashop.com/, whereas, nixpkgs ""quote"" refers rust package 'quote': https://docs.rs/quote/latest/quote/.","err_missing_repology_version",""
-"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2020-2136","https://nvd.nist.gov/vuln/detail/CVE-2020-2136","git","2.41.0","2.41.0","2.42.0","git","2020A0000002136","False","","err_not_vulnerable_based_on_repology","https://github.com/NixOS/nixpkgs/pull/82872
+"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2020-2136","https://nvd.nist.gov/vuln/detail/CVE-2020-2136","git","2.40.1","2.41.0","2.42.0","git","2020A0000002136","False","","err_not_vulnerable_based_on_repology","https://github.com/NixOS/nixpkgs/pull/82872 https://github.com/NixOS/nixpkgs/pull/84664"
-"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","OSV-2020-1610","https://osv.dev/OSV-2020-1610","openexr","2.5.8","3.1.10","3.2.0","openexr","2020A0000001610","False","","err_not_vulnerable_based_on_repology",""
-"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","OSV-2020-438","https://osv.dev/OSV-2020-438","capstone","4.0.2","4.0.2","5.0.1","capstone","2020A0000000438","False","","err_not_vulnerable_based_on_repology",""
-"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","OSV-2020-438","https://osv.dev/OSV-2020-438","capstone","4.0.2","4.0.2","5.0.1","python:capstone","2020A0000000438","False","","err_not_vulnerable_based_on_repology",""
-"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2019-1003010","https://nvd.nist.gov/vuln/detail/CVE-2019-1003010","git","2.41.0","","","","2019A0001003010","True","Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96.","err_missing_repology_version",""
+"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2019-1003010","https://nvd.nist.gov/vuln/detail/CVE-2019-1003010","git","2.40.1","","","","2019A0001003010","True","Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96.","err_missing_repology_version",""
 "packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2019-20633","https://nvd.nist.gov/vuln/detail/CVE-2019-20633","patch","2.7.6","","","","2019A0000020633","True","Upstream patch is not merged: https://savannah.gnu.org/bugs/index.php?56683. Not sure why this isn't fixed upstream. No point fixing this in nixpkgs as long as it is not fixed upstream.","err_missing_repology_version",""
 "packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2019-14900","https://nvd.nist.gov/vuln/detail/CVE-2019-14900","fuse","3.11.0","","","","2019A0000014900","True","Incorrect package: Issue concerns redhat fuse (https://developers.redhat.com/products/fuse/overview) not libfuse https://github.com/libfuse/libfuse/ which is what 'fuse' package in nixpkgs refers. 
Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives.","err_missing_repology_version",""
 "packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2019-14900","https://nvd.nist.gov/vuln/detail/CVE-2019-14900","fuse","2.9.9-closefrom-glibc-2-34.patch?id=8a970396fca7aca2d5a761b8e7a8242f1eef14c9","","","","2019A0000014900","True","Incorrect package: Issue concerns redhat fuse (https://developers.redhat.com/products/fuse/overview) not libfuse https://github.com/libfuse/libfuse/ which is what 'fuse' package in nixpkgs refers. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives.","err_missing_repology_version",""
@@ -808,28 +762,12 @@ https://github.com/NixOS/nixpkgs/pull/84664"
 "packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2019-14860","https://nvd.nist.gov/vuln/detail/CVE-2019-14860","fuse","2.9.9-closefrom-glibc-2-34.patch?id=8a970396fca7aca2d5a761b8e7a8242f1eef14c9","","","","2019A0000014860","True","Incorrect package: Issue concerns redhat fuse (https://developers.redhat.com/products/fuse/overview) not libfuse https://github.com/libfuse/libfuse/ which is what 'fuse' package in nixpkgs refers. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives.","err_missing_repology_version",""
 "packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2019-14860","https://nvd.nist.gov/vuln/detail/CVE-2019-14860","fuse","2.9.9","","","","2019A0000014860","True","Incorrect package: Issue concerns redhat fuse (https://developers.redhat.com/products/fuse/overview) not libfuse https://github.com/libfuse/libfuse/ which is what 'fuse' package in nixpkgs refers. 
Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives.","err_missing_repology_version",""
 "packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2019-12749","https://nvd.nist.gov/vuln/detail/CVE-2019-12749","dbus","1","","","","2019A0000012749","True","Fixed with https://github.com/NixOS/nixpkgs/pull/63021 (dbus version '1' in nixpkgs currently refers 1.14.8).","err_missing_repology_version",""
-"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2019-12067","https://nvd.nist.gov/vuln/detail/CVE-2019-12067","qemu","8.1.0","","","","2019A0000012067","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version",""
-"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2019-6470","https://nvd.nist.gov/vuln/detail/CVE-2019-6470","bind","9.18.18","","","","2019A0000006470","True","Not valid: https://github.com/NixOS/nixpkgs/issues/73617#issuecomment-569491606.","err_missing_repology_version",""
-"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2019-6462","https://nvd.nist.gov/vuln/detail/CVE-2019-6462","cairo","1.16.0","","","","2019A0000006462","True","Not a valid: https://github.com/NixOS/nixpkgs/pull/218039#issuecomment-1445460129.","err_missing_repology_version",""
-"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2019-6461","https://nvd.nist.gov/vuln/detail/CVE-2019-6461","cairo","1.16.0","","","","2019A0000006461","True","Not valid: https://github.com/NixOS/nixpkgs/pull/218039#issuecomment-1445460129.","err_missing_repology_version",""
+"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2019-6470","https://nvd.nist.gov/vuln/detail/CVE-2019-6470","bind","9.18.16","","","","2019A0000006470","True","Not valid: https://github.com/NixOS/nixpkgs/issues/73617#issuecomment-569491606.","err_missing_repology_version",""
 "packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2019-6293","https://nvd.nist.gov/vuln/detail/CVE-2019-6293","flex","2.6.4","","","","2019A0000006293","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version",""
-"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2018-1000182","https://nvd.nist.gov/vuln/detail/CVE-2018-1000182","git","2.41.0","","","","2018A0001000182","True","Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96.","err_missing_repology_version",""
-"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2018-1000110","https://nvd.nist.gov/vuln/detail/CVE-2018-1000110","git","2.41.0","","","","2018A0001000110","True","Incorrect package: Impacts Jenkins git plugin, not git. 
Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96.","err_missing_repology_version",""
-"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2018-18438","https://nvd.nist.gov/vuln/detail/CVE-2018-18438","qemu","8.1.0","","","","2018A0000018438","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version",""
-"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2017-5436","https://nvd.nist.gov/vuln/detail/CVE-2017-5436","graphite2","1.3.14","","","","2017A0000005436","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version",""
-"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2016-6131","https://nvd.nist.gov/vuln/detail/CVE-2016-6131","libiberty","12.3.0","","","","2016A0000006131","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version",""
-"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2016-4493","https://nvd.nist.gov/vuln/detail/CVE-2016-4493","libiberty","12.3.0","","","","2016A0000004493","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version",""
-"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2016-4492","https://nvd.nist.gov/vuln/detail/CVE-2016-4492","libiberty","12.3.0","","","","2016A0000004492","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version",""
-"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2016-4491","https://nvd.nist.gov/vuln/detail/CVE-2016-4491","libiberty","12.3.0","","","","2016A0000004491","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version",""
-"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2016-4490","https://nvd.nist.gov/vuln/detail/CVE-2016-4490","libiberty","12.3.0","","","","2016A0000004490","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version",""
-"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2016-4489","https://nvd.nist.gov/vuln/detail/CVE-2016-4489","libiberty","12.3.0","","","","2016A0000004489","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version",""
-"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2016-4488","https://nvd.nist.gov/vuln/detail/CVE-2016-4488","libiberty","12.3.0","","","","2016A0000004488","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version",""
-"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2016-4487","https://nvd.nist.gov/vuln/detail/CVE-2016-4487","libiberty","12.3.0","","","","2016A0000004487","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version",""
-"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2016-2781","https://nvd.nist.gov/vuln/detail/CVE-2016-2781","coreutils","9.3","","","","2016A0000002781","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version",""
-"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2016-2226","https://nvd.nist.gov/vuln/detail/CVE-2016-2226","libiberty","12.3.0","","","","2016A0000002226","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version",""
+"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2018-1000182","https://nvd.nist.gov/vuln/detail/CVE-2018-1000182","git","2.40.1","","","","2018A0001000182","True","Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96.","err_missing_repology_version",""
+"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2018-1000110","https://nvd.nist.gov/vuln/detail/CVE-2018-1000110","git","2.40.1","","","","2018A0001000110","True","Incorrect package: Impacts Jenkins git plugin, not git. 
Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96.","err_missing_repology_version",""
+"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2016-2781","https://nvd.nist.gov/vuln/detail/CVE-2016-2781","coreutils","9.1","","","","2016A0000002781","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version",""
 "packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2015-7313","https://nvd.nist.gov/vuln/detail/CVE-2015-7313","libtiff","4.5.1","","","","2015A0000007313","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version",""
-"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2014-9157","https://nvd.nist.gov/vuln/detail/CVE-2014-9157","graphviz","8.1.0","","","","2014A0000009157","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version",""
-"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2012-3509","https://nvd.nist.gov/vuln/detail/CVE-2012-3509","libiberty","12.3.0","","","","2012A0000003509","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version",""
 "packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","current","CVE-2010-4226","https://nvd.nist.gov/vuln/detail/CVE-2010-4226","cpio","2.14","","","","2010A0000004226","True","NVD data issue: concerns OpenSuSE, not cpio.","err_missing_repology_version",""
 "packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","lock_updated","GHSA-wrrj-h57r-vx9p","https://osv.dev/GHSA-wrrj-h57r-vx9p","cargo","1.69.0","0.4.9","0.4.9","r:cargo","2023A1692835200","False","","err_not_vulnerable_based_on_repology",""
 "packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","lock_updated","GHSA-w596-4wvx-j9j6","https://osv.dev/GHSA-w596-4wvx-j9j6","py","1.11.0","1.11.0","1.11.0","python:py","2023A1691452800","False","","err_not_vulnerable_based_on_repology",""
@@ -842,12 +780,9 @@ https://github.com/NixOS/nixpkgs/pull/247547"
 "packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2023-28938","https://nvd.nist.gov/vuln/detail/CVE-2023-28938","mdadm","4.2","4.2","4.2","mdadm","2023A0000028938","False","","fix_not_available",""
 "packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2023-28736","https://nvd.nist.gov/vuln/detail/CVE-2023-28736","mdadm","4.2","4.2","4.2","mdadm","2023A0000028736","False","","fix_not_available",""
 "packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2023-4016","https://nvd.nist.gov/vuln/detail/CVE-2023-4016","procps","3.3.17","","","","2023A0000004016","False","See: https://gitlab.com/procps-ng/procps/-/issues/297. Notice: repology package name is procps-ng: https://repology.org/project/procps-ng/versions.","err_missing_repology_version",""
-"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2023-2610","https://nvd.nist.gov/vuln/detail/CVE-2023-2610","vim","9.0.1441","9.0.1642","9.0.1882","vim","2023A0000002610","False","Consider backporting nixpkgs PR https://github.com/NixOS/nixpkgs/pull/239484 to 23.05.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/239484
-https://github.com/NixOS/nixpkgs/pull/251896"
-"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2023-2609","https://nvd.nist.gov/vuln/detail/CVE-2023-2609","vim","9.0.1441","9.0.1642","9.0.1882","vim","2023A0000002609","False","Consider backporting nixpkgs PR https://github.com/NixOS/nixpkgs/pull/239484 to 23.05.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/239484
-https://github.com/NixOS/nixpkgs/pull/251896"
-"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2023-2426","https://nvd.nist.gov/vuln/detail/CVE-2023-2426","vim","9.0.1441","9.0.1642","9.0.1882","vim","2023A0000002426","False","Consider backporting nixpkgs PR https://github.com/NixOS/nixpkgs/pull/239484 to 23.05.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/239484
-https://github.com/NixOS/nixpkgs/pull/251896"
+"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2023-2610","https://nvd.nist.gov/vuln/detail/CVE-2023-2610","vim","9.0.1441","9.0.1811","9.0.1882","vim","2023A0000002610","False","Consider backporting nixpkgs PR https://github.com/NixOS/nixpkgs/pull/239484 to 23.05.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/251896"
+"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2023-2609","https://nvd.nist.gov/vuln/detail/CVE-2023-2609","vim","9.0.1441","9.0.1811","9.0.1882","vim","2023A0000002609","False","Consider backporting nixpkgs PR https://github.com/NixOS/nixpkgs/pull/239484 to 23.05.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/251896"
+"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2023-2426","https://nvd.nist.gov/vuln/detail/CVE-2023-2426","vim","9.0.1441","9.0.1811","9.0.1882","vim","2023A0000002426","False","Consider backporting nixpkgs PR https://github.com/NixOS/nixpkgs/pull/239484 to 23.05.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/251896"
 "packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","lock_updated","OSV-2023-505","https://osv.dev/OSV-2023-505","file","5.44","5.45","5.45","file","2023A0000000505","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology",""
 "packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2022-42969","https://nvd.nist.gov/vuln/detail/CVE-2022-42969","py","1.11.0","","","","2022A0000042969","True","Disputed upstream: https://github.com/pytest-dev/py/issues/287#issuecomment-1283567565.","err_missing_repology_version",""
 "packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","lock_updated","PYSEC-2022-42969","https://osv.dev/PYSEC-2022-42969","py","1.11.0","","","","2022A0000042969","True","Same as CVE-2022-42969.","err_missing_repology_version",""
@@ -887,113 +822,3 @@ https://github.com/NixOS/nixpkgs/pull/84664"
 "packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2016-2781","https://nvd.nist.gov/vuln/detail/CVE-2016-2781","coreutils","9.1","","","","2016A0000002781","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version",""
 "packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2015-7313","https://nvd.nist.gov/vuln/detail/CVE-2015-7313","libtiff","4.5.1","","","","2015A0000007313","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version",""
 "packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","lock_updated","CVE-2010-4226","https://nvd.nist.gov/vuln/detail/CVE-2010-4226","cpio","2.14","","","","2010A0000004226","True","NVD data issue: concerns OpenSuSE, not cpio.","err_missing_repology_version",""
-"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","GHSA-wrrj-h57r-vx9p","https://osv.dev/GHSA-wrrj-h57r-vx9p","cargo","1.71.1","0.4.9","0.4.9","r:cargo","2023A1692835200","False","","err_not_vulnerable_based_on_repology",""
-"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","GHSA-w596-4wvx-j9j6","https://osv.dev/GHSA-w596-4wvx-j9j6","py","1.11.0","1.11.0","1.11.0","python:py","2023A1691452800","False","","err_not_vulnerable_based_on_repology",""
-"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2023-39742","https://nvd.nist.gov/vuln/detail/CVE-2023-39742","giflib","5.2.1","5.2.1","5.2.1","giflib","2023A0000039742","False","","fix_not_available",""
-"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2023-37769","https://nvd.nist.gov/vuln/detail/CVE-2023-37769","pixman","0.42.2","0.42.2","0.42.2","pixman","2023A0000037769","False","See: https://gitlab.freedesktop.org/pixman/pixman/-/issues/76: ""This somehow got assigned CVE-2023-37769, not sure why NVD keeps assigning CVEs like this. This is just a test executable"".","err_not_vulnerable_based_on_repology",""
-"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2023-31975","https://nvd.nist.gov/vuln/detail/CVE-2023-31975","yasm","1.3.0","","","","2023A0000031975","True","Memory leak in CLI tool, no security impact.","err_missing_repology_version",""
-"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2023-31974","https://nvd.nist.gov/vuln/detail/CVE-2023-31974","yasm","1.3.0","","","","2023A0000031974","True","Crash in CLI tool, no security impact.","err_missing_repology_version",""
-"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2023-31973","https://nvd.nist.gov/vuln/detail/CVE-2023-31973","yasm","1.3.0","","","","2023A0000031973","True","Crash in CLI tool, no security impact.","err_missing_repology_version",""
-"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2023-31972","https://nvd.nist.gov/vuln/detail/CVE-2023-31972","yasm","1.3.0","","","","2023A0000031972","True","Crash in CLI tool, no security impact.","err_missing_repology_version",""
-"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2023-30571","https://nvd.nist.gov/vuln/detail/CVE-2023-30571","libarchive","3.6.2","3.6.2","3.7.1","libarchive","2023A0000030571","False","No upstream fix available, see: 
https://github.com/libarchive/libarchive/issues/1876.","fix_update_to_version_upstream",""
-"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2023-30402","https://nvd.nist.gov/vuln/detail/CVE-2023-30402","yasm","1.3.0","","","","2023A0000030402","True","Crash in CLI tool, no security impact.","err_missing_repology_version",""
-"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2023-29383","https://nvd.nist.gov/vuln/detail/CVE-2023-29383","shadow","4.13","4.13","4.14.0","shadow","2023A0000029383","False","Pending merge for nixpkgs master PR: https://github.com/NixOS/nixpkgs/pull/233924. TODO: consider taking the upstream version update to 4.14 instead: https://github.com/shadow-maint/shadow/releases.","fix_update_to_version_upstream","https://github.com/NixOS/nixpkgs/pull/233924"
-"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2023-28938","https://nvd.nist.gov/vuln/detail/CVE-2023-28938","mdadm","4.2","4.2","4.2","mdadm","2023A0000028938","False","","fix_not_available",""
-"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2023-28736","https://nvd.nist.gov/vuln/detail/CVE-2023-28736","mdadm","4.2","4.2","4.2","mdadm","2023A0000028736","False","","fix_not_available",""
-"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2023-28115","https://nvd.nist.gov/vuln/detail/CVE-2023-28115","snappy","1.1.10","","","","2023A0000028115","False","","err_missing_repology_version",""
-"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2023-4135","https://nvd.nist.gov/vuln/detail/CVE-2023-4135","qemu","8.1.0","8.1.0","8.1.0","qemu","2023A0000004135","False","Fixed upstream in 8.1.0.","fix_not_available",""
-"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2023-4016","https://nvd.nist.gov/vuln/detail/CVE-2023-4016","procps","3.3.17","","","","2023A0000004016","False","See: https://gitlab.com/procps-ng/procps/-/issues/297. Notice: repology package name is procps-ng: https://repology.org/project/procps-ng/versions.","err_missing_repology_version",""
-"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2023-3724","https://nvd.nist.gov/vuln/detail/CVE-2023-3724","wolfssl","5.5.4","5.5.4","5.6.3","wolfssl","2023A0000003724","False","Issue is fixed in 5.6.2: https://www.wolfssl.com/docs/security-vulnerabilities/. Nixpkgs PR: https://github.com/NixOS/nixpkgs/pull/239027.","fix_update_to_version_upstream","https://github.com/NixOS/nixpkgs/pull/239027
-https://github.com/NixOS/nixpkgs/pull/246451"
-"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2023-3354","https://nvd.nist.gov/vuln/detail/CVE-2023-3354","qemu","8.1.0","8.1.0","8.1.0","qemu","2023A0000003354","False","Fixed in 8.0.4: https://gitlab.com/qemu-project/qemu/-/commit/5300472ec0990c61742d89b5eea1c1e6941f6d62. Nixpkgs PR: https://github.com/NixOS/nixpkgs/pull/251036.","err_not_vulnerable_based_on_repology","https://github.com/NixOS/nixpkgs/pull/248659"
-"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2023-3180","https://nvd.nist.gov/vuln/detail/CVE-2023-3180","qemu","8.1.0","8.1.0","8.1.0","qemu","2023A0000003180","False","Fixed in 8.0.4: https://gitlab.com/qemu-project/qemu/-/commit/49f1e02bac166821c712534aaa775f50e1afe17f. 
Nixpkgs PR: https://github.com/NixOS/nixpkgs/pull/251036.","err_not_vulnerable_based_on_repology","https://github.com/NixOS/nixpkgs/pull/248659" -"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2023-3019","https://nvd.nist.gov/vuln/detail/CVE-2023-3019","qemu","8.1.0","8.1.0","8.1.0","qemu","2023A0000003019","False","Revisit when fixed upstream: https://lists.nongnu.org/archive/html/qemu-devel/2023-05/msg08310.html.","err_not_vulnerable_based_on_repology","" -"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2023-1386","https://nvd.nist.gov/vuln/detail/CVE-2023-1386","qemu","8.1.0","8.1.0","8.1.0","qemu","2023A0000001386","False","Revisit when fixed upstream: https://github.com/v9fs/linux/issues/29.","fix_not_available","" -"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","OSV-2023-505","https://osv.dev/OSV-2023-505","file","5.45","5.45","5.45","file","2023A0000000505","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology","" -"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","OSV-2023-390","https://osv.dev/OSV-2023-390","qemu","8.1.0","8.1.0","8.1.0","qemu","2023A0000000390","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology","" -"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","OSV-2023-197","https://osv.dev/OSV-2023-197","p11-kit","0.25.0","0.25.0","0.25.0","p11-kit","2023A0000000197","False","","err_not_vulnerable_based_on_repology","" -"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","OSV-2023-137","https://osv.dev/OSV-2023-137","harfbuzz","7.3.0","","","","2023A0000000137","True","Based on https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=56510#c2, the issue is fixed in range 
https://github.com/harfbuzz/harfbuzz/compare/67e01c1292821e7b6fc2ab13acddb84ab41b2187...60841e26187576bff477c1a09ee2ffe544844abc all of which have been merged in 7.1.0.","err_missing_repology_version","" -"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2022-42969","https://nvd.nist.gov/vuln/detail/CVE-2022-42969","py","1.11.0","","","","2022A0000042969","True","Disputed upstream: https://github.com/pytest-dev/py/issues/287#issuecomment-1283567565.","err_missing_repology_version","" -"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","PYSEC-2022-42969","https://osv.dev/PYSEC-2022-42969","py","1.11.0","","","","2022A0000042969","True","Same as CVE-2022-42969.","err_missing_repology_version","" -"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2022-38663","https://nvd.nist.gov/vuln/detail/CVE-2022-38663","git","2.41.0","","","","2022A0000038663","True","Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96.","err_missing_repology_version","" -"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2022-36884","https://nvd.nist.gov/vuln/detail/CVE-2022-36884","git","2.41.0","","","","2022A0000036884","True","Incorrect package: Impacts Jenkins git plugin, not git. 
Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96.","err_missing_repology_version","" -"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2022-36883","https://nvd.nist.gov/vuln/detail/CVE-2022-36883","git","2.41.0","","","","2022A0000036883","True","Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96.","err_missing_repology_version","" -"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2022-36882","https://nvd.nist.gov/vuln/detail/CVE-2022-36882","git","2.41.0","","","","2022A0000036882","True","Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96.","err_missing_repology_version","" -"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2022-30949","https://nvd.nist.gov/vuln/detail/CVE-2022-30949","git","2.41.0","","","","2022A0000030949","True","Incorrect package: Impacts Jenkins git plugin, not git. 
Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96.","err_missing_repology_version","" -"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2022-30948","https://nvd.nist.gov/vuln/detail/CVE-2022-30948","git","2.41.0","","","","2022A0000030948","True","Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96.","err_missing_repology_version","" -"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2022-30947","https://nvd.nist.gov/vuln/detail/CVE-2022-30947","git","2.41.0","","","","2022A0000030947","True","Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96.","err_missing_repology_version","" -"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2022-28321","https://nvd.nist.gov/vuln/detail/CVE-2022-28321","linux-pam","1.5.2","","","","2022A0000028321","True","Only impacts SUSE-specific patch version. 
Notice: repology package name is pam: https://repology.org/project/pam/versions.","err_missing_repology_version","" -"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","MAL-2022-4301","https://osv.dev/MAL-2022-4301","libidn2","2.3.4","","","","2022A0000004301","True","Incorrect package: Issue refers npm libidn2, whereas, nixpkgs refers libidn2 https://gitlab.com/libidn/libidn2.","err_missing_repology_version","" -"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2022-3219","https://nvd.nist.gov/vuln/detail/CVE-2022-3219","gnupg","2.4.1","","","","2022A0000003219","True","Fix patch is not accepted upstream: https://dev.gnupg.org/D556.","err_missing_repology_version","" -"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","OSV-2022-1193","https://osv.dev/OSV-2022-1193","libarchive","3.6.2","","","","2022A0000001193","True","Fixed based on https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=53594#c3.","err_missing_repology_version","" -"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","OSV-2022-842","https://osv.dev/OSV-2022-842","wolfssl","5.5.4","5.5.4","5.6.3","wolfssl","2022A0000000842","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology","" -"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","OSV-2022-725","https://osv.dev/OSV-2022-725","libjxl","0.8.2","0.8.2","0.8.2","libjxl","2022A0000000725","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology","" -"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","OSV-2022-608","https://osv.dev/OSV-2022-608","libjxl","0.8.2","0.8.2","0.8.2","libjxl","2022A0000000608","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology","" 
-"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","OSV-2022-581","https://osv.dev/OSV-2022-581","qemu","8.1.0","8.1.0","8.1.0","qemu","2022A0000000581","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology","" -"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","OSV-2022-193","https://osv.dev/OSV-2022-193","w3m","0.5.3+git20230121","0.5.3+git20230121","0.5.3+git20230121","w3m","2022A0000000193","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology","" -"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","OSV-2022-183","https://osv.dev/OSV-2022-183","binutils","2.40","","","","2022A0000000183","True","Fixed based on https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=44864#c2.","err_missing_repology_version","" -"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2021-33468","https://nvd.nist.gov/vuln/detail/CVE-2021-33468","yasm","1.3.0","","","","2021A0000033468","True","Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'.","err_missing_repology_version","" -"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2021-33467","https://nvd.nist.gov/vuln/detail/CVE-2021-33467","yasm","1.3.0","","","","2021A0000033467","True","Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'.","err_missing_repology_version","" -"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2021-33466","https://nvd.nist.gov/vuln/detail/CVE-2021-33466","yasm","1.3.0","","","","2021A0000033466","True","Issue is not fixed upstream. 
Other distributions have triaged the issue as minor or 'no security impact'.","err_missing_repology_version","" -"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2021-33465","https://nvd.nist.gov/vuln/detail/CVE-2021-33465","yasm","1.3.0","","","","2021A0000033465","True","Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'.","err_missing_repology_version","" -"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2021-33464","https://nvd.nist.gov/vuln/detail/CVE-2021-33464","yasm","1.3.0","","","","2021A0000033464","True","Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'.","err_missing_repology_version","" -"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2021-33463","https://nvd.nist.gov/vuln/detail/CVE-2021-33463","yasm","1.3.0","","","","2021A0000033463","True","Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'.","err_missing_repology_version","" -"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2021-33462","https://nvd.nist.gov/vuln/detail/CVE-2021-33462","yasm","1.3.0","","","","2021A0000033462","True","Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'.","err_missing_repology_version","" -"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2021-33461","https://nvd.nist.gov/vuln/detail/CVE-2021-33461","yasm","1.3.0","","","","2021A0000033461","True","Issue is not fixed upstream. 
Other distributions have triaged the issue as minor or 'no security impact'.","err_missing_repology_version","" -"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2021-33460","https://nvd.nist.gov/vuln/detail/CVE-2021-33460","yasm","1.3.0","","","","2021A0000033460","True","Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'.","err_missing_repology_version","" -"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2021-33459","https://nvd.nist.gov/vuln/detail/CVE-2021-33459","yasm","1.3.0","","","","2021A0000033459","True","Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'.","err_missing_repology_version","" -"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2021-33458","https://nvd.nist.gov/vuln/detail/CVE-2021-33458","yasm","1.3.0","","","","2021A0000033458","True","Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'.","err_missing_repology_version","" -"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2021-33457","https://nvd.nist.gov/vuln/detail/CVE-2021-33457","yasm","1.3.0","","","","2021A0000033457","True","Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'.","err_missing_repology_version","" -"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2021-33456","https://nvd.nist.gov/vuln/detail/CVE-2021-33456","yasm","1.3.0","","","","2021A0000033456","True","Issue is not fixed upstream. 
Other distributions have triaged the issue as minor or 'no security impact'.","err_missing_repology_version","" -"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2021-33455","https://nvd.nist.gov/vuln/detail/CVE-2021-33455","yasm","1.3.0","","","","2021A0000033455","True","Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'.","err_missing_repology_version","" -"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2021-33454","https://nvd.nist.gov/vuln/detail/CVE-2021-33454","yasm","1.3.0","","","","2021A0000033454","True","Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'.","err_missing_repology_version","" -"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2021-26945","https://nvd.nist.gov/vuln/detail/CVE-2021-26945","openexr","2.5.8","","","","2021A0000026945","True","Fix patch https://github.com/AcademySoftwareFoundation/openexr/pull/930/commits/b73ec53bd24ba116d7bf48ebdc868301c596706e modifies a file that is not available in openexr 2. Thus, the fix doesn't apply to 2.5.8.","err_missing_repology_version","" -"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2021-26260","https://nvd.nist.gov/vuln/detail/CVE-2021-26260","openexr","2.5.8","","","","2021A0000026260","True","False positive to the NVD data issue. Fixed in openexr 2.5.8. 
Upstream fix PR https://github.com/AcademySoftwareFoundation/openexr/commit/4212416433a230334cef0ac122cb8d722746035d which went to 2.5.5.","err_missing_repology_version","" -"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2021-23215","https://nvd.nist.gov/vuln/detail/CVE-2021-23215","openexr","2.5.8","","","","2021A0000023215","True","False positive to the NVD data issue. Fixed in openexr 2.5.8. Upstream fix PR https://github.com/AcademySoftwareFoundation/openexr/commit/4212416433a230334cef0ac122cb8d722746035d which went to 2.5.5.","err_missing_repology_version","" -"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2021-23169","https://nvd.nist.gov/vuln/detail/CVE-2021-23169","openexr","2.5.8","","","","2021A0000023169","True","False positive to the NVD data issue. Fixed in openexr 2.5.8. Upstream fix PR https://github.com/AcademySoftwareFoundation/openexr/pull/1040 which went to 2.5.7.","err_missing_repology_version","" -"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2021-21684","https://nvd.nist.gov/vuln/detail/CVE-2021-21684","git","2.41.0","","","","2021A0000021684","True","Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96.","err_missing_repology_version","" -"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2021-20255","https://nvd.nist.gov/vuln/detail/CVE-2021-20255","qemu","8.1.0","","","","2021A0000020255","True","Upstream patch not merged: https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg06098.html. 
No point fixing this in nixpkgs as long as it is not fixed upstream.","err_missing_repology_version","" -"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2021-4336","https://nvd.nist.gov/vuln/detail/CVE-2021-4336","ninja","1.11.1","","","","2021A0000004336","True","Incorrect package: nixpkgs 'ninja' refers https://github.com/ninja-build/ninja, not https://github.com/ITRS-Group/monitor-ninja.","err_missing_repology_version","" -"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2021-4217","https://nvd.nist.gov/vuln/detail/CVE-2021-4217","unzip","6.0","","","","2021A0000004217","True","Ignored by other distribution as 'no security impact', e.g. Debian: https://security-tracker.debian.org/tracker/CVE-2021-4217.","err_missing_repology_version","" -"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2021-3605","https://nvd.nist.gov/vuln/detail/CVE-2021-3605","openexr","2.5.8","","","","2021A0000003605","True","False positive to the NVD data issue. Fixed in openexr 2.5.8. Upstream fix PR https://github.com/AcademySoftwareFoundation/openexr/pull/1040 which went to 2.5.7.","err_missing_repology_version","" -"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2021-3598","https://nvd.nist.gov/vuln/detail/CVE-2021-3598","openexr","2.5.8","","","","2021A0000003598","True","False positive to the NVD data issue. Fixed in openexr 2.5.8. 
Upstream fix PR https://github.com/AcademySoftwareFoundation/openexr/pull/1040 which went to 2.5.7.","err_missing_repology_version","" -"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","OSV-2021-820","https://osv.dev/OSV-2021-820","qemu","8.1.0","","","","2021A0000000820","True","Fixed based on https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=34831#c2.","err_missing_repology_version","" -"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","OSV-2021-777","https://osv.dev/OSV-2021-777","libxml2","2.11.4","","","","2021A0000000777","True","Fixed by https://gitlab.gnome.org/GNOME/libxml2/-/commit/8f5ccada05ddd4a1ff8e399ad39fc7cd4bd33325, which went to 2.9.13. Therefore, this issue is fixed in 2.10.4.","err_missing_repology_version","" -"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2020-16194","https://nvd.nist.gov/vuln/detail/CVE-2020-16194","quote","1.0.20","","","","2020A0000016194","True","Incorrect package: Issue concerns prestashop product: https://prestashop.com/, whereas, nixpkgs ""quote"" refers rust package 'quote': https://docs.rs/quote/latest/quote/.","err_missing_repology_version","" -"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2020-2136","https://nvd.nist.gov/vuln/detail/CVE-2020-2136","git","2.41.0","2.41.0","2.42.0","git","2020A0000002136","False","","err_not_vulnerable_based_on_repology","https://github.com/NixOS/nixpkgs/pull/82872 -https://github.com/NixOS/nixpkgs/pull/84664" -"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","OSV-2020-1610","https://osv.dev/OSV-2020-1610","openexr","2.5.8","3.1.10","3.2.0","openexr","2020A0000001610","False","","err_not_vulnerable_based_on_repology","" 
-"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","OSV-2020-438","https://osv.dev/OSV-2020-438","capstone","4.0.2","4.0.2","5.0.1","capstone","2020A0000000438","False","","err_not_vulnerable_based_on_repology","" -"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","OSV-2020-438","https://osv.dev/OSV-2020-438","capstone","4.0.2","4.0.2","5.0.1","python:capstone","2020A0000000438","False","","err_not_vulnerable_based_on_repology","" -"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2019-1003010","https://nvd.nist.gov/vuln/detail/CVE-2019-1003010","git","2.41.0","","","","2019A0001003010","True","Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96.","err_missing_repology_version","" -"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2019-20633","https://nvd.nist.gov/vuln/detail/CVE-2019-20633","patch","2.7.6","","","","2019A0000020633","True","Upstream patch is not merged: https://savannah.gnu.org/bugs/index.php?56683. Not sure why this isn't fixed upstream. No point fixing this in nixpkgs as long as it is not fixed upstream.","err_missing_repology_version","" -"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2019-14900","https://nvd.nist.gov/vuln/detail/CVE-2019-14900","fuse","3.11.0","","","","2019A0000014900","True","Incorrect package: Issue concerns redhat fuse (https://developers.redhat.com/products/fuse/overview) not libfuse https://github.com/libfuse/libfuse/ which is what 'fuse' package in nixpkgs refers. 
Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives.","err_missing_repology_version","" -"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2019-14900","https://nvd.nist.gov/vuln/detail/CVE-2019-14900","fuse","2.9.9-closefrom-glibc-2-34.patch?id=8a970396fca7aca2d5a761b8e7a8242f1eef14c9","","","","2019A0000014900","True","Incorrect package: Issue concerns redhat fuse (https://developers.redhat.com/products/fuse/overview) not libfuse https://github.com/libfuse/libfuse/ which is what 'fuse' package in nixpkgs refers. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives.","err_missing_repology_version","" -"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2019-14900","https://nvd.nist.gov/vuln/detail/CVE-2019-14900","fuse","2.9.9","","","","2019A0000014900","True","Incorrect package: Issue concerns redhat fuse (https://developers.redhat.com/products/fuse/overview) not libfuse https://github.com/libfuse/libfuse/ which is what 'fuse' package in nixpkgs refers. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives.","err_missing_repology_version","" -"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2019-14860","https://nvd.nist.gov/vuln/detail/CVE-2019-14860","fuse","3.11.0","","","","2019A0000014860","True","Incorrect package: Issue concerns redhat fuse (https://developers.redhat.com/products/fuse/overview) not libfuse https://github.com/libfuse/libfuse/ which is what 'fuse' package in nixpkgs refers. 
Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives.","err_missing_repology_version","" -"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2019-14860","https://nvd.nist.gov/vuln/detail/CVE-2019-14860","fuse","2.9.9-closefrom-glibc-2-34.patch?id=8a970396fca7aca2d5a761b8e7a8242f1eef14c9","","","","2019A0000014860","True","Incorrect package: Issue concerns redhat fuse (https://developers.redhat.com/products/fuse/overview) not libfuse https://github.com/libfuse/libfuse/ which is what 'fuse' package in nixpkgs refers. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives.","err_missing_repology_version","" -"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2019-14860","https://nvd.nist.gov/vuln/detail/CVE-2019-14860","fuse","2.9.9","","","","2019A0000014860","True","Incorrect package: Issue concerns redhat fuse (https://developers.redhat.com/products/fuse/overview) not libfuse https://github.com/libfuse/libfuse/ which is what 'fuse' package in nixpkgs refers. 
Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives.","err_missing_repology_version","" -"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2019-12749","https://nvd.nist.gov/vuln/detail/CVE-2019-12749","dbus","1","","","","2019A0000012749","True","Fixed with https://github.com/NixOS/nixpkgs/pull/63021 (dbus version '1' in nixpkgs currently refers 1.14.8).","err_missing_repology_version","" -"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2019-12067","https://nvd.nist.gov/vuln/detail/CVE-2019-12067","qemu","8.1.0","","","","2019A0000012067","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" -"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2019-6470","https://nvd.nist.gov/vuln/detail/CVE-2019-6470","bind","9.18.18","","","","2019A0000006470","True","Not valid: https://github.com/NixOS/nixpkgs/issues/73617#issuecomment-569491606.","err_missing_repology_version","" -"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2019-6462","https://nvd.nist.gov/vuln/detail/CVE-2019-6462","cairo","1.16.0","","","","2019A0000006462","True","Not a valid: https://github.com/NixOS/nixpkgs/pull/218039#issuecomment-1445460129.","err_missing_repology_version","" -"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2019-6461","https://nvd.nist.gov/vuln/detail/CVE-2019-6461","cairo","1.16.0","","","","2019A0000006461","True","Not valid: https://github.com/NixOS/nixpkgs/pull/218039#issuecomment-1445460129.","err_missing_repology_version","" 
-"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2019-6293","https://nvd.nist.gov/vuln/detail/CVE-2019-6293","flex","2.6.4","","","","2019A0000006293","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" -"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2018-1000182","https://nvd.nist.gov/vuln/detail/CVE-2018-1000182","git","2.41.0","","","","2018A0001000182","True","Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96.","err_missing_repology_version","" -"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2018-1000110","https://nvd.nist.gov/vuln/detail/CVE-2018-1000110","git","2.41.0","","","","2018A0001000110","True","Incorrect package: Impacts Jenkins git plugin, not git. 
Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96.","err_missing_repology_version","" -"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2018-18438","https://nvd.nist.gov/vuln/detail/CVE-2018-18438","qemu","8.1.0","","","","2018A0000018438","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" -"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2017-5436","https://nvd.nist.gov/vuln/detail/CVE-2017-5436","graphite2","1.3.14","","","","2017A0000005436","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" -"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2016-6131","https://nvd.nist.gov/vuln/detail/CVE-2016-6131","libiberty","12.3.0","","","","2016A0000006131","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" -"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2016-4493","https://nvd.nist.gov/vuln/detail/CVE-2016-4493","libiberty","12.3.0","","","","2016A0000004493","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" -"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2016-4492","https://nvd.nist.gov/vuln/detail/CVE-2016-4492","libiberty","12.3.0","","","","2016A0000004492","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" 
-"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2016-4491","https://nvd.nist.gov/vuln/detail/CVE-2016-4491","libiberty","12.3.0","","","","2016A0000004491","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" -"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2016-4490","https://nvd.nist.gov/vuln/detail/CVE-2016-4490","libiberty","12.3.0","","","","2016A0000004490","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" -"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2016-4489","https://nvd.nist.gov/vuln/detail/CVE-2016-4489","libiberty","12.3.0","","","","2016A0000004489","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" -"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2016-4488","https://nvd.nist.gov/vuln/detail/CVE-2016-4488","libiberty","12.3.0","","","","2016A0000004488","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" -"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2016-4487","https://nvd.nist.gov/vuln/detail/CVE-2016-4487","libiberty","12.3.0","","","","2016A0000004487","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" -"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2016-2781","https://nvd.nist.gov/vuln/detail/CVE-2016-2781","coreutils","9.3","","","","2016A0000002781","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" 
-"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2016-2226","https://nvd.nist.gov/vuln/detail/CVE-2016-2226","libiberty","12.3.0","","","","2016A0000002226","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" -"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2015-7313","https://nvd.nist.gov/vuln/detail/CVE-2015-7313","libtiff","4.5.1","","","","2015A0000007313","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" -"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2014-9157","https://nvd.nist.gov/vuln/detail/CVE-2014-9157","graphviz","8.1.0","","","","2014A0000009157","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" -"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2012-3509","https://nvd.nist.gov/vuln/detail/CVE-2012-3509","libiberty","12.3.0","","","","2012A0000003509","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" -"packages.riscv64-linux.microchip-icicle-kit-release","github:tiiuae/ghaf?ref=main","nix_unstable","CVE-2010-4226","https://nvd.nist.gov/vuln/detail/CVE-2010-4226","cpio","2.14","","","","2010A0000004226","True","NVD data issue: concerns OpenSuSE, not cpio.","err_missing_repology_version","" diff --git a/reports/main/packages.riscv64-linux.microchip-icicle-kit-release.md b/reports/main/packages.riscv64-linux.microchip-icicle-kit-release.md index ca995df..60318df 100644 --- a/reports/main/packages.riscv64-linux.microchip-icicle-kit-release.md +++ b/reports/main/packages.riscv64-linux.microchip-icicle-kit-release.md 
@@ -6,10 +6,11 @@ SPDX-License-Identifier: CC-BY-SA-4.0
 # Vulnerability Report
-This vulnerability report is generated for Ghaf target '`github:tiiuae/ghaf?ref=main#packages.riscv64-linux.microchip-icicle-kit-release`'. The tables on this page include known vulnerabilities impacting any buildtime or runtime dependencies of the given target.
+This vulnerability report is generated for Ghaf target `github:tiiuae/ghaf?ref=main#packages.riscv64-linux.microchip-icicle-kit-release` revision `b0ad0719c70e4f9f93135f9aeb714f5131a5e2c3`. The tables on this page include known vulnerabilities impacting buildtime or runtime dependencies of the given target.
 This report is automatically generated as specified on the [Vulnerability Scan](../.github/workflows/vulnerability-scan.yml) GitHub action workflow. It uses the tooling from [sbomnix](https://github.com/tiiuae/sbomnix) repository, such as [vulnxscan](https://github.com/tiiuae/sbomnix/tree/main/scripts/vulnxscan), as well as the manual analysis results maintained in the [manual_analysis.csv](../manual_analysis.csv) file.
+See section [Theory of Operation](https://github.com/tiiuae/ghafscan#theory-of-operation) in the [ghafscan README.md](https://github.com/tiiuae/ghafscan/blob/main/README.md) for details of how the data on this report is generated.
 Reports
 =================
@@ -27,42 +28,20 @@ Following table lists vulnerabilities that have been fixed in the nixpkgs channe
 Update the target Ghaf [flake.lock](https://github.com/tiiuae/ghaf/blob/main/flake.lock) file to mitigate the following issues:
-| vuln_id | package | version_local | nix_unstable | upstream | comment |
-|-------------------------------------------------------------------|-----------|-----------------|----------------|------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| [CVE-2023-37769](https://nvd.nist.gov/vuln/detail/CVE-2023-37769) | pixman | 0.42.2 | 0.42.2 | 0.42.2 | See: [link](https://gitlab.freedesktop.org/pixman/pixman/-/issues/76): "This somehow got assigned CVE-2023-37769, not sure why NVD keeps assigning CVEs like this. This is just a test executable". |
-| [CVE-2023-28115](https://nvd.nist.gov/vuln/detail/CVE-2023-28115) | snappy | 1.1.10 | | | |
-| [CVE-2023-4135](https://nvd.nist.gov/vuln/detail/CVE-2023-4135) | qemu | 8.1.0 | 8.1.0 | 8.1.0 | Fixed upstream in 8.1.0. |
-| [CVE-2023-3724](https://nvd.nist.gov/vuln/detail/CVE-2023-3724) | wolfssl | 5.5.4 | 5.5.4 | 5.6.3 | Issue is fixed in 5.6.2: [link](https://www.wolfssl.com/docs/security-vulnerabilities/). Nixpkgs PR: [link](https://github.com/NixOS/nixpkgs/pull/239027). *[[PR](https://github.com/NixOS/nixpkgs/pull/239027), [PR](https://github.com/NixOS/nixpkgs/pull/246451)]* |
-| [CVE-2023-3354](https://nvd.nist.gov/vuln/detail/CVE-2023-3354) | qemu | 8.1.0 | 8.1.0 | 8.1.0 | Fixed in 8.0.4: [link](https://gitlab.com/qemu-project/qemu/-/commit/5300472ec0990c61742d89b5eea1c1e6941f6d62). Nixpkgs PR: [link](https://github.com/NixOS/nixpkgs/pull/251036). *[[PR](https://github.com/NixOS/nixpkgs/pull/248659)]* |
-| [CVE-2023-3180](https://nvd.nist.gov/vuln/detail/CVE-2023-3180) | qemu | 8.1.0 | 8.1.0 | 8.1.0 | Fixed in 8.0.4: [link](https://gitlab.com/qemu-project/qemu/-/commit/49f1e02bac166821c712534aaa775f50e1afe17f). Nixpkgs PR: [link](https://github.com/NixOS/nixpkgs/pull/251036). *[[PR](https://github.com/NixOS/nixpkgs/pull/248659)]* |
-| [CVE-2023-3019](https://nvd.nist.gov/vuln/detail/CVE-2023-3019) | qemu | 8.1.0 | 8.1.0 | 8.1.0 | Revisit when fixed upstream: [link](https://lists.nongnu.org/archive/html/qemu-devel/2023-05/msg08310.html). |
-| [CVE-2023-1386](https://nvd.nist.gov/vuln/detail/CVE-2023-1386) | qemu | 8.1.0 | 8.1.0 | 8.1.0 | Revisit when fixed upstream: [link](https://github.com/v9fs/linux/issues/29). |
-| [OSV-2023-390](https://osv.dev/OSV-2023-390) | qemu | 8.1.0 | 8.1.0 | 8.1.0 | Unclear if this is still valid. |
-| [OSV-2023-197](https://osv.dev/OSV-2023-197) | p11-kit | 0.25.0 | 0.25.0 | 0.25.0 | |
-| [OSV-2022-842](https://osv.dev/OSV-2022-842) | wolfssl | 5.5.4 | 5.5.4 | 5.6.3 | Unclear if this is still valid. |
-| [OSV-2022-725](https://osv.dev/OSV-2022-725) | libjxl | 0.8.2 | 0.8.2 | 0.8.2 | Unclear if this is still valid. |
-| [OSV-2022-608](https://osv.dev/OSV-2022-608) | libjxl | 0.8.2 | 0.8.2 | 0.8.2 | Unclear if this is still valid. |
-| [OSV-2022-581](https://osv.dev/OSV-2022-581) | qemu | 8.1.0 | 8.1.0 | 8.1.0 | Unclear if this is still valid. |
-| [OSV-2020-1610](https://osv.dev/OSV-2020-1610) | openexr | 2.5.8 | 3.1.10 | 3.2.0 | |
-| [OSV-2020-438](https://osv.dev/OSV-2020-438) | capstone | 4.0.2 | 4.0.2 | 5.0.1 | |
+| vuln_id | package | version_local | nix_unstable | upstream | comment |
+|-----------------------------------------------------------------|-----------|-----------------|----------------|------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| [CVE-2023-3817](https://nvd.nist.gov/vuln/detail/CVE-2023-3817) | openssl | 3.0.9 | 3.1.0 | 3.1.0 | openssl LTS release 3.0.10 fixes the issue, nixpkgs PR: [link](https://github.com/NixOS/nixpkgs/pull/246579). *[[PR](https://github.com/NixOS/nixpkgs/pull/247537), [PR](https://github.com/NixOS/nixpkgs/pull/248715)]* |
 ## Vulnerabilities Fixed in nix-unstable
-Following table lists vulnerabilities that have been fixed in nixpgks nix-unstable channel, but the fixes have not been backported to the channel the Ghaf target is currently pinned to.
+Following table lists vulnerabilities that have been fixed in nixpkgs nix-unstable channel, but the fixes have not been backported to the channel the Ghaf target is currently pinned to. Following issues potentially require backporting the fix from nixpkgs-unstable to the correct nixpkgs release branch.
 Consider [whitelisting](../manual_analysis.csv) possible false positives based on manual analysis, or - if determined valid - help nixpkgs community backport the fix to the correct nixpkgs branch:
-
-| vuln_id | package | version_local | nix_unstable | upstream | comment |
-|-------------------------------------------------------------------|-----------|-----------------|----------------|------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| [CVE-2023-31484](https://nvd.nist.gov/vuln/detail/CVE-2023-31484) | perl | 5.36.0 | 5.38.0 | 5.38.0 | *[[PR](https://github.com/NixOS/nixpkgs/pull/241848), [PR](https://github.com/NixOS/nixpkgs/pull/247547)]* |
-| [CVE-2023-2610](https://nvd.nist.gov/vuln/detail/CVE-2023-2610) | vim | 9.0.1441 | 9.0.1642 | 9.0.1882 | Consider backporting nixpkgs PR [link](https://github.com/NixOS/nixpkgs/pull/239484) to 23.05. *[[PR](https://github.com/NixOS/nixpkgs/pull/239484), [PR](https://github.com/NixOS/nixpkgs/pull/251896)]* |
-| [CVE-2023-2609](https://nvd.nist.gov/vuln/detail/CVE-2023-2609) | vim | 9.0.1441 | 9.0.1642 | 9.0.1882 | Consider backporting nixpkgs PR [link](https://github.com/NixOS/nixpkgs/pull/239484) to 23.05. *[[PR](https://github.com/NixOS/nixpkgs/pull/239484), [PR](https://github.com/NixOS/nixpkgs/pull/251896)]* |
-| [CVE-2023-2426](https://nvd.nist.gov/vuln/detail/CVE-2023-2426) | vim | 9.0.1441 | 9.0.1642 | 9.0.1882 | Consider backporting nixpkgs PR [link](https://github.com/NixOS/nixpkgs/pull/239484) to 23.05. *[[PR](https://github.com/NixOS/nixpkgs/pull/239484), [PR](https://github.com/NixOS/nixpkgs/pull/251896)]* |
-
+```Error evaluating 'packages.riscv64-linux.microchip-icicle-kit-release' on nix_unstable```
 ## New Vulnerabilities Since Last Run
@@ -71,7 +50,15 @@ Following table lists vulnerabilities currently impacting the Ghaf target that h
 Consider [whitelisting](../manual_analysis.csv) possible false positives based on manual analysis, or - if determined valid - help nixpkgs community fix the following issues in nixpkgs:
-```No vulnerabilities```
+
+| vuln_id | package | version_local | nix_unstable | upstream | comment |
+|-------------------------------------------------------------------|-----------|-----------------|----------------|------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| [CVE-2023-31484](https://nvd.nist.gov/vuln/detail/CVE-2023-31484) | perl | 5.36.0 | 5.38.0 | 5.38.0 | *[[PR](https://github.com/NixOS/nixpkgs/pull/241848), [PR](https://github.com/NixOS/nixpkgs/pull/247547)]* |
+| [CVE-2023-3817](https://nvd.nist.gov/vuln/detail/CVE-2023-3817) | openssl | 3.0.9 | 3.1.0 | 3.1.0 | openssl LTS release 3.0.10 fixes the issue, nixpkgs PR: [link](https://github.com/NixOS/nixpkgs/pull/246579). *[[PR](https://github.com/NixOS/nixpkgs/pull/247537), [PR](https://github.com/NixOS/nixpkgs/pull/248715)]* |
+| [CVE-2023-2610](https://nvd.nist.gov/vuln/detail/CVE-2023-2610) | vim | 9.0.1441 | 9.0.1811 | 9.0.1882 | Consider backporting nixpkgs PR [link](https://github.com/NixOS/nixpkgs/pull/239484) to 23.05. *[[PR](https://github.com/NixOS/nixpkgs/pull/251896)]* |
+| [CVE-2023-2609](https://nvd.nist.gov/vuln/detail/CVE-2023-2609) | vim | 9.0.1441 | 9.0.1811 | 9.0.1882 | Consider backporting nixpkgs PR [link](https://github.com/NixOS/nixpkgs/pull/239484) to 23.05. *[[PR](https://github.com/NixOS/nixpkgs/pull/251896)]* |
+| [CVE-2023-2426](https://nvd.nist.gov/vuln/detail/CVE-2023-2426) | vim | 9.0.1441 | 9.0.1811 | 9.0.1882 | Consider backporting nixpkgs PR [link](https://github.com/NixOS/nixpkgs/pull/239484) to 23.05. *[[PR](https://github.com/NixOS/nixpkgs/pull/251896)]* |
+
 ## All Vulnerabilities Impacting Ghaf
@@ -83,33 +70,22 @@ Consider [whitelisting](../manual_analysis.csv) possible false positives based o
 | vuln_id | package | version_local | nix_unstable | upstream | comment |
 |-------------------------------------------------------------------|------------|------------------|------------------|------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| [GHSA-wrrj-h57r-vx9p](https://osv.dev/GHSA-wrrj-h57r-vx9p) | cargo | 1.71.1 | 0.4.9 | 0.4.9 | |
+| [GHSA-wrrj-h57r-vx9p](https://osv.dev/GHSA-wrrj-h57r-vx9p) | cargo | 1.69.0 | 0.4.9 | 0.4.9 | |
 | [GHSA-w596-4wvx-j9j6](https://osv.dev/GHSA-w596-4wvx-j9j6) | py | 1.11.0 | 1.11.0 | 1.11.0 | |
 | [CVE-2023-39742](https://nvd.nist.gov/vuln/detail/CVE-2023-39742) | giflib | 5.2.1 | 5.2.1 | 5.2.1 | |
-| [CVE-2023-37769](https://nvd.nist.gov/vuln/detail/CVE-2023-37769) | pixman | 0.42.2 | 0.42.2 | 0.42.2 | See: [link](https://gitlab.freedesktop.org/pixman/pixman/-/issues/76): "This somehow got assigned CVE-2023-37769, not sure why NVD keeps assigning CVEs like this. This is just a test executable". |
+| [CVE-2023-31484](https://nvd.nist.gov/vuln/detail/CVE-2023-31484) | perl | 5.36.0 | 5.38.0 | 5.38.0 | *[[PR](https://github.com/NixOS/nixpkgs/pull/241848), [PR](https://github.com/NixOS/nixpkgs/pull/247547)]* |
 | [CVE-2023-30571](https://nvd.nist.gov/vuln/detail/CVE-2023-30571) | libarchive | 3.6.2 | 3.6.2 | 3.7.1 | No upstream fix available, see: [link](https://github.com/libarchive/libarchive/issues/1876). |
 | [CVE-2023-29383](https://nvd.nist.gov/vuln/detail/CVE-2023-29383) | shadow | 4.13 | 4.13 | 4.14.0 | Pending merge for nixpkgs master PR: [link](https://github.com/NixOS/nixpkgs/pull/233924). TODO: consider taking the upstream version update to 4.14 instead: [link](https://github.com/shadow-maint/shadow/releases). *[[PR](https://github.com/NixOS/nixpkgs/pull/233924)]* |
 | [CVE-2023-28938](https://nvd.nist.gov/vuln/detail/CVE-2023-28938) | mdadm | 4.2 | 4.2 | 4.2 | |
 | [CVE-2023-28736](https://nvd.nist.gov/vuln/detail/CVE-2023-28736) | mdadm | 4.2 | 4.2 | 4.2 | |
-| [CVE-2023-28115](https://nvd.nist.gov/vuln/detail/CVE-2023-28115) | snappy | 1.1.10 | | | |
-| [CVE-2023-4135](https://nvd.nist.gov/vuln/detail/CVE-2023-4135) | qemu | 8.1.0 | 8.1.0 | 8.1.0 | Fixed upstream in 8.1.0. |
 | [CVE-2023-4016](https://nvd.nist.gov/vuln/detail/CVE-2023-4016) | procps | 3.3.17 | | | See: [link](https://gitlab.com/procps-ng/procps/-/issues/297). Notice: repology package name is procps-ng: [link](https://repology.org/project/procps-ng/versions). |
-| [CVE-2023-3724](https://nvd.nist.gov/vuln/detail/CVE-2023-3724) | wolfssl | 5.5.4 | 5.5.4 | 5.6.3 | Issue is fixed in 5.6.2: [link](https://www.wolfssl.com/docs/security-vulnerabilities/). Nixpkgs PR: [link](https://github.com/NixOS/nixpkgs/pull/239027). *[[PR](https://github.com/NixOS/nixpkgs/pull/239027), [PR](https://github.com/NixOS/nixpkgs/pull/246451)]* |
-| [CVE-2023-3354](https://nvd.nist.gov/vuln/detail/CVE-2023-3354) | qemu | 8.1.0 | 8.1.0 | 8.1.0 | Fixed in 8.0.4: [link](https://gitlab.com/qemu-project/qemu/-/commit/5300472ec0990c61742d89b5eea1c1e6941f6d62). Nixpkgs PR: [link](https://github.com/NixOS/nixpkgs/pull/251036). *[[PR](https://github.com/NixOS/nixpkgs/pull/248659)]* |
-| [CVE-2023-3180](https://nvd.nist.gov/vuln/detail/CVE-2023-3180) | qemu | 8.1.0 | 8.1.0 | 8.1.0 | Fixed in 8.0.4: [link](https://gitlab.com/qemu-project/qemu/-/commit/49f1e02bac166821c712534aaa775f50e1afe17f). Nixpkgs PR: [link](https://github.com/NixOS/nixpkgs/pull/251036). *[[PR](https://github.com/NixOS/nixpkgs/pull/248659)]* |
-| [CVE-2023-3019](https://nvd.nist.gov/vuln/detail/CVE-2023-3019) | qemu | 8.1.0 | 8.1.0 | 8.1.0 | Revisit when fixed upstream: [link](https://lists.nongnu.org/archive/html/qemu-devel/2023-05/msg08310.html). |
-| [CVE-2023-1386](https://nvd.nist.gov/vuln/detail/CVE-2023-1386) | qemu | 8.1.0 | 8.1.0 | 8.1.0 | Revisit when fixed upstream: [link](https://github.com/v9fs/linux/issues/29). |
-| [OSV-2023-505](https://osv.dev/OSV-2023-505) | file | 5.45 | 5.45 | 5.45 | Unclear if this is still valid. |
-| [OSV-2023-390](https://osv.dev/OSV-2023-390) | qemu | 8.1.0 | 8.1.0 | 8.1.0 | Unclear if this is still valid. |
-| [OSV-2023-197](https://osv.dev/OSV-2023-197) | p11-kit | 0.25.0 | 0.25.0 | 0.25.0 | |
-| [OSV-2022-842](https://osv.dev/OSV-2022-842) | wolfssl | 5.5.4 | 5.5.4 | 5.6.3 | Unclear if this is still valid. |
-| [OSV-2022-725](https://osv.dev/OSV-2022-725) | libjxl | 0.8.2 | 0.8.2 | 0.8.2 | Unclear if this is still valid. |
-| [OSV-2022-608](https://osv.dev/OSV-2022-608) | libjxl | 0.8.2 | 0.8.2 | 0.8.2 | Unclear if this is still valid. |
-| [OSV-2022-581](https://osv.dev/OSV-2022-581) | qemu | 8.1.0 | 8.1.0 | 8.1.0 | Unclear if this is still valid. |
+| [CVE-2023-3817](https://nvd.nist.gov/vuln/detail/CVE-2023-3817) | openssl | 3.0.9 | 3.1.0 | 3.1.0 | openssl LTS release 3.0.10 fixes the issue, nixpkgs PR: [link](https://github.com/NixOS/nixpkgs/pull/246579). *[[PR](https://github.com/NixOS/nixpkgs/pull/247537), [PR](https://github.com/NixOS/nixpkgs/pull/248715)]* |
+| [CVE-2023-2610](https://nvd.nist.gov/vuln/detail/CVE-2023-2610) | vim | 9.0.1441 | 9.0.1811 | 9.0.1882 | Consider backporting nixpkgs PR [link](https://github.com/NixOS/nixpkgs/pull/239484) to 23.05. *[[PR](https://github.com/NixOS/nixpkgs/pull/251896)]* |
+| [CVE-2023-2609](https://nvd.nist.gov/vuln/detail/CVE-2023-2609) | vim | 9.0.1441 | 9.0.1811 | 9.0.1882 | Consider backporting nixpkgs PR [link](https://github.com/NixOS/nixpkgs/pull/239484) to 23.05. *[[PR](https://github.com/NixOS/nixpkgs/pull/251896)]* |
+| [CVE-2023-2426](https://nvd.nist.gov/vuln/detail/CVE-2023-2426) | vim | 9.0.1441 | 9.0.1811 | 9.0.1882 | Consider backporting nixpkgs PR [link](https://github.com/NixOS/nixpkgs/pull/239484) to 23.05. *[[PR](https://github.com/NixOS/nixpkgs/pull/251896)]* |
+| [OSV-2023-505](https://osv.dev/OSV-2023-505) | file | 5.44 | 5.45 | 5.45 | Unclear if this is still valid. |
 | [OSV-2022-193](https://osv.dev/OSV-2022-193) | w3m | 0.5.3+git2023012 | 0.5.3+git2023012 | 0.5.3+git2023012 | Unclear if this is still valid. |
-| [CVE-2020-2136](https://nvd.nist.gov/vuln/detail/CVE-2020-2136) | git | 2.41.0 | 2.41.0 | 2.42.0 | *[[PR](https://github.com/NixOS/nixpkgs/pull/82872), [PR](https://github.com/NixOS/nixpkgs/pull/84664)]* |
-| [OSV-2020-1610](https://osv.dev/OSV-2020-1610) | openexr | 2.5.8 | 3.1.10 | 3.2.0 | |
-| [OSV-2020-438](https://osv.dev/OSV-2020-438) | capstone | 4.0.2 | 4.0.2 | 5.0.1 | |
+| [CVE-2020-2136](https://nvd.nist.gov/vuln/detail/CVE-2020-2136) | git | 2.40.1 | 2.41.0 | 2.42.0 | *[[PR](https://github.com/NixOS/nixpkgs/pull/82872), [PR](https://github.com/NixOS/nixpkgs/pull/84664)]* |
diff --git a/reports/main/packages.x86_64-linux.generic-x86_64-release.md b/reports/main/packages.x86_64-linux.generic-x86_64-release.md
index a9f03d1..850b81c 100644
--- a/reports/main/packages.x86_64-linux.generic-x86_64-release.md
+++ b/reports/main/packages.x86_64-linux.generic-x86_64-release.md
@@ -6,10 +6,11 @@ SPDX-License-Identifier: CC-BY-SA-4.0
 # Vulnerability Report
-This vulnerability report is generated for Ghaf target '`github:tiiuae/ghaf?ref=main#packages.x86_64-linux.generic-x86_64-release`'. The tables on this page include known vulnerabilities impacting any buildtime or runtime dependencies of the given target.
+This vulnerability report is generated for Ghaf target `github:tiiuae/ghaf?ref=main#packages.x86_64-linux.generic-x86_64-release` revision `b0ad0719c70e4f9f93135f9aeb714f5131a5e2c3`. The tables on this page include known vulnerabilities impacting buildtime or runtime dependencies of the given target.
 This report is automatically generated as specified on the [Vulnerability Scan](../.github/workflows/vulnerability-scan.yml) GitHub action workflow. It uses the tooling from [sbomnix](https://github.com/tiiuae/sbomnix) repository, such as [vulnxscan](https://github.com/tiiuae/sbomnix/tree/main/scripts/vulnxscan), as well as the manual analysis results maintained in the [manual_analysis.csv](../manual_analysis.csv) file.
+See section [Theory of Operation](https://github.com/tiiuae/ghafscan#theory-of-operation) in the [ghafscan README.md](https://github.com/tiiuae/ghafscan/blob/main/README.md) for details of how the data on this report is generated.
 Reports
 =================
@@ -47,24 +48,25 @@ Update the target Ghaf [flake.lock](https://github.com/tiiuae/ghaf/blob/main/fla
 ## Vulnerabilities Fixed in nix-unstable
-Following table lists vulnerabilities that have been fixed in nixpgks nix-unstable channel, but the fixes have not been backported to the channel the Ghaf target is currently pinned to.
+Following table lists vulnerabilities that have been fixed in nixpkgs nix-unstable channel, but the fixes have not been backported to the channel the Ghaf target is currently pinned to. Following issues potentially require backporting the fix from nixpkgs-unstable to the correct nixpkgs release branch.
 Consider [whitelisting](../manual_analysis.csv) possible false positives based on manual analysis, or - if determined valid - help nixpkgs community backport the fix to the correct nixpkgs branch:
-| vuln_id | package | version_local | nix_unstable | upstream | comment |
-|-------------------------------------------------------------------|-----------|-----------------|----------------|------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| [CVE-2023-40360](https://nvd.nist.gov/vuln/detail/CVE-2023-40360) | qemu | 8.0.4 | 8.1.0 | 8.1.0 | *[[PR](https://github.com/NixOS/nixpkgs/pull/251154)]* |
-| [CVE-2023-40359](https://nvd.nist.gov/vuln/detail/CVE-2023-40359) | xterm | 379 | 384 | 384 | Requested backport for PR: [link](https://github.com/NixOS/nixpkgs/pull/244141). *[[PR](https://github.com/NixOS/nixpkgs/pull/244141)]* |
-| [CVE-2023-31484](https://nvd.nist.gov/vuln/detail/CVE-2023-31484) | perl | 5.36.0-env | 5.38.0 | 5.38.0 | *[[PR](https://github.com/NixOS/nixpkgs/pull/241848), [PR](https://github.com/NixOS/nixpkgs/pull/247547)]* |
-| [CVE-2023-31484](https://nvd.nist.gov/vuln/detail/CVE-2023-31484) | perl | 5.36.0 | 5.38.0 | 5.38.0 | *[[PR](https://github.com/NixOS/nixpkgs/pull/241848), [PR](https://github.com/NixOS/nixpkgs/pull/247547)]* |
-| [CVE-2023-2610](https://nvd.nist.gov/vuln/detail/CVE-2023-2610) | vim | 9.0.1441 | 9.0.1642 | 9.0.1882 | Consider backporting nixpkgs PR [link](https://github.com/NixOS/nixpkgs/pull/239484) to 23.05. *[[PR](https://github.com/NixOS/nixpkgs/pull/239484), [PR](https://github.com/NixOS/nixpkgs/pull/251896)]* |
-| [CVE-2023-2609](https://nvd.nist.gov/vuln/detail/CVE-2023-2609) | vim | 9.0.1441 | 9.0.1642 | 9.0.1882 | Consider backporting nixpkgs PR [link](https://github.com/NixOS/nixpkgs/pull/239484) to 23.05. *[[PR](https://github.com/NixOS/nixpkgs/pull/239484), [PR](https://github.com/NixOS/nixpkgs/pull/251896)]* |
-| [CVE-2023-2426](https://nvd.nist.gov/vuln/detail/CVE-2023-2426) | vim | 9.0.1441 | 9.0.1642 | 9.0.1882 | Consider backporting nixpkgs PR [link](https://github.com/NixOS/nixpkgs/pull/239484) to 23.05. *[[PR](https://github.com/NixOS/nixpkgs/pull/239484), [PR](https://github.com/NixOS/nixpkgs/pull/251896)]* |
-| [CVE-2022-0856](https://nvd.nist.gov/vuln/detail/CVE-2022-0856) | libcaca | 0.99.beta20 | 0.99.beta20 | | Not fixed upstream: [link](https://github.com/cacalabs/libcaca/issues/65). |
-| [OSV-2022-394](https://osv.dev/OSV-2022-394) | opencv | 4.7.0 | 4.7.0 | 4.8.0 | |
+| vuln_id | package | version_local | nix_unstable | upstream | comment |
+|-------------------------------------------------------------------|-----------|-----------------|----------------|------------|--------------------------------------------------------------------------------------------------------------------------------------------------------|
+| [GHSA-wrrj-h57r-vx9p](https://osv.dev/GHSA-wrrj-h57r-vx9p) | cargo | 1.69.0 | 0.4.9 | 0.4.9 | |
+| [CVE-2023-40360](https://nvd.nist.gov/vuln/detail/CVE-2023-40360) | qemu | 8.0.4 | 8.1.0 | 8.1.0 | *[[PR](https://github.com/NixOS/nixpkgs/pull/251154)]* |
+| [CVE-2023-40359](https://nvd.nist.gov/vuln/detail/CVE-2023-40359) | xterm | 379 | 384 | 384 | Requested backport for PR: [link](https://github.com/NixOS/nixpkgs/pull/244141). *[[PR](https://github.com/NixOS/nixpkgs/pull/244141)]* |
+| [CVE-2023-31484](https://nvd.nist.gov/vuln/detail/CVE-2023-31484) | perl | 5.36.0-env | 5.38.0 | 5.38.0 | *[[PR](https://github.com/NixOS/nixpkgs/pull/241848), [PR](https://github.com/NixOS/nixpkgs/pull/247547)]* |
+| [CVE-2023-31484](https://nvd.nist.gov/vuln/detail/CVE-2023-31484) | perl | 5.36.0 | 5.38.0 | 5.38.0 | *[[PR](https://github.com/NixOS/nixpkgs/pull/241848), [PR](https://github.com/NixOS/nixpkgs/pull/247547)]* |
+| [CVE-2023-2610](https://nvd.nist.gov/vuln/detail/CVE-2023-2610) | vim | 9.0.1441 | 9.0.1811 | 9.0.1882 | Consider backporting nixpkgs PR [link](https://github.com/NixOS/nixpkgs/pull/239484) to 23.05. *[[PR](https://github.com/NixOS/nixpkgs/pull/251896)]* |
+| [CVE-2023-2609](https://nvd.nist.gov/vuln/detail/CVE-2023-2609) | vim | 9.0.1441 | 9.0.1811 | 9.0.1882 | Consider backporting nixpkgs PR [link](https://github.com/NixOS/nixpkgs/pull/239484) to 23.05. *[[PR](https://github.com/NixOS/nixpkgs/pull/251896)]* |
+| [CVE-2023-2426](https://nvd.nist.gov/vuln/detail/CVE-2023-2426) | vim | 9.0.1441 | 9.0.1811 | 9.0.1882 | Consider backporting nixpkgs PR [link](https://github.com/NixOS/nixpkgs/pull/239484) to 23.05. *[[PR](https://github.com/NixOS/nixpkgs/pull/251896)]* |
+| [CVE-2022-0856](https://nvd.nist.gov/vuln/detail/CVE-2022-0856) | libcaca | 0.99.beta20 | 0.99.beta20 | | Not fixed upstream: [link](https://github.com/cacalabs/libcaca/issues/65). |
+| [OSV-2022-394](https://osv.dev/OSV-2022-394) | opencv | 4.7.0 | 4.7.0 | 4.8.0 | |
@@ -114,9 +116,9 @@ Consider [whitelisting](../manual_analysis.csv) possible false positives based o
 | [CVE-2023-3354](https://nvd.nist.gov/vuln/detail/CVE-2023-3354) | qemu | 8.0.2 | 8.1.0 | 8.1.0 | Fixed in 8.0.4: [link](https://gitlab.com/qemu-project/qemu/-/commit/5300472ec0990c61742d89b5eea1c1e6941f6d62). Nixpkgs PR: [link](https://github.com/NixOS/nixpkgs/pull/251036). *[[PR](https://github.com/NixOS/nixpkgs/pull/248659)]* |
 | [CVE-2023-3180](https://nvd.nist.gov/vuln/detail/CVE-2023-3180) | qemu | 8.0.2 | 8.1.0 | 8.1.0 | Fixed in 8.0.4: [link](https://gitlab.com/qemu-project/qemu/-/commit/49f1e02bac166821c712534aaa775f50e1afe17f). Nixpkgs PR: [link](https://github.com/NixOS/nixpkgs/pull/251036). *[[PR](https://github.com/NixOS/nixpkgs/pull/248659)]* |
 | [CVE-2023-3019](https://nvd.nist.gov/vuln/detail/CVE-2023-3019) | qemu | 8.0.2 | 8.1.0 | 8.1.0 | Revisit when fixed upstream: [link](https://lists.nongnu.org/archive/html/qemu-devel/2023-05/msg08310.html). |
-| [CVE-2023-2610](https://nvd.nist.gov/vuln/detail/CVE-2023-2610) | vim | 9.0.1441 | 9.0.1642 | 9.0.1882 | Consider backporting nixpkgs PR [link](https://github.com/NixOS/nixpkgs/pull/239484) to 23.05. *[[PR](https://github.com/NixOS/nixpkgs/pull/239484), [PR](https://github.com/NixOS/nixpkgs/pull/251896)]* |
-| [CVE-2023-2609](https://nvd.nist.gov/vuln/detail/CVE-2023-2609) | vim | 9.0.1441 | 9.0.1642 | 9.0.1882 | Consider backporting nixpkgs PR [link](https://github.com/NixOS/nixpkgs/pull/239484) to 23.05. *[[PR](https://github.com/NixOS/nixpkgs/pull/239484), [PR](https://github.com/NixOS/nixpkgs/pull/251896)]* |
-| [CVE-2023-2426](https://nvd.nist.gov/vuln/detail/CVE-2023-2426) | vim | 9.0.1441 | 9.0.1642 | 9.0.1882 | Consider backporting nixpkgs PR [link](https://github.com/NixOS/nixpkgs/pull/239484) to 23.05. *[[PR](https://github.com/NixOS/nixpkgs/pull/239484), [PR](https://github.com/NixOS/nixpkgs/pull/251896)]* |
+| [CVE-2023-2610](https://nvd.nist.gov/vuln/detail/CVE-2023-2610) | vim | 9.0.1441 | 9.0.1811 | 9.0.1882 | Consider backporting nixpkgs PR [link](https://github.com/NixOS/nixpkgs/pull/239484) to 23.05. *[[PR](https://github.com/NixOS/nixpkgs/pull/251896)]* |
+| [CVE-2023-2609](https://nvd.nist.gov/vuln/detail/CVE-2023-2609) | vim | 9.0.1441 | 9.0.1811 | 9.0.1882 | Consider backporting nixpkgs PR [link](https://github.com/NixOS/nixpkgs/pull/239484) to 23.05. *[[PR](https://github.com/NixOS/nixpkgs/pull/251896)]* |
+| [CVE-2023-2426](https://nvd.nist.gov/vuln/detail/CVE-2023-2426) | vim | 9.0.1441 | 9.0.1811 | 9.0.1882 | Consider backporting nixpkgs PR [link](https://github.com/NixOS/nixpkgs/pull/239484) to 23.05. *[[PR](https://github.com/NixOS/nixpkgs/pull/251896)]* |
 | [CVE-2023-1386](https://nvd.nist.gov/vuln/detail/CVE-2023-1386) | qemu | 8.0.2 | 8.1.0 | 8.1.0 | Revisit when fixed upstream: [link](https://github.com/v9fs/linux/issues/29). |
 | [OSV-2023-505](https://osv.dev/OSV-2023-505) | file | 5.44 | 5.45 | 5.45 | Unclear if this is still valid. |
 | [OSV-2023-390](https://osv.dev/OSV-2023-390) | qemu | 8.0.2 | 8.1.0 | 8.1.0 | Unclear if this is still valid. |