From 772d97b89cfcb01b4131c3c804ad4dc252a927ec Mon Sep 17 00:00:00 2001 From: Henri Rosten Date: Wed, 8 Nov 2023 12:46:35 +0200 Subject: [PATCH] Update Ghaf release target branch Start scanning ghaf-23.09 release instead of ghaf-23.06. Signed-off-by: Henri Rosten --- .github/workflows/vulnerability-scan.yml | 4 +- README.md | 2 +- reports/ghaf-23.09/README.md | 12 + reports/ghaf-23.09/data.csv | 659 ++++++++++++++++++ reports/ghaf-23.09/data.csv.license | 3 + ...ges.x86_64-linux.generic-x86_64-release.md | 371 ++++++++++ 6 files changed, 1048 insertions(+), 3 deletions(-) create mode 100644 reports/ghaf-23.09/README.md create mode 100644 reports/ghaf-23.09/data.csv create mode 100644 reports/ghaf-23.09/data.csv.license create mode 100644 reports/ghaf-23.09/packages.x86_64-linux.generic-x86_64-release.md diff --git a/.github/workflows/vulnerability-scan.yml b/.github/workflows/vulnerability-scan.yml index bbe059e..c5f219c 100644 --- a/.github/workflows/vulnerability-scan.yml +++ b/.github/workflows/vulnerability-scan.yml @@ -24,8 +24,8 @@ jobs: nix_path: nixpkgs=channel:nixpkgs-unstable - name: Ghaf Vulnerability Scan (main) run: nix run .#ghafscan -- --verbose=2 --whitelist=manual_analysis.csv --outdir=reports/main --flakeref=github:tiiuae/ghaf?ref=main --target=packages.x86_64-linux.generic-x86_64-release --target=packages.riscv64-linux.microchip-icicle-kit-release - - name: Ghaf Vulnerability Scan (ghaf-23.06) - run: nix run .#ghafscan -- --verbose=2 --whitelist=manual_analysis.csv --outdir=reports/ghaf-23.06 --flakeref=github:tiiuae/ghaf?ref=ghaf-23.06 --target=packages.x86_64-linux.generic-x86_64-release + - name: Ghaf Vulnerability Scan (ghaf-23.09) + run: nix run .#ghafscan -- --verbose=2 --whitelist=manual_analysis.csv --outdir=reports/ghaf-23.09 --flakeref=github:tiiuae/ghaf?ref=ghaf-23.09 --target=packages.x86_64-linux.generic-x86_64-release - uses: stefanzweifel/git-auto-commit-action@v4 with: commit_message: Automatic vulnerability report update 
diff --git a/README.md b/README.md index 48769c6..a807496 100644 --- a/README.md +++ b/README.md @@ -12,7 +12,7 @@ The Ghaf [vulnerability reports](./reports/) available on this repository are au ## Example Reports - [Ghaf 'main' generic-x86_64-release](./reports/main/packages.x86_64-linux.generic-x86_64-release.md) - [Ghaf 'main' riscv64-linux.microchip-icicle-kit-release](./reports/main/packages.riscv64-linux.microchip-icicle-kit-release.md) -- [Ghaf 'ghaf-23.06' generic-x86_64-release](./reports/ghaf-23.06/packages.x86_64-linux.generic-x86_64-release.md) +- [Ghaf 'ghaf-23.09' generic-x86_64-release](./reports/ghaf-23.09/packages.x86_64-linux.generic-x86_64-release.md) ## Motivation diff --git a/reports/ghaf-23.09/README.md b/reports/ghaf-23.09/README.md new file mode 100644 index 0000000..d7caffb --- /dev/null +++ b/reports/ghaf-23.09/README.md @@ -0,0 +1,12 @@ + + +# Ghaf Vulnerability Reports + +See the following links for detailled Ghaf vulnerability reports: + +* [Vulnerability Report: 'packages.x86_64-linux.generic-x86_64-release'](packages.x86_64-linux.generic-x86_64-release.md) + diff --git a/reports/ghaf-23.09/data.csv b/reports/ghaf-23.09/data.csv new file mode 100644 index 0000000..d885f12 --- /dev/null +++ b/reports/ghaf-23.09/data.csv 
@@ -0,0 +1,659 @@ +"target","flakeref","pintype","vuln_id","url","package","severity","version_local","version_nixpkgs","version_upstream","package_repology","sortcol","whitelist","whitelist_comment","classify","nixpkgs_pr" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","GHSA-j7hp-h8jx-5ppr","https://osv.dev/GHSA-j7hp-h8jx-5ppr","electron","","25.7.0","27.0.0","27.0.3","electron","2023A1699142400","False","","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","GHSA-qqvq-6xgj-jw8g","https://osv.dev/GHSA-qqvq-6xgj-jw8g","electron","","25.7.0","27.0.0","27.0.3","electron","2023A1696464000","False","","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","GHSA-6898-wx94-8jq8","https://osv.dev/GHSA-6898-wx94-8jq8","libnotify","","0.8.2","","","","2023A1694131200","True","Incorrect package: Issue refers node-libnotify https://github.com/mytrile/node-libnotify, whereas nixpkgs refers gnome-libnotify https://gitlab.gnome.org/GNOME/libnotify.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","GHSA-wrrj-h57r-vx9p","https://osv.dev/GHSA-wrrj-h57r-vx9p","cargo","","1.69.0","","","","2023A1692835200","True","Duplicate to CVE-2023-40030.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","GHSA-w596-4wvx-j9j6","https://osv.dev/GHSA-w596-4wvx-j9j6","py","","1.11.0","1.11.0","1.11.0","python:py","2023A1691452800","False","","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2023-46407","https://nvd.nist.gov/vuln/detail/CVE-2023-46407","ffmpeg","5.5","5.1.3","6.0","6.0","ffmpeg","2023A0000046407","False","","fix_not_available","" 
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2023-46407","https://nvd.nist.gov/vuln/detail/CVE-2023-46407","ffmpeg","5.5","4.4.4","6.0","6.0","ffmpeg","2023A0000046407","False","","fix_not_available","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2023-46246","https://nvd.nist.gov/vuln/detail/CVE-2023-46246","vim","5.5","9.0.1441","9.0.1897","9.0.2092","vim","2023A0000046246","False","","fix_update_to_version_upstream","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2023-45853","https://nvd.nist.gov/vuln/detail/CVE-2023-45853","zlib","9.8","1.2.13","1.3","1.3","zlib","2023A0000045853","False","","fix_not_available","https://github.com/NixOS/nixpkgs/pull/262722 +https://github.com/NixOS/nixpkgs/pull/263083" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2023-45322","https://nvd.nist.gov/vuln/detail/CVE-2023-45322","libxml2","6.5","2.10.4","2.11.5","2.11.5","libxml2","2023A0000045322","False","","fix_not_available","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2023-44488","https://nvd.nist.gov/vuln/detail/CVE-2023-44488","libvpx","7.5","1.13.0","1.13.1","1.13.1","libvpx","2023A0000044488","False","","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/258295 +https://github.com/NixOS/nixpkgs/pull/258350 +https://github.com/NixOS/nixpkgs/pull/259881 +https://github.com/NixOS/nixpkgs/pull/260189" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2023-44487","https://nvd.nist.gov/vuln/detail/CVE-2023-44487","nghttp2","7.5","1.51.0","1.57.0","1.58.0","nghttp2","2023A0000044487","False","","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/259329 +https://github.com/NixOS/nixpkgs/pull/262022 
+https://github.com/NixOS/nixpkgs/pull/262713 +https://github.com/NixOS/nixpkgs/pull/262718 +https://github.com/NixOS/nixpkgs/pull/262738" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2023-44487","https://nvd.nist.gov/vuln/detail/CVE-2023-44487","go","7.5","1.20.7","1.21.3","1.21.4","go","2023A0000044487","False","","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/259329 +https://github.com/NixOS/nixpkgs/pull/262022 +https://github.com/NixOS/nixpkgs/pull/262713 +https://github.com/NixOS/nixpkgs/pull/262718 +https://github.com/NixOS/nixpkgs/pull/262738" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2023-44487","https://nvd.nist.gov/vuln/detail/CVE-2023-44487","go","7.5","1.17.13-linux-amd64-bootstrap","1.21.3","1.21.4","go","2023A0000044487","False","","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/259329 +https://github.com/NixOS/nixpkgs/pull/262022 +https://github.com/NixOS/nixpkgs/pull/262713 +https://github.com/NixOS/nixpkgs/pull/262718 +https://github.com/NixOS/nixpkgs/pull/262738" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2023-43789","https://nvd.nist.gov/vuln/detail/CVE-2023-43789","libXpm","5.5","3.5.15","3.5.17","3.5.17","libxpm","2023A0000043789","False","","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/258841 +https://github.com/NixOS/nixpkgs/pull/258996" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2023-43788","https://nvd.nist.gov/vuln/detail/CVE-2023-43788","libXpm","5.5","3.5.15","3.5.17","3.5.17","libxpm","2023A0000043788","False","","err_not_vulnerable_based_on_repology","" 
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2023-43787","https://nvd.nist.gov/vuln/detail/CVE-2023-43787","libX11","7.8","1.8.6","1.8.7","1.8.7","libx11","2023A0000043787","False","","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/258841 +https://github.com/NixOS/nixpkgs/pull/258996" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2023-43786","https://nvd.nist.gov/vuln/detail/CVE-2023-43786","libX11","5.5","1.8.6","1.8.7","1.8.7","libx11","2023A0000043786","False","","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/258841 +https://github.com/NixOS/nixpkgs/pull/258996" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2023-43785","https://nvd.nist.gov/vuln/detail/CVE-2023-43785","libX11","5.5","1.8.6","1.8.7","1.8.7","libx11","2023A0000043785","False","","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/258841 +https://github.com/NixOS/nixpkgs/pull/258996" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2023-41330","https://nvd.nist.gov/vuln/detail/CVE-2023-41330","snappy","9.8","1.1.10","","","","2023A0000041330","True","Incorrect package: Issue concerns snappy php library: https://github.com/KnpLabs/snappy, whereas, nixpkgs ""snappy"" refers snappy compression library: https://google.github.io/snappy/. 
Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2023-41175","https://nvd.nist.gov/vuln/detail/CVE-2023-41175","libtiff","6.5","4.5.1","4.5.1","4.6.0","tiff","2023A0000041175","False","","fix_update_to_version_upstream","https://github.com/NixOS/nixpkgs/pull/261791 +https://github.com/NixOS/nixpkgs/pull/264613" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2023-40745","https://nvd.nist.gov/vuln/detail/CVE-2023-40745","libtiff","6.5","4.5.1","4.5.1","4.6.0","tiff","2023A0000040745","False","","fix_update_to_version_upstream","https://github.com/NixOS/nixpkgs/pull/261791 +https://github.com/NixOS/nixpkgs/pull/264613" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2023-40360","https://nvd.nist.gov/vuln/detail/CVE-2023-40360","qemu","5.5","8.0.4","8.1.2","8.1.2","qemu","2023A0000040360","False","","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/251154 +https://github.com/NixOS/nixpkgs/pull/261753" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2023-40359","https://nvd.nist.gov/vuln/detail/CVE-2023-40359","xterm","9.8","379","384","388","xterm","2023A0000040359","False","Backport to 23.05 ongoing in PR: https://github.com/NixOS/nixpkgs/pull/254541.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/244141 +https://github.com/NixOS/nixpkgs/pull/254541 +https://github.com/NixOS/nixpkgs/pull/258619" 
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2023-39742","https://nvd.nist.gov/vuln/detail/CVE-2023-39742","giflib","5.5","5.2.1","5.2.1","5.2.1","giflib","2023A0000039742","False","","fix_not_available","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2023-39325","https://nvd.nist.gov/vuln/detail/CVE-2023-39325","go","7.5","1.20.7","1.21.3","1.21.4","go","2023A0000039325","False","","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/259329 +https://github.com/NixOS/nixpkgs/pull/262713 +https://github.com/NixOS/nixpkgs/pull/266176" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2023-39323","https://nvd.nist.gov/vuln/detail/CVE-2023-39323","go","9.8","1.20.7","1.21.3","1.21.4","go","2023A0000039323","False","","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/259329 +https://github.com/NixOS/nixpkgs/pull/266176" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2023-39323","https://nvd.nist.gov/vuln/detail/CVE-2023-39323","go","9.8","1.17.13-linux-amd64-bootstrap","1.21.3","1.21.4","go","2023A0000039323","False","","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/259329 +https://github.com/NixOS/nixpkgs/pull/266176" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2023-39319","https://nvd.nist.gov/vuln/detail/CVE-2023-39319","go","6.1","1.20.7","1.21.3","1.21.4","go","2023A0000039319","False","","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/259329 +https://github.com/NixOS/nixpkgs/pull/266176" 
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2023-39319","https://nvd.nist.gov/vuln/detail/CVE-2023-39319","go","6.1","1.17.13-linux-amd64-bootstrap","1.21.3","1.21.4","go","2023A0000039319","False","","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/259329 +https://github.com/NixOS/nixpkgs/pull/266176" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2023-39318","https://nvd.nist.gov/vuln/detail/CVE-2023-39318","go","6.1","1.20.7","1.21.3","1.21.4","go","2023A0000039318","False","","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/259329 +https://github.com/NixOS/nixpkgs/pull/266176" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2023-39318","https://nvd.nist.gov/vuln/detail/CVE-2023-39318","go","6.1","1.17.13-linux-amd64-bootstrap","1.21.3","1.21.4","go","2023A0000039318","False","","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/259329 +https://github.com/NixOS/nixpkgs/pull/266176" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2023-38858","https://nvd.nist.gov/vuln/detail/CVE-2023-38858","faad2","6.5","2.10.1","2.10.1","2.11.0","faad2","2023A0000038858","False","","fix_update_to_version_upstream","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2023-38857","https://nvd.nist.gov/vuln/detail/CVE-2023-38857","faad2","5.5","2.10.1","2.10.1","2.11.0","faad2","2023A0000038857","False","","fix_update_to_version_upstream","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2023-38039","https://nvd.nist.gov/vuln/detail/CVE-2023-38039","curl","7.5","8.1.1","8.4.0","8.4.0.4","curl","2023A0000038039","False","","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/254962 
+https://github.com/NixOS/nixpkgs/pull/254963 +https://github.com/NixOS/nixpkgs/pull/260378" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2023-37769","https://nvd.nist.gov/vuln/detail/CVE-2023-37769","pixman","6.5","0.42.2","0.42.2","0.42.2","pixman","2023A0000037769","False","See: https://gitlab.freedesktop.org/pixman/pixman/-/issues/76: ""This somehow got assigned CVE-2023-37769, not sure why NVD keeps assigning CVEs like this. This is just a test executable"".","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2023-35945","https://nvd.nist.gov/vuln/detail/CVE-2023-35945","nghttp2","7.5","1.51.0","1.57.0","1.58.0","nghttp2","2023A0000035945","False","","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/219712 +https://github.com/NixOS/nixpkgs/pull/246068 +https://github.com/NixOS/nixpkgs/pull/265047" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2023-31975","https://nvd.nist.gov/vuln/detail/CVE-2023-31975","yasm","3.3","1.3.0","","","","2023A0000031975","True","Memory leak in CLI tool, no security impact.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2023-31974","https://nvd.nist.gov/vuln/detail/CVE-2023-31974","yasm","5.5","1.3.0","","","","2023A0000031974","True","Crash in CLI tool, no security impact.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2023-31973","https://nvd.nist.gov/vuln/detail/CVE-2023-31973","yasm","5.5","1.3.0","","","","2023A0000031973","True","Crash in CLI tool, no security impact.","err_missing_repology_version","" 
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2023-31972","https://nvd.nist.gov/vuln/detail/CVE-2023-31972","yasm","5.5","1.3.0","","","","2023A0000031972","True","Crash in CLI tool, no security impact.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2023-31486","https://nvd.nist.gov/vuln/detail/CVE-2023-31486","perl","8.1","5.36.0-env","","","","2023A0000031486","True","Fixed upstream with https://github.com/chansen/p5-http-tiny/pull/153 and nixpkgs patched the issue already in 08/2022 with https://github.com/NixOS/nixpkgs/pull/187480.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2023-31486","https://nvd.nist.gov/vuln/detail/CVE-2023-31486","perl","8.1","5.36.0","","","","2023A0000031486","True","Fixed upstream with https://github.com/chansen/p5-http-tiny/pull/153 and nixpkgs patched the issue already in 08/2022 with https://github.com/NixOS/nixpkgs/pull/187480.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2023-31484","https://nvd.nist.gov/vuln/detail/CVE-2023-31484","perl","8.1","5.36.0-env","5.38.0","5.38.0","perl","2023A0000031484","False","","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/241848 +https://github.com/NixOS/nixpkgs/pull/247547 +https://github.com/NixOS/nixpkgs/pull/256402" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2023-31484","https://nvd.nist.gov/vuln/detail/CVE-2023-31484","perl","8.1","5.36.0","5.38.0","5.38.0","perl","2023A0000031484","False","","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/241848 +https://github.com/NixOS/nixpkgs/pull/247547 +https://github.com/NixOS/nixpkgs/pull/256402" 
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2023-30571","https://nvd.nist.gov/vuln/detail/CVE-2023-30571","libarchive","5.3","3.6.2","3.7.2","3.7.2","libarchive","2023A0000030571","False","No upstream fix available, see: https://github.com/libarchive/libarchive/issues/1876.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/244713 +https://github.com/NixOS/nixpkgs/pull/256930" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2023-30402","https://nvd.nist.gov/vuln/detail/CVE-2023-30402","yasm","5.5","1.3.0","","","","2023A0000030402","True","Crash in CLI tool, no security impact.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2023-29409","https://nvd.nist.gov/vuln/detail/CVE-2023-29409","go","5.3","1.17.13-linux-amd64-bootstrap","1.21.3","1.21.4","go","2023A0000029409","False","See: https://github.com/golang/go/issues/61580, fixed by update to go 1.20.7: nixpkgs PR https://github.com/NixOS/nixpkgs/pull/246663.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/247034 +https://github.com/NixOS/nixpkgs/pull/259329 +https://github.com/NixOS/nixpkgs/pull/266176" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2023-29406","https://nvd.nist.gov/vuln/detail/CVE-2023-29406","go","6.5","1.17.13-linux-amd64-bootstrap","","","","2023A0000029406","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2023-29405","https://nvd.nist.gov/vuln/detail/CVE-2023-29405","go","9.8","1.17.13-linux-amd64-bootstrap","","","","2023A0000029405","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version","" 
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2023-29404","https://nvd.nist.gov/vuln/detail/CVE-2023-29404","go","9.8","1.17.13-linux-amd64-bootstrap","","","","2023A0000029404","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2023-29403","https://nvd.nist.gov/vuln/detail/CVE-2023-29403","go","7.8","1.17.13-linux-amd64-bootstrap","","","","2023A0000029403","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2023-29402","https://nvd.nist.gov/vuln/detail/CVE-2023-29402","go","9.8","1.17.13-linux-amd64-bootstrap","","","","2023A0000029402","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2023-29400","https://nvd.nist.gov/vuln/detail/CVE-2023-29400","go","7.3","1.17.13-linux-amd64-bootstrap","","","","2023A0000029400","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2023-29383","https://nvd.nist.gov/vuln/detail/CVE-2023-29383","shadow","3.3","4.13","4.14.0","4.14.2","shadow","2023A0000029383","False","Pending merge for nixpkgs master PR: https://github.com/NixOS/nixpkgs/pull/233924. 
TODO: consider taking the upstream version update to 4.14 instead: https://github.com/shadow-maint/shadow/releases.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/254143 +https://github.com/NixOS/nixpkgs/pull/259826" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2023-28115","https://nvd.nist.gov/vuln/detail/CVE-2023-28115","snappy","9.8","1.1.10","","","","2023A0000028115","True","Incorrect package: Issue concerns snappy php library: https://github.com/KnpLabs/snappy, whereas, nixpkgs ""snappy"" refers snappy compression library: https://google.github.io/snappy/. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2023-25588","https://nvd.nist.gov/vuln/detail/CVE-2023-25588","binutils","5.5","2.40","2.40","2.41","binutils","2023A0000025588","False","","fix_update_to_version_upstream","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2023-25586","https://nvd.nist.gov/vuln/detail/CVE-2023-25586","binutils","5.5","2.40","2.40","2.41","binutils","2023A0000025586","False","","fix_update_to_version_upstream","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2023-25585","https://nvd.nist.gov/vuln/detail/CVE-2023-25585","binutils","5.5","2.40","2.40","2.41","binutils","2023A0000025585","False","","fix_update_to_version_upstream","" 
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2023-25584","https://nvd.nist.gov/vuln/detail/CVE-2023-25584","binutils","7.1","2.40","2.40","2.41","binutils","2023A0000025584","False","","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2023-24540","https://nvd.nist.gov/vuln/detail/CVE-2023-24540","go","9.8","1.17.13-linux-amd64-bootstrap","","","","2023A0000024540","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2023-24539","https://nvd.nist.gov/vuln/detail/CVE-2023-24539","go","7.3","1.17.13-linux-amd64-bootstrap","","","","2023A0000024539","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2023-24538","https://nvd.nist.gov/vuln/detail/CVE-2023-24538","go","9.8","1.17.13-linux-amd64-bootstrap","","","","2023A0000024538","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2023-24537","https://nvd.nist.gov/vuln/detail/CVE-2023-24537","go","7.5","1.17.13-linux-amd64-bootstrap","","","","2023A0000024537","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2023-24536","https://nvd.nist.gov/vuln/detail/CVE-2023-24536","go","7.5","1.17.13-linux-amd64-bootstrap","","","","2023A0000024536","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version","" 
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2023-24534","https://nvd.nist.gov/vuln/detail/CVE-2023-24534","go","7.5","1.17.13-linux-amd64-bootstrap","","","","2023A0000024534","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2023-24532","https://nvd.nist.gov/vuln/detail/CVE-2023-24532","go","5.3","1.17.13-linux-amd64-bootstrap","","","","2023A0000024532","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2023-5752","https://nvd.nist.gov/vuln/detail/CVE-2023-5752","pip","3.3","23.0.1-source","23.2.1","23.3.1","pip","2023A0000005752","False","","fix_update_to_version_upstream","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2023-5535","https://nvd.nist.gov/vuln/detail/CVE-2023-5535","vim","7.8","9.0.1441","9.0.1897","9.0.2092","vim","2023A0000005535","False","","fix_update_to_version_upstream","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2023-5441","https://nvd.nist.gov/vuln/detail/CVE-2023-5441","vim","5.5","9.0.1441","9.0.1897","9.0.2092","vim","2023A0000005441","False","","fix_update_to_version_upstream","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2023-5344","https://nvd.nist.gov/vuln/detail/CVE-2023-5344","vim","7.5","9.0.1441","9.0.1897","9.0.2092","vim","2023A0000005344","False","","fix_update_to_version_upstream","" 
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2023-5156","https://nvd.nist.gov/vuln/detail/CVE-2023-5156","glibc","7.5","2.37-8","","","","2023A0000005156","False","","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2023-4863","https://nvd.nist.gov/vuln/detail/CVE-2023-4863","libwebp","8.8","1.3.1","1.3.2","1.3.2","libwebp","2023A0000004863","False","","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/255339 +https://github.com/NixOS/nixpkgs/pull/255786 +https://github.com/NixOS/nixpkgs/pull/255959 +https://github.com/NixOS/nixpkgs/pull/258217 +https://github.com/NixOS/nixpkgs/pull/258430" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2023-4807","https://nvd.nist.gov/vuln/detail/CVE-2023-4807","openssl","7.8","3.0.10","3.0.11","3.1.4","openssl","2023A0000004807","False","","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/254106 +https://github.com/NixOS/nixpkgs/pull/254185 +https://github.com/NixOS/nixpkgs/pull/254574 +https://github.com/NixOS/nixpkgs/pull/256127 +https://github.com/NixOS/nixpkgs/pull/265619" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2023-4781","https://nvd.nist.gov/vuln/detail/CVE-2023-4781","vim","7.8","9.0.1441","9.0.1897","9.0.2092","vim","2023A0000004781","False","Backport nixpkgs PR https://github.com/NixOS/nixpkgs/pull/254666 to 23.05 once it's merged to unstable/staging.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/254666 +https://github.com/NixOS/nixpkgs/pull/261952" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2023-4752","https://nvd.nist.gov/vuln/detail/CVE-2023-4752","vim","7.8","9.0.1441","9.0.1897","9.0.2092","vim","2023A0000004752","False","Backport nixpkgs PR 
https://github.com/NixOS/nixpkgs/pull/254666 to 23.05 once it's merged to unstable/staging.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/254666 +https://github.com/NixOS/nixpkgs/pull/261952" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2023-4750","https://nvd.nist.gov/vuln/detail/CVE-2023-4750","vim","7.8","9.0.1441","9.0.1897","9.0.2092","vim","2023A0000004750","False","Backport nixpkgs PR https://github.com/NixOS/nixpkgs/pull/254666 to 23.05 once it's merged to unstable/staging.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/254666 +https://github.com/NixOS/nixpkgs/pull/261952" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2023-4738","https://nvd.nist.gov/vuln/detail/CVE-2023-4738","vim","7.8","9.0.1441","9.0.1897","9.0.2092","vim","2023A0000004738","False","Backport nixpkgs PR https://github.com/NixOS/nixpkgs/pull/254666 to 23.05 once it's merged to unstable/staging.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/254666 +https://github.com/NixOS/nixpkgs/pull/261952" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2023-4736","https://nvd.nist.gov/vuln/detail/CVE-2023-4736","vim","7.8","9.0.1441","9.0.1897","9.0.2092","vim","2023A0000004736","False","Backport nixpkgs PR https://github.com/NixOS/nixpkgs/pull/254666 to 23.05 once it's merged to unstable/staging.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/254666 +https://github.com/NixOS/nixpkgs/pull/261952" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2023-4735","https://nvd.nist.gov/vuln/detail/CVE-2023-4735","vim","7.8","9.0.1441","9.0.1897","9.0.2092","vim","2023A0000004735","False","Backport nixpkgs PR https://github.com/NixOS/nixpkgs/pull/254666 to 23.05 once it's merged to 
unstable/staging.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/254666 +https://github.com/NixOS/nixpkgs/pull/261952" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2023-4734","https://nvd.nist.gov/vuln/detail/CVE-2023-4734","vim","7.8","9.0.1441","9.0.1897","9.0.2092","vim","2023A0000004734","False","Backport nixpkgs PR https://github.com/NixOS/nixpkgs/pull/254666 to 23.05 once it's merged to unstable/staging.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/254666 +https://github.com/NixOS/nixpkgs/pull/261952" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2023-4733","https://nvd.nist.gov/vuln/detail/CVE-2023-4733","vim","7.8","9.0.1441","9.0.1897","9.0.2092","vim","2023A0000004733","False","Backport nixpkgs PR https://github.com/NixOS/nixpkgs/pull/254666 to 23.05 once it's merged to unstable/staging.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/254666 +https://github.com/NixOS/nixpkgs/pull/261952" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2023-4527","https://nvd.nist.gov/vuln/detail/CVE-2023-4527","glibc","6.5","2.37-8","","","","2023A0000004527","False","","err_missing_repology_version","https://github.com/NixOS/nixpkgs/pull/256887" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2023-4504","https://nvd.nist.gov/vuln/detail/CVE-2023-4504","cups","7.8","2.4.6","2.4.7","2.4.7","cups","2023A0000004504","False","","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/256378 +https://github.com/NixOS/nixpkgs/pull/257637" 
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2023-4236","https://nvd.nist.gov/vuln/detail/CVE-2023-4236","bind","7.5","9.18.16","9.18.19","9.18.19","bind","2023A0000004236","False","","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/256396 +https://github.com/NixOS/nixpkgs/pull/256469" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2023-4135","https://nvd.nist.gov/vuln/detail/CVE-2023-4135","qemu","6.5","8.0.4","8.1.2","8.1.2","qemu","2023A0000004135","False","Fixed upstream in 8.1.0.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/261753" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2023-4039","https://nvd.nist.gov/vuln/detail/CVE-2023-4039","gcc","4.8","12.2.0","12.3.0","13.2.0","gcc","2023A0000004039","False","","fix_not_available","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2023-4016","https://nvd.nist.gov/vuln/detail/CVE-2023-4016","procps","5.5","3.3.17","","","","2023A0000004016","False","See: https://gitlab.com/procps-ng/procps/-/issues/297. 
Notice: repology package name is procps-ng: https://repology.org/project/procps-ng/versions.","err_missing_repology_version","https://github.com/NixOS/nixpkgs/pull/256065 +https://github.com/NixOS/nixpkgs/pull/256150 +https://github.com/NixOS/nixpkgs/pull/264266" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2023-3603","https://nvd.nist.gov/vuln/detail/CVE-2023-3603","libssh","6.5","0.10.5","","","","2023A0000003603","True","Based on https://security-tracker.debian.org/tracker/CVE-2023-3603 and https://bugzilla.redhat.com/show_bug.cgi?id=2221791, vulnerable code is not present in 0.10.5 or any currently released version.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2023-3354","https://nvd.nist.gov/vuln/detail/CVE-2023-3354","qemu","7.5","8.0.4","8.1.2","8.1.2","qemu","2023A0000003354","False","Fixed in 8.0.4: https://gitlab.com/qemu-project/qemu/-/commit/5300472ec0990c61742d89b5eea1c1e6941f6d62. Nixpkgs PR: https://github.com/NixOS/nixpkgs/pull/251036.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/248659 +https://github.com/NixOS/nixpkgs/pull/261753" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2023-3341","https://nvd.nist.gov/vuln/detail/CVE-2023-3341","bind","7.5","9.18.16","9.18.19","9.18.19","bind","2023A0000003341","False","","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/256396 +https://github.com/NixOS/nixpkgs/pull/256469" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2023-3180","https://nvd.nist.gov/vuln/detail/CVE-2023-3180","qemu","6.5","8.0.4","8.1.2","8.1.2","qemu","2023A0000003180","False","Fixed in 8.0.4: https://gitlab.com/qemu-project/qemu/-/commit/49f1e02bac166821c712534aaa775f50e1afe17f. 
Nixpkgs PR: https://github.com/NixOS/nixpkgs/pull/251036.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/248659 +https://github.com/NixOS/nixpkgs/pull/261753" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2023-3019","https://nvd.nist.gov/vuln/detail/CVE-2023-3019","qemu","6.5","8.0.4","8.1.2","8.1.2","qemu","2023A0000003019","False","Revisit when fixed upstream: https://lists.nongnu.org/archive/html/qemu-devel/2023-05/msg08310.html.","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2023-2680","https://nvd.nist.gov/vuln/detail/CVE-2023-2680","qemu","8.2","8.0.4","8.1.2","8.1.2","qemu","2023A0000002680","False","","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2023-2610","https://nvd.nist.gov/vuln/detail/CVE-2023-2610","vim","7.8","9.0.1441","9.0.1897","9.0.2092","vim","2023A0000002610","False","Backport nixpkgs PR https://github.com/NixOS/nixpkgs/pull/254666 to 23.05 once it's merged to unstable/staging.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/254666 +https://github.com/NixOS/nixpkgs/pull/261952" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2023-2609","https://nvd.nist.gov/vuln/detail/CVE-2023-2609","vim","5.5","9.0.1441","9.0.1897","9.0.2092","vim","2023A0000002609","False","Backport nixpkgs PR https://github.com/NixOS/nixpkgs/pull/254666 to 23.05 once it's merged to unstable/staging.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/254666 +https://github.com/NixOS/nixpkgs/pull/261952" 
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2023-2426","https://nvd.nist.gov/vuln/detail/CVE-2023-2426","vim","5.5","9.0.1441","9.0.1897","9.0.2092","vim","2023A0000002426","False","Backport nixpkgs PR https://github.com/NixOS/nixpkgs/pull/254666 to 23.05 once it's merged to unstable/staging.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/254666 +https://github.com/NixOS/nixpkgs/pull/261952" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2023-1386","https://nvd.nist.gov/vuln/detail/CVE-2023-1386","qemu","7.8","8.0.4","8.1.2","8.1.2","qemu","2023A0000001386","False","Revisit when fixed upstream: https://github.com/v9fs/linux/issues/29.","fix_not_available","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","OSV-2023-877","https://osv.dev/OSV-2023-877","libbpf","","1.2.0","1.2.2","1.2.2","libbpf","2023A0000000877","False","","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","OSV-2023-505","https://osv.dev/OSV-2023-505","file","","5.44","5.45","5.45","file","2023A0000000505","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","OSV-2023-390","https://osv.dev/OSV-2023-390","qemu","","8.0.4","8.1.2","8.1.2","qemu","2023A0000000390","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","OSV-2023-137","https://osv.dev/OSV-2023-137","harfbuzz","","7.2.0","","","","2023A0000000137","True","Based on https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=56510#c2, the issue is fixed in range 
https://github.com/harfbuzz/harfbuzz/compare/67e01c1292821e7b6fc2ab13acddb84ab41b2187...60841e26187576bff477c1a09ee2ffe544844abc all of which have been merged in 7.1.0.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2022-48434","https://nvd.nist.gov/vuln/detail/CVE-2022-48434","ffmpeg","8.1","4.4.4","","","","2022A0000048434","True","Scanners get confused by LTS release versions (non-linear version numbers). Upstream fix patch for 4.4.x is merged in 4.4.3 https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/d4b7b3c03ee2baf0166ce49dff17ec9beff684db.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2022-43357","https://nvd.nist.gov/vuln/detail/CVE-2022-43357","sassc","7.5","3.6.2","3.6.2","3.6.2","sassc","2022A0000043357","False","","fix_not_available","https://github.com/NixOS/nixpkgs/pull/264177" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","PYSEC-2022-42969","https://osv.dev/PYSEC-2022-42969","py","","1.11.0","","","","2022A0000042969","True","Same as CVE-2022-42969.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2022-42969","https://nvd.nist.gov/vuln/detail/CVE-2022-42969","py","7.5","1.11.0","","","","2022A0000042969","True","Disputed upstream: https://github.com/pytest-dev/py/issues/287#issuecomment-1283567565.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2022-41725","https://nvd.nist.gov/vuln/detail/CVE-2022-41725","go","7.5","1.17.13-linux-amd64-bootstrap","","","","2022A0000041725","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version","" 
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2022-41724","https://nvd.nist.gov/vuln/detail/CVE-2022-41724","go","7.5","1.17.13-linux-amd64-bootstrap","","","","2022A0000041724","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2022-41723","https://nvd.nist.gov/vuln/detail/CVE-2022-41723","go","7.5","1.17.13-linux-amd64-bootstrap","","","","2022A0000041723","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2022-41722","https://nvd.nist.gov/vuln/detail/CVE-2022-41722","go","7.5","1.17.13-linux-amd64-bootstrap","","","","2022A0000041722","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2022-41720","https://nvd.nist.gov/vuln/detail/CVE-2022-41720","go","7.5","1.17.13-linux-amd64-bootstrap","","","","2022A0000041720","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2022-41717","https://nvd.nist.gov/vuln/detail/CVE-2022-41717","go","5.3","1.17.13-linux-amd64-bootstrap","","","","2022A0000041717","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2022-41716","https://nvd.nist.gov/vuln/detail/CVE-2022-41716","go","7.5","1.17.13-linux-amd64-bootstrap","","","","2022A0000041716","True","See the discussion in: 
https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2022-41715","https://nvd.nist.gov/vuln/detail/CVE-2022-41715","go","7.5","1.17.13-linux-amd64-bootstrap","","","","2022A0000041715","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2022-38663","https://nvd.nist.gov/vuln/detail/CVE-2022-38663","git","6.5","2.40.1","","","","2022A0000038663","True","Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2022-37416","https://nvd.nist.gov/vuln/detail/CVE-2022-37416","libmpeg2","6.5","0.5.1","","","","2022A0000037416","True","NVD data issue: concerns Android only.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2022-36884","https://nvd.nist.gov/vuln/detail/CVE-2022-36884","git","5.3","2.40.1","","","","2022A0000036884","True","Incorrect package: Impacts Jenkins git plugin, not git. 
Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2022-36883","https://nvd.nist.gov/vuln/detail/CVE-2022-36883","git","7.5","2.40.1","","","","2022A0000036883","True","Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2022-36882","https://nvd.nist.gov/vuln/detail/CVE-2022-36882","git","8.8","2.40.1","","","","2022A0000036882","True","Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2022-36073","https://nvd.nist.gov/vuln/detail/CVE-2022-36073","rubygems","8.8","3.4.13","","","","2022A0000036073","True","Latest impacted version in 3.x is 3.0.4.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2022-30949","https://nvd.nist.gov/vuln/detail/CVE-2022-30949","git","5.3","2.40.1","","","","2022A0000030949","True","Incorrect package: Impacts Jenkins git plugin, not git. 
Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2022-30947","https://nvd.nist.gov/vuln/detail/CVE-2022-30947","git","7.5","2.40.1","","","","2022A0000030947","True","Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2022-28321","https://nvd.nist.gov/vuln/detail/CVE-2022-28321","linux-pam","9.8","1.5.2","","","","2022A0000028321","True","Only impacts SUSE-specific patch version. 
Notice: repology package name is pam: https://repology.org/project/pam/versions.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2022-27664","https://nvd.nist.gov/vuln/detail/CVE-2022-27664","go","7.5","1.17.13-linux-amd64-bootstrap","","","","2022A0000027664","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2022-26691","https://nvd.nist.gov/vuln/detail/CVE-2022-26691","cups","6.7","2.4.6","","","","2022A0000026691","True","Fixed in nixpkgs with PR: https://github.com/NixOS/nixpkgs/pull/174898.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2022-26592","https://nvd.nist.gov/vuln/detail/CVE-2022-26592","libsass","8.8","3.6.5","","","","2022A0000026592","True","Pending upstream fix: https://github.com/sass/libsass/issues/3174.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","MAL-2022-4301","https://osv.dev/MAL-2022-4301","libidn2","","2.3.4","","","","2022A0000004301","True","Incorrect package: Issue refers npm libidn2, whereas, nixpkgs refers libidn2 https://gitlab.com/libidn/libidn2.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2022-3965","https://nvd.nist.gov/vuln/detail/CVE-2022-3965","ffmpeg","8.1","5.1.3","","","","2022A0000003965","True","Scanners get confused by LTS release versions (non-linear version numbers). 
Upstream fix patch for 5.1.x is merged in 5.1.3 https://github.com/FFmpeg/FFmpeg/commit/7c234248f859baa35e55c3dbbb7a359eae1c5257.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2022-3964","https://nvd.nist.gov/vuln/detail/CVE-2022-3964","ffmpeg","8.1","5.1.3","","","","2022A0000003964","True","Scanners get confused by LTS release versions (non-linear version numbers). Upstream fix patch for 4.4.x is merged in 4.4.4 https://github.com/FFmpeg/FFmpeg/commit/ad28b01a141703b831256b712e0613281b15fcf0.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2022-3964","https://nvd.nist.gov/vuln/detail/CVE-2022-3964","ffmpeg","8.1","4.4.4","","","","2022A0000003964","True","Scanners get confused by LTS release versions (non-linear version numbers). Upstream fix patch for 4.4.x is merged in 4.4.4 https://github.com/FFmpeg/FFmpeg/commit/ad28b01a141703b831256b712e0613281b15fcf0.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2022-3341","https://nvd.nist.gov/vuln/detail/CVE-2022-3341","ffmpeg","5.3","4.4.4","","","","2022A0000003341","True","Scanners get confused by LTS release versions (non-linear version numbers). 
Upstream fix patch for 4.4.x is merged in 4.4.4 https://github.com/FFmpeg/FFmpeg/commit/c513bd48039a718dabf6d7a829efb6732693c04b.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2022-3219","https://nvd.nist.gov/vuln/detail/CVE-2022-3219","gnupg","3.3","2.4.0","","","","2022A0000003219","True","Fix patch is not accepted upstream: https://dev.gnupg.org/D556.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2022-3109","https://nvd.nist.gov/vuln/detail/CVE-2022-3109","ffmpeg","7.5","4.4.4","","","","2022A0000003109","True","Scanners get confused by LTS release versions (non-linear version numbers). Upstream fix patch for 4.4.x is merged in 4.4.4 https://github.com/FFmpeg/FFmpeg/commit/4d82b7bac42c9d35d4f9f145a85e6cbc1fe914f2.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2022-2880","https://nvd.nist.gov/vuln/detail/CVE-2022-2880","go","7.5","1.17.13-linux-amd64-bootstrap","","","","2022A0000002880","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2022-2879","https://nvd.nist.gov/vuln/detail/CVE-2022-2879","go","7.5","1.17.13-linux-amd64-bootstrap","","","","2022A0000002879","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","OSV-2022-1193","https://osv.dev/OSV-2022-1193","libarchive","","3.6.2","","","","2022A0000001193","True","Fixed based on https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=53594#c3.","err_missing_repology_version","" 
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","OSV-2022-908","https://osv.dev/OSV-2022-908","bluez","","5.66","5.66","5.70","bluez","2022A0000000908","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","OSV-2022-896","https://osv.dev/OSV-2022-896","libsass","","3.6.5","3.6.5","3.6.5","libsass","2022A0000000896","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","OSV-2022-859","https://osv.dev/OSV-2022-859","bluez","","5.66","5.66","5.70","bluez","2022A0000000859","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2022-0856","https://nvd.nist.gov/vuln/detail/CVE-2022-0856","libcaca","6.5","0.99.beta20","","","","2022A0000000856","True","Crash in CLI tool, no security impact.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","OSV-2022-842","https://osv.dev/OSV-2022-842","wolfssl","","5.5.4","","","","2022A0000000842","False","Unclear if this is still valid.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","OSV-2022-725","https://osv.dev/OSV-2022-725","libjxl","","0.8.2","0.8.2","0.8.2","libjxl","2022A0000000725","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","OSV-2022-608","https://osv.dev/OSV-2022-608","libjxl","","0.8.2","0.8.2","0.8.2","libjxl","2022A0000000608","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology","" 
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","OSV-2022-581","https://osv.dev/OSV-2022-581","qemu","","8.0.4","8.1.2","8.1.2","qemu","2022A0000000581","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","OSV-2022-530","https://osv.dev/OSV-2022-530","espeak-ng","","1.51.1","1.51.1","1.51.1","espeak-ng","2022A0000000530","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","OSV-2022-519","https://osv.dev/OSV-2022-519","espeak-ng","","1.51.1","1.51.1","1.51.1","espeak-ng","2022A0000000519","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","OSV-2022-462","https://osv.dev/OSV-2022-462","espeak-ng","","1.51.1","1.51.1","1.51.1","espeak-ng","2022A0000000462","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","OSV-2022-416","https://osv.dev/OSV-2022-416","openjpeg","","2.5.0","","","","2022A0000000416","True","Fixed based on https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47500#c2.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","OSV-2022-394","https://osv.dev/OSV-2022-394","opencv","","4.7.0","4.7.0","4.8.1","opencv","2022A0000000394","False","No attention from upstream: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47190.","err_not_vulnerable_based_on_repology","" 
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","OSV-2022-193","https://osv.dev/OSV-2022-193","w3m","","0.5.3+git20230121","0.5.3+git20230121","0.5.3+git20230121","w3m","2022A0000000193","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","OSV-2022-183","https://osv.dev/OSV-2022-183","binutils","","2.40","","","","2022A0000000183","True","Fixed based on https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=44864#c2.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","GHSA-mc7w-4cjf-c973","https://osv.dev/GHSA-mc7w-4cjf-c973","opencv","","4.7.0","","","","2021A1633564800","True","Incorrect package: Issue refers node-opencv, whereas, nixpkgs refers opencv https://github.com/opencv/opencv.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2021-46312","https://nvd.nist.gov/vuln/detail/CVE-2021-46312","djvulibre","6.5","3.5.28","3.5.28","3.5.28","djvulibre","2021A0000046312","False","","fix_not_available","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2021-46310","https://nvd.nist.gov/vuln/detail/CVE-2021-46310","djvulibre","6.5","3.5.28","3.5.28","3.5.28","djvulibre","2021A0000046310","False","","fix_not_available","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2021-39205","https://nvd.nist.gov/vuln/detail/CVE-2021-39205","jitsi-meet","6.1","1.0.6943","","","","2021A0000039205","True","Does not impact the version in nixpkgs as mentioned in https://github.com/NixOS/nixpkgs/issues/142979#issuecomment-964291845.","err_missing_repology_version","" 
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2021-33506","https://nvd.nist.gov/vuln/detail/CVE-2021-33506","jitsi-meet","7.5","1.0.6943","","","","2021A0000033506","True","Fixed in nixpkgs as mentioned in https://github.com/NixOS/nixpkgs/issues/132134#issuecomment-890319135.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2021-33468","https://nvd.nist.gov/vuln/detail/CVE-2021-33468","yasm","5.5","1.3.0","","","","2021A0000033468","True","Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2021-33467","https://nvd.nist.gov/vuln/detail/CVE-2021-33467","yasm","5.5","1.3.0","","","","2021A0000033467","True","Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2021-33466","https://nvd.nist.gov/vuln/detail/CVE-2021-33466","yasm","5.5","1.3.0","","","","2021A0000033466","True","Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2021-33465","https://nvd.nist.gov/vuln/detail/CVE-2021-33465","yasm","5.5","1.3.0","","","","2021A0000033465","True","Issue is not fixed upstream. 
Other distributions have triaged the issue as minor or 'no security impact'.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2021-33464","https://nvd.nist.gov/vuln/detail/CVE-2021-33464","yasm","5.5","1.3.0","","","","2021A0000033464","True","Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2021-33463","https://nvd.nist.gov/vuln/detail/CVE-2021-33463","yasm","5.5","1.3.0","","","","2021A0000033463","True","Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2021-33462","https://nvd.nist.gov/vuln/detail/CVE-2021-33462","yasm","5.5","1.3.0","","","","2021A0000033462","True","Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2021-33461","https://nvd.nist.gov/vuln/detail/CVE-2021-33461","yasm","5.5","1.3.0","","","","2021A0000033461","True","Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2021-33460","https://nvd.nist.gov/vuln/detail/CVE-2021-33460","yasm","5.5","1.3.0","","","","2021A0000033460","True","Issue is not fixed upstream. 
Other distributions have triaged the issue as minor or 'no security impact'.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2021-33459","https://nvd.nist.gov/vuln/detail/CVE-2021-33459","yasm","5.5","1.3.0","","","","2021A0000033459","True","Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2021-33458","https://nvd.nist.gov/vuln/detail/CVE-2021-33458","yasm","5.5","1.3.0","","","","2021A0000033458","True","Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2021-33457","https://nvd.nist.gov/vuln/detail/CVE-2021-33457","yasm","5.5","1.3.0","","","","2021A0000033457","True","Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2021-33456","https://nvd.nist.gov/vuln/detail/CVE-2021-33456","yasm","5.5","1.3.0","","","","2021A0000033456","True","Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2021-33455","https://nvd.nist.gov/vuln/detail/CVE-2021-33455","yasm","5.5","1.3.0","","","","2021A0000033455","True","Issue is not fixed upstream. 
Other distributions have triaged the issue as minor or 'no security impact'.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2021-33454","https://nvd.nist.gov/vuln/detail/CVE-2021-33454","yasm","5.5","1.3.0","","","","2021A0000033454","True","Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2021-30499","https://nvd.nist.gov/vuln/detail/CVE-2021-30499","libcaca","7.8","0.99.beta20","","","","2021A0000030499","True","NVD data issue: CPE entry does not correctly state the version numbers. Issue is fixed in v0.99.beta20: https://github.com/cacalabs/libcaca/releases/tag/v0.99.beta20.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2021-26945","https://nvd.nist.gov/vuln/detail/CVE-2021-26945","openexr","5.5","2.5.8","","","","2021A0000026945","True","Fix patch https://github.com/AcademySoftwareFoundation/openexr/pull/930/commits/b73ec53bd24ba116d7bf48ebdc868301c596706e modifies a file that is not available in openexr 2. Thus, the fix doesn't apply to 2.5.8.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2021-26720","https://nvd.nist.gov/vuln/detail/CVE-2021-26720","avahi","7.8","0.8","","","","2021A0000026720","True","False positive: issue refers avahi-daemon-check-dns.sh in the Debian avahi package. 
As such, the issue is specific to Debian and its derivatives.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2021-26260","https://nvd.nist.gov/vuln/detail/CVE-2021-26260","openexr","5.5","2.5.8","","","","2021A0000026260","True","False positive to the NVD data issue. Fixed in openexr 2.5.8. Upstream fix PR https://github.com/AcademySoftwareFoundation/openexr/commit/4212416433a230334cef0ac122cb8d722746035d which went to 2.5.5.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2021-23215","https://nvd.nist.gov/vuln/detail/CVE-2021-23215","openexr","5.5","2.5.8","","","","2021A0000023215","True","False positive to the NVD data issue. Fixed in openexr 2.5.8. Upstream fix PR https://github.com/AcademySoftwareFoundation/openexr/commit/4212416433a230334cef0ac122cb8d722746035d which went to 2.5.5.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2021-23169","https://nvd.nist.gov/vuln/detail/CVE-2021-23169","openexr","8.8","2.5.8","","","","2021A0000023169","True","False positive to the NVD data issue. Fixed in openexr 2.5.8. Upstream fix PR https://github.com/AcademySoftwareFoundation/openexr/pull/1040 which went to 2.5.7.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2021-21684","https://nvd.nist.gov/vuln/detail/CVE-2021-21684","git","6.1","2.40.1","","","","2021A0000021684","True","Incorrect package: Impacts Jenkins git plugin, not git. 
Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2021-20255","https://nvd.nist.gov/vuln/detail/CVE-2021-20255","qemu","5.5","8.0.4","","","","2021A0000020255","True","Upstream patch not merged: https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg06098.html. No point fixing this in nixpkgs as long as it is not fixed upstream.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2021-4336","https://nvd.nist.gov/vuln/detail/CVE-2021-4336","ninja","9.8","1.11.1","","","","2021A0000004336","True","Incorrect package: nixpkgs 'ninja' refers https://github.com/ninja-build/ninja, not https://github.com/ITRS-Group/monitor-ninja.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2021-4217","https://nvd.nist.gov/vuln/detail/CVE-2021-4217","unzip","3.3","6.0","","","","2021A0000004217","True","Ignored by other distribution as 'no security impact', e.g. Debian: https://security-tracker.debian.org/tracker/CVE-2021-4217.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2021-3605","https://nvd.nist.gov/vuln/detail/CVE-2021-3605","openexr","5.5","2.5.8","","","","2021A0000003605","True","False positive to the NVD data issue. Fixed in openexr 2.5.8. 
Upstream fix PR https://github.com/AcademySoftwareFoundation/openexr/pull/1040 which went to 2.5.7.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2021-3598","https://nvd.nist.gov/vuln/detail/CVE-2021-3598","openexr","5.5","2.5.8","","","","2021A0000003598","True","False positive to the NVD data issue. Fixed in openexr 2.5.8. Upstream fix PR https://github.com/AcademySoftwareFoundation/openexr/pull/1040 which went to 2.5.7.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","OSV-2021-1157","https://osv.dev/OSV-2021-1157","espeak-ng","","1.51.1","1.51.1","1.51.1","espeak-ng","2021A0000001157","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","OSV-2021-1141","https://osv.dev/OSV-2021-1141","espeak-ng","","1.51.1","1.51.1","1.51.1","espeak-ng","2021A0000001141","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","OSV-2021-1110","https://osv.dev/OSV-2021-1110","espeak-ng","","1.51.1","1.51.1","1.51.1","espeak-ng","2021A0000001110","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","OSV-2021-1041","https://osv.dev/OSV-2021-1041","espeak-ng","","1.51.1","1.51.1","1.51.1","espeak-ng","2021A0000001041","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","OSV-2021-1024","https://osv.dev/OSV-2021-1024","espeak-ng","","1.51.1","1.51.1","1.51.1","espeak-ng","2021A0000001024","False","Unclear if this is still 
valid.","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","OSV-2021-820","https://osv.dev/OSV-2021-820","qemu","","8.0.4","","","","2021A0000000820","True","Fixed based on https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=34831#c2.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","OSV-2021-802","https://osv.dev/OSV-2021-802","espeak-ng","","1.51.1","1.51.1","1.51.1","espeak-ng","2021A0000000802","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","OSV-2021-787","https://osv.dev/OSV-2021-787","espeak-ng","","1.51.1","1.51.1","1.51.1","espeak-ng","2021A0000000787","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","OSV-2021-777","https://osv.dev/OSV-2021-777","libxml2","","2.10.4","","","","2021A0000000777","True","Fixed by https://gitlab.gnome.org/GNOME/libxml2/-/commit/8f5ccada05ddd4a1ff8e399ad39fc7cd4bd33325, which went to 2.9.13. 
Therefore, this issue is fixed in 2.10.4.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","OSV-2021-765","https://osv.dev/OSV-2021-765","espeak-ng","","1.51.1","1.51.1","1.51.1","espeak-ng","2021A0000000765","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","OSV-2021-508","https://osv.dev/OSV-2021-508","libsass","","3.6.5","3.6.5","3.6.5","libsass","2021A0000000508","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","GHSA-f698-m2v9-5fh3","https://osv.dev/GHSA-f698-m2v9-5fh3","opencv","","4.7.0","","","","2020A1598832000","True","Incorrect package: issue refers node-opencv https://www.npmjs.com/package/opencv, whereas nixpkgs refers https://github.com/opencv/opencv.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2020-24490","https://nvd.nist.gov/vuln/detail/CVE-2020-24490","bluez","6.5","5.66","","","","2020A0000024490","True","Fixed in linux kernel (5.8) with: https://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next.git/commit/?id=a2ec905d1e160a33b2e210e45ad30445ef26ce0e.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2020-18781","https://nvd.nist.gov/vuln/detail/CVE-2020-18781","audiofile","5.5","0.3.6","0.3.6","0.3.6","audiofile","2020A0000018781","False","","fix_not_available","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2020-16194","https://nvd.nist.gov/vuln/detail/CVE-2020-16194","quote","5.3","1.0.21","","","","2020A0000016194","True","Incorrect package: Issue concerns prestashop 
product: https://prestashop.com/, whereas, nixpkgs ""quote"" refers rust package 'quote': https://docs.rs/quote/latest/quote/.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2020-16194","https://nvd.nist.gov/vuln/detail/CVE-2020-16194","quote","5.3","1.0.20","","","","2020A0000016194","True","Incorrect package: Issue concerns prestashop product: https://prestashop.com/, whereas, nixpkgs ""quote"" refers rust package 'quote': https://docs.rs/quote/latest/quote/.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2020-2136","https://nvd.nist.gov/vuln/detail/CVE-2020-2136","git","5.4","2.40.1","2.42.0","2.42.1","git","2020A0000002136","False","","err_not_vulnerable_based_on_repology","https://github.com/NixOS/nixpkgs/pull/82872 +https://github.com/NixOS/nixpkgs/pull/84664" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","OSV-2020-1610","https://osv.dev/OSV-2020-1610","openexr","","2.5.8","3.2.0","3.2.1","openexr","2020A0000001610","False","","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","OSV-2020-1420","https://osv.dev/OSV-2020-1420","libsass","","3.6.5","3.6.5","3.6.5","libsass","2020A0000001420","False","","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","OSV-2020-862","https://osv.dev/OSV-2020-862","libsass","","3.6.5","3.6.5","3.6.5","libsass","2020A0000000862","False","","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","OSV-2020-822","https://osv.dev/OSV-2020-822","jbig2dec","","0.19","0.19","0.20","jbig2dec","2020A0000000822","False","","err_not_vulnerable_based_on_repology","" 
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","OSV-2020-521","https://osv.dev/OSV-2020-521","aspell","","0.60.8","0.60.8","0.60.8","aspell","2020A0000000521","False","","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","OSV-2020-438","https://osv.dev/OSV-2020-438","capstone","","4.0.2","4.0.2","5.0.1","capstone","2020A0000000438","False","","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","OSV-2020-438","https://osv.dev/OSV-2020-438","capstone","","4.0.2","4.0.2","5.0.1","python:capstone","2020A0000000438","False","","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2019-1003010","https://nvd.nist.gov/vuln/detail/CVE-2019-1003010","git","4.3","2.40.1","","","","2019A0001003010","True","Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2019-20633","https://nvd.nist.gov/vuln/detail/CVE-2019-20633","patch","5.5","2.7.6","","","","2019A0000020633","True","Upstream patch is not merged: https://savannah.gnu.org/bugs/index.php?56683. Not sure why this isn't fixed upstream. 
No point fixing this in nixpkgs as long as it is not fixed upstream.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2019-14900","https://nvd.nist.gov/vuln/detail/CVE-2019-14900","fuse","6.5","3.11.0","","","","2019A0000014900","True","Incorrect package: Issue concerns redhat fuse (https://developers.redhat.com/products/fuse/overview) not libfuse https://github.com/libfuse/libfuse/ which is what 'fuse' package in nixpkgs refers. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2019-14900","https://nvd.nist.gov/vuln/detail/CVE-2019-14900","fuse","6.5","2.9.9-closefrom-glibc-2-34.patch?id=8a970396fca7aca2d5a761b8e7a8242f1eef14c9","","","","2019A0000014900","True","Incorrect package: Issue concerns redhat fuse (https://developers.redhat.com/products/fuse/overview) not libfuse https://github.com/libfuse/libfuse/ which is what 'fuse' package in nixpkgs refers. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2019-14900","https://nvd.nist.gov/vuln/detail/CVE-2019-14900","fuse","6.5","2.9.9","","","","2019A0000014900","True","Incorrect package: Issue concerns redhat fuse (https://developers.redhat.com/products/fuse/overview) not libfuse https://github.com/libfuse/libfuse/ which is what 'fuse' package in nixpkgs refers. 
Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2019-14860","https://nvd.nist.gov/vuln/detail/CVE-2019-14860","fuse","6.5","3.11.0","","","","2019A0000014860","True","Incorrect package: Issue concerns redhat fuse (https://developers.redhat.com/products/fuse/overview) not libfuse https://github.com/libfuse/libfuse/ which is what 'fuse' package in nixpkgs refers. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2019-14860","https://nvd.nist.gov/vuln/detail/CVE-2019-14860","fuse","6.5","2.9.9-closefrom-glibc-2-34.patch?id=8a970396fca7aca2d5a761b8e7a8242f1eef14c9","","","","2019A0000014860","True","Incorrect package: Issue concerns redhat fuse (https://developers.redhat.com/products/fuse/overview) not libfuse https://github.com/libfuse/libfuse/ which is what 'fuse' package in nixpkgs refers. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2019-14860","https://nvd.nist.gov/vuln/detail/CVE-2019-14860","fuse","6.5","2.9.9","","","","2019A0000014860","True","Incorrect package: Issue concerns redhat fuse (https://developers.redhat.com/products/fuse/overview) not libfuse https://github.com/libfuse/libfuse/ which is what 'fuse' package in nixpkgs refers. 
Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2019-14587","https://nvd.nist.gov/vuln/detail/CVE-2019-14587","edk2","6.5","202211","","","","2019A0000014587","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2019-14586","https://nvd.nist.gov/vuln/detail/CVE-2019-14586","edk2","8","202211","","","","2019A0000014586","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2019-14575","https://nvd.nist.gov/vuln/detail/CVE-2019-14575","edk2","7.8","202211","","","","2019A0000014575","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2019-14563","https://nvd.nist.gov/vuln/detail/CVE-2019-14563","edk2","7.8","202211","","","","2019A0000014563","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2019-14562","https://nvd.nist.gov/vuln/detail/CVE-2019-14562","edk2","5.5","202211","","","","2019A0000014562","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" 
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2019-14559","https://nvd.nist.gov/vuln/detail/CVE-2019-14559","edk2","7.5","202211","","","","2019A0000014559","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2019-14553","https://nvd.nist.gov/vuln/detail/CVE-2019-14553","edk2","4.9","202211","","","","2019A0000014553","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2019-12749","https://nvd.nist.gov/vuln/detail/CVE-2019-12749","dbus","7.1","1","","","","2019A0000012749","True","Fixed with https://github.com/NixOS/nixpkgs/pull/63021 (dbus version '1' in nixpkgs currently refers 1.14.8).","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2019-12067","https://nvd.nist.gov/vuln/detail/CVE-2019-12067","qemu","6.5","8.0.4","","","","2019A0000012067","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2019-6470","https://nvd.nist.gov/vuln/detail/CVE-2019-6470","bind","7.5","9.18.16","","","","2019A0000006470","True","Not valid: https://github.com/NixOS/nixpkgs/issues/73617#issuecomment-569491606.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2019-6462","https://nvd.nist.gov/vuln/detail/CVE-2019-6462","cairo","6.5","1.16.0","","","","2019A0000006462","True","Not a valid: https://github.com/NixOS/nixpkgs/pull/218039#issuecomment-1445460129.","err_missing_repology_version","" 
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2019-6461","https://nvd.nist.gov/vuln/detail/CVE-2019-6461","cairo","6.5","1.16.0","","","","2019A0000006461","True","Not valid: https://github.com/NixOS/nixpkgs/pull/218039#issuecomment-1445460129.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2019-6293","https://nvd.nist.gov/vuln/detail/CVE-2019-6293","flex","5.5","2.6.4","","","","2019A0000006293","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2018-1000182","https://nvd.nist.gov/vuln/detail/CVE-2018-1000182","git","6.4","2.40.1","","","","2018A0001000182","True","Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2018-1000110","https://nvd.nist.gov/vuln/detail/CVE-2018-1000110","git","5.3","2.40.1","","","","2018A0001000110","True","Incorrect package: Impacts Jenkins git plugin, not git. 
Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2018-18438","https://nvd.nist.gov/vuln/detail/CVE-2018-18438","qemu","5.5","8.0.4","","","","2018A0000018438","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2018-13410","https://nvd.nist.gov/vuln/detail/CVE-2018-13410","zip","9.8","3.0","","","","2018A0000013410","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2018-7263","https://nvd.nist.gov/vuln/detail/CVE-2018-7263","libmad","9.8","0.15.1b","","","","2018A0000007263","True","Based on https://github.com/NixOS/nixpkgs/issues/57154, issue is fixed by https://github.com/NixOS/nixpkgs/commit/92edb0610923fab5a9dcc59b94652f1e8a5ea1ed.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2018-6553","https://nvd.nist.gov/vuln/detail/CVE-2018-6553","cups","8.8","2.4.6","","","","2018A0000006553","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2017-5628","https://nvd.nist.gov/vuln/detail/CVE-2017-5628","mujs","7.8","1.3.3","","","","2017A0000005628","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" 
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2017-5627","https://nvd.nist.gov/vuln/detail/CVE-2017-5627","mujs","7.8","1.3.3","","","","2017A0000005627","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2017-5436","https://nvd.nist.gov/vuln/detail/CVE-2017-5436","graphite2","8.8","1.3.14","","","","2017A0000005436","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2016-10141","https://nvd.nist.gov/vuln/detail/CVE-2016-10141","mujs","9.8","1.3.3","","","","2016A0000010141","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2016-10133","https://nvd.nist.gov/vuln/detail/CVE-2016-10133","mujs","9.8","1.3.3","","","","2016A0000010133","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2016-10132","https://nvd.nist.gov/vuln/detail/CVE-2016-10132","mujs","7.5","1.3.3","","","","2016A0000010132","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2016-9294","https://nvd.nist.gov/vuln/detail/CVE-2016-9294","mujs","7.5","1.3.3","","","","2016A0000009294","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" 
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2016-9136","https://nvd.nist.gov/vuln/detail/CVE-2016-9136","mujs","7.5","1.3.3","","","","2016A0000009136","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2016-9109","https://nvd.nist.gov/vuln/detail/CVE-2016-9109","mujs","7.5","1.3.3","","","","2016A0000009109","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2016-9108","https://nvd.nist.gov/vuln/detail/CVE-2016-9108","mujs","7.5","1.3.3","","","","2016A0000009108","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2016-9017","https://nvd.nist.gov/vuln/detail/CVE-2016-9017","mujs","7.5","1.3.3","","","","2016A0000009017","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2016-7564","https://nvd.nist.gov/vuln/detail/CVE-2016-7564","mujs","7.5","1.3.3","","","","2016A0000007564","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2016-7563","https://nvd.nist.gov/vuln/detail/CVE-2016-7563","mujs","7.5","1.3.3","","","","2016A0000007563","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" 
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2016-7506","https://nvd.nist.gov/vuln/detail/CVE-2016-7506","mujs","7.5","1.3.3","","","","2016A0000007506","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2016-7504","https://nvd.nist.gov/vuln/detail/CVE-2016-7504","mujs","9.8","1.3.3","","","","2016A0000007504","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2016-6131","https://nvd.nist.gov/vuln/detail/CVE-2016-6131","libiberty","7.5","12.2.0","","","","2016A0000006131","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2016-4493","https://nvd.nist.gov/vuln/detail/CVE-2016-4493","libiberty","5.5","12.2.0","","","","2016A0000004493","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2016-4492","https://nvd.nist.gov/vuln/detail/CVE-2016-4492","libiberty","4.4","12.2.0","","","","2016A0000004492","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2016-4491","https://nvd.nist.gov/vuln/detail/CVE-2016-4491","libiberty","5.5","12.2.0","","","","2016A0000004491","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" 
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2016-4490","https://nvd.nist.gov/vuln/detail/CVE-2016-4490","libiberty","5.5","12.2.0","","","","2016A0000004490","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2016-4489","https://nvd.nist.gov/vuln/detail/CVE-2016-4489","libiberty","5.5","12.2.0","","","","2016A0000004489","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2016-4488","https://nvd.nist.gov/vuln/detail/CVE-2016-4488","libiberty","5.5","12.2.0","","","","2016A0000004488","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2016-4487","https://nvd.nist.gov/vuln/detail/CVE-2016-4487","libiberty","5.5","12.2.0","","","","2016A0000004487","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2016-2781","https://nvd.nist.gov/vuln/detail/CVE-2016-2781","coreutils","6.5","9.1","","","","2016A0000002781","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2016-2226","https://nvd.nist.gov/vuln/detail/CVE-2016-2226","libiberty","7.8","12.2.0","","","","2016A0000002226","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" 
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2015-7313","https://nvd.nist.gov/vuln/detail/CVE-2015-7313","libtiff","5.5","4.5.1","","","","2015A0000007313","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2014-9157","https://nvd.nist.gov/vuln/detail/CVE-2014-9157","graphviz","","7.1.0","","","","2014A0000009157","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2014-4860","https://nvd.nist.gov/vuln/detail/CVE-2014-4860","edk2","6.8","202211","","","","2014A0000004860","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2014-4859","https://nvd.nist.gov/vuln/detail/CVE-2014-4859","edk2","6.8","202211","","","","2014A0000004859","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2012-3509","https://nvd.nist.gov/vuln/detail/CVE-2012-3509","libiberty","","12.2.0","","","","2012A0000003509","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","current","CVE-2010-4226","https://nvd.nist.gov/vuln/detail/CVE-2010-4226","cpio","","2.14","","","","2010A0000004226","True","NVD data issue: concerns OpenSuSE, not cpio.","err_missing_repology_version","" 
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","GHSA-6898-wx94-8jq8","https://osv.dev/GHSA-6898-wx94-8jq8","libnotify","","0.8.2","","","","2023A1694131200","True","Incorrect package: Issue refers node-libnotify https://github.com/mytrile/node-libnotify, whereas nixpkgs refers gnome-libnotify https://gitlab.gnome.org/GNOME/libnotify.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","GHSA-wrrj-h57r-vx9p","https://osv.dev/GHSA-wrrj-h57r-vx9p","cargo","","1.69.0","","","","2023A1692835200","True","Duplicate to CVE-2023-40030.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","GHSA-w596-4wvx-j9j6","https://osv.dev/GHSA-w596-4wvx-j9j6","py","","1.11.0","1.11.0","1.11.0","python:py","2023A1691452800","False","","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2023-46407","https://nvd.nist.gov/vuln/detail/CVE-2023-46407","ffmpeg","5.5","5.1.3","6.0","6.0","ffmpeg","2023A0000046407","False","","fix_not_available","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2023-46407","https://nvd.nist.gov/vuln/detail/CVE-2023-46407","ffmpeg","5.5","4.4.4","6.0","6.0","ffmpeg","2023A0000046407","False","","fix_not_available","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2023-46246","https://nvd.nist.gov/vuln/detail/CVE-2023-46246","vim","5.5","9.0.1441","9.0.1897","9.0.2092","vim","2023A0000046246","False","","fix_update_to_version_upstream","" 
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2023-45853","https://nvd.nist.gov/vuln/detail/CVE-2023-45853","zlib","9.8","1.2.13","1.3","1.3","zlib","2023A0000045853","False","","fix_not_available","https://github.com/NixOS/nixpkgs/pull/262722 +https://github.com/NixOS/nixpkgs/pull/263083" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2023-45322","https://nvd.nist.gov/vuln/detail/CVE-2023-45322","libxml2","6.5","2.10.4","2.11.5","2.11.5","libxml2","2023A0000045322","False","","fix_not_available","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2023-44487","https://nvd.nist.gov/vuln/detail/CVE-2023-44487","nghttp2","7.5","1.51.0","1.57.0","1.58.0","nghttp2","2023A0000044487","False","","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/259329 +https://github.com/NixOS/nixpkgs/pull/262022 +https://github.com/NixOS/nixpkgs/pull/262713 +https://github.com/NixOS/nixpkgs/pull/262718 +https://github.com/NixOS/nixpkgs/pull/262738" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2023-44487","https://nvd.nist.gov/vuln/detail/CVE-2023-44487","go","7.5","1.20.8","1.21.3","1.21.4","go","2023A0000044487","False","","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/259329 +https://github.com/NixOS/nixpkgs/pull/262022 +https://github.com/NixOS/nixpkgs/pull/262713 +https://github.com/NixOS/nixpkgs/pull/262718 +https://github.com/NixOS/nixpkgs/pull/262738" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2023-44487","https://nvd.nist.gov/vuln/detail/CVE-2023-44487","go","7.5","1.17.13-linux-amd64-bootstrap","1.21.3","1.21.4","go","2023A0000044487","False","","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/259329 
+https://github.com/NixOS/nixpkgs/pull/262022 +https://github.com/NixOS/nixpkgs/pull/262713 +https://github.com/NixOS/nixpkgs/pull/262718 +https://github.com/NixOS/nixpkgs/pull/262738" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2023-41330","https://nvd.nist.gov/vuln/detail/CVE-2023-41330","snappy","9.8","1.1.10","","","","2023A0000041330","True","Incorrect package: Issue concerns snappy php library: https://github.com/KnpLabs/snappy, whereas, nixpkgs ""snappy"" refers snappy compression library: https://google.github.io/snappy/. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2023-41175","https://nvd.nist.gov/vuln/detail/CVE-2023-41175","libtiff","6.5","4.5.1","4.5.1","4.6.0","tiff","2023A0000041175","False","","fix_update_to_version_upstream","https://github.com/NixOS/nixpkgs/pull/261791 +https://github.com/NixOS/nixpkgs/pull/264613" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2023-40745","https://nvd.nist.gov/vuln/detail/CVE-2023-40745","libtiff","6.5","4.5.1","4.5.1","4.6.0","tiff","2023A0000040745","False","","fix_update_to_version_upstream","https://github.com/NixOS/nixpkgs/pull/261791 +https://github.com/NixOS/nixpkgs/pull/264613" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2023-39742","https://nvd.nist.gov/vuln/detail/CVE-2023-39742","giflib","5.5","5.2.1","5.2.1","5.2.1","giflib","2023A0000039742","False","","fix_not_available","" 
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2023-39325","https://nvd.nist.gov/vuln/detail/CVE-2023-39325","go","7.5","1.20.8","1.21.3","1.21.4","go","2023A0000039325","False","","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/259329 +https://github.com/NixOS/nixpkgs/pull/262713 +https://github.com/NixOS/nixpkgs/pull/266176" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2023-39323","https://nvd.nist.gov/vuln/detail/CVE-2023-39323","go","9.8","1.20.8","1.21.3","1.21.4","go","2023A0000039323","False","","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/259329 +https://github.com/NixOS/nixpkgs/pull/266176" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2023-39323","https://nvd.nist.gov/vuln/detail/CVE-2023-39323","go","9.8","1.17.13-linux-amd64-bootstrap","1.21.3","1.21.4","go","2023A0000039323","False","","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/259329 +https://github.com/NixOS/nixpkgs/pull/266176" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2023-39319","https://nvd.nist.gov/vuln/detail/CVE-2023-39319","go","6.1","1.17.13-linux-amd64-bootstrap","1.21.3","1.21.4","go","2023A0000039319","False","","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/259329 +https://github.com/NixOS/nixpkgs/pull/266176" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2023-39318","https://nvd.nist.gov/vuln/detail/CVE-2023-39318","go","6.1","1.17.13-linux-amd64-bootstrap","1.21.3","1.21.4","go","2023A0000039318","False","","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/259329 +https://github.com/NixOS/nixpkgs/pull/266176" 
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2023-38858","https://nvd.nist.gov/vuln/detail/CVE-2023-38858","faad2","6.5","2.10.1","2.10.1","2.11.0","faad2","2023A0000038858","False","","fix_update_to_version_upstream","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2023-38857","https://nvd.nist.gov/vuln/detail/CVE-2023-38857","faad2","5.5","2.10.1","2.10.1","2.11.0","faad2","2023A0000038857","False","","fix_update_to_version_upstream","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2023-37769","https://nvd.nist.gov/vuln/detail/CVE-2023-37769","pixman","6.5","0.42.2","0.42.2","0.42.2","pixman","2023A0000037769","False","See: https://gitlab.freedesktop.org/pixman/pixman/-/issues/76: ""This somehow got assigned CVE-2023-37769, not sure why NVD keeps assigning CVEs like this. This is just a test executable"".","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2023-35945","https://nvd.nist.gov/vuln/detail/CVE-2023-35945","nghttp2","7.5","1.51.0","1.57.0","1.58.0","nghttp2","2023A0000035945","False","","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/219712 +https://github.com/NixOS/nixpkgs/pull/246068 +https://github.com/NixOS/nixpkgs/pull/265047" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2023-31975","https://nvd.nist.gov/vuln/detail/CVE-2023-31975","yasm","3.3","1.3.0","","","","2023A0000031975","True","Memory leak in CLI tool, no security impact.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2023-31974","https://nvd.nist.gov/vuln/detail/CVE-2023-31974","yasm","5.5","1.3.0","","","","2023A0000031974","True","Crash in CLI tool, 
no security impact.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2023-31973","https://nvd.nist.gov/vuln/detail/CVE-2023-31973","yasm","5.5","1.3.0","","","","2023A0000031973","True","Crash in CLI tool, no security impact.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2023-31972","https://nvd.nist.gov/vuln/detail/CVE-2023-31972","yasm","5.5","1.3.0","","","","2023A0000031972","True","Crash in CLI tool, no security impact.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2023-31486","https://nvd.nist.gov/vuln/detail/CVE-2023-31486","perl","8.1","5.36.0-env","","","","2023A0000031486","True","Fixed upstream with https://github.com/chansen/p5-http-tiny/pull/153 and nixpkgs patched the issue already in 08/2022 with https://github.com/NixOS/nixpkgs/pull/187480.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2023-31486","https://nvd.nist.gov/vuln/detail/CVE-2023-31486","perl","8.1","5.36.0","","","","2023A0000031486","True","Fixed upstream with https://github.com/chansen/p5-http-tiny/pull/153 and nixpkgs patched the issue already in 08/2022 with https://github.com/NixOS/nixpkgs/pull/187480.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2023-31484","https://nvd.nist.gov/vuln/detail/CVE-2023-31484","perl","8.1","5.36.0-env","5.38.0","5.38.0","perl","2023A0000031484","False","","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/241848 +https://github.com/NixOS/nixpkgs/pull/247547 +https://github.com/NixOS/nixpkgs/pull/256402" 
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2023-31484","https://nvd.nist.gov/vuln/detail/CVE-2023-31484","perl","8.1","5.36.0","5.38.0","5.38.0","perl","2023A0000031484","False","","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/241848 +https://github.com/NixOS/nixpkgs/pull/247547 +https://github.com/NixOS/nixpkgs/pull/256402" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2023-30571","https://nvd.nist.gov/vuln/detail/CVE-2023-30571","libarchive","5.3","3.6.2","3.7.2","3.7.2","libarchive","2023A0000030571","False","No upstream fix available, see: https://github.com/libarchive/libarchive/issues/1876.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/244713 +https://github.com/NixOS/nixpkgs/pull/256930" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2023-30402","https://nvd.nist.gov/vuln/detail/CVE-2023-30402","yasm","5.5","1.3.0","","","","2023A0000030402","True","Crash in CLI tool, no security impact.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2023-29409","https://nvd.nist.gov/vuln/detail/CVE-2023-29409","go","5.3","1.17.13-linux-amd64-bootstrap","1.21.3","1.21.4","go","2023A0000029409","False","See: https://github.com/golang/go/issues/61580, fixed by update to go 1.20.7: nixpkgs PR https://github.com/NixOS/nixpkgs/pull/246663.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/247034 +https://github.com/NixOS/nixpkgs/pull/259329 +https://github.com/NixOS/nixpkgs/pull/266176" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2023-29406","https://nvd.nist.gov/vuln/detail/CVE-2023-29406","go","6.5","1.17.13-linux-amd64-bootstrap","","","","2023A0000029406","True","See the discussion 
in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2023-29405","https://nvd.nist.gov/vuln/detail/CVE-2023-29405","go","9.8","1.17.13-linux-amd64-bootstrap","","","","2023A0000029405","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2023-29404","https://nvd.nist.gov/vuln/detail/CVE-2023-29404","go","9.8","1.17.13-linux-amd64-bootstrap","","","","2023A0000029404","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2023-29403","https://nvd.nist.gov/vuln/detail/CVE-2023-29403","go","7.8","1.17.13-linux-amd64-bootstrap","","","","2023A0000029403","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2023-29402","https://nvd.nist.gov/vuln/detail/CVE-2023-29402","go","9.8","1.17.13-linux-amd64-bootstrap","","","","2023A0000029402","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2023-29400","https://nvd.nist.gov/vuln/detail/CVE-2023-29400","go","7.3","1.17.13-linux-amd64-bootstrap","","","","2023A0000029400","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version","" 
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2023-29383","https://nvd.nist.gov/vuln/detail/CVE-2023-29383","shadow","3.3","4.13","4.14.0","4.14.2","shadow","2023A0000029383","False","Pending merge for nixpkgs master PR: https://github.com/NixOS/nixpkgs/pull/233924. TODO: consider taking the upstream version update to 4.14 instead: https://github.com/shadow-maint/shadow/releases.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/254143 +https://github.com/NixOS/nixpkgs/pull/259826" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2023-28322","https://nvd.nist.gov/vuln/detail/CVE-2023-28322","curl","3.7","0.4.44","","","","2023A0000028322","False","","err_missing_repology_version","https://github.com/NixOS/nixpkgs/pull/232531 +https://github.com/NixOS/nixpkgs/pull/232535" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2023-28321","https://nvd.nist.gov/vuln/detail/CVE-2023-28321","curl","5.9","0.4.44","","","","2023A0000028321","False","","err_missing_repology_version","https://github.com/NixOS/nixpkgs/pull/232531 +https://github.com/NixOS/nixpkgs/pull/232535" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2023-28320","https://nvd.nist.gov/vuln/detail/CVE-2023-28320","curl","5.9","0.4.44","","","","2023A0000028320","False","","err_missing_repology_version","https://github.com/NixOS/nixpkgs/pull/232531 +https://github.com/NixOS/nixpkgs/pull/232535" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2023-28319","https://nvd.nist.gov/vuln/detail/CVE-2023-28319","curl","7.5","0.4.44","","","","2023A0000028319","False","","err_missing_repology_version","https://github.com/NixOS/nixpkgs/pull/232531" 
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2023-28115","https://nvd.nist.gov/vuln/detail/CVE-2023-28115","snappy","9.8","1.1.10","","","","2023A0000028115","True","Incorrect package: Issue concerns snappy php library: https://github.com/KnpLabs/snappy, whereas, nixpkgs ""snappy"" refers snappy compression library: https://google.github.io/snappy/. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2023-25588","https://nvd.nist.gov/vuln/detail/CVE-2023-25588","binutils","5.5","2.40","2.40","2.41","binutils","2023A0000025588","False","","fix_update_to_version_upstream","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2023-25586","https://nvd.nist.gov/vuln/detail/CVE-2023-25586","binutils","5.5","2.40","2.40","2.41","binutils","2023A0000025586","False","","fix_update_to_version_upstream","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2023-25585","https://nvd.nist.gov/vuln/detail/CVE-2023-25585","binutils","5.5","2.40","2.40","2.41","binutils","2023A0000025585","False","","fix_update_to_version_upstream","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2023-25584","https://nvd.nist.gov/vuln/detail/CVE-2023-25584","binutils","7.1","2.40","2.40","2.41","binutils","2023A0000025584","False","","err_not_vulnerable_based_on_repology","" 
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2023-24540","https://nvd.nist.gov/vuln/detail/CVE-2023-24540","go","9.8","1.17.13-linux-amd64-bootstrap","","","","2023A0000024540","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2023-24539","https://nvd.nist.gov/vuln/detail/CVE-2023-24539","go","7.3","1.17.13-linux-amd64-bootstrap","","","","2023A0000024539","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2023-24538","https://nvd.nist.gov/vuln/detail/CVE-2023-24538","go","9.8","1.17.13-linux-amd64-bootstrap","","","","2023A0000024538","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2023-24537","https://nvd.nist.gov/vuln/detail/CVE-2023-24537","go","7.5","1.17.13-linux-amd64-bootstrap","","","","2023A0000024537","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2023-24536","https://nvd.nist.gov/vuln/detail/CVE-2023-24536","go","7.5","1.17.13-linux-amd64-bootstrap","","","","2023A0000024536","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2023-24534","https://nvd.nist.gov/vuln/detail/CVE-2023-24534","go","7.5","1.17.13-linux-amd64-bootstrap","","","","2023A0000024534","True","See the 
discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2023-24532","https://nvd.nist.gov/vuln/detail/CVE-2023-24532","go","5.3","1.17.13-linux-amd64-bootstrap","","","","2023A0000024532","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2023-5752","https://nvd.nist.gov/vuln/detail/CVE-2023-5752","pip","3.3","23.0.1-source","23.2.1","23.3.1","pip","2023A0000005752","False","","fix_update_to_version_upstream","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2023-5535","https://nvd.nist.gov/vuln/detail/CVE-2023-5535","vim","7.8","9.0.1441","9.0.1897","9.0.2092","vim","2023A0000005535","False","","fix_update_to_version_upstream","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2023-5441","https://nvd.nist.gov/vuln/detail/CVE-2023-5441","vim","5.5","9.0.1441","9.0.1897","9.0.2092","vim","2023A0000005441","False","","fix_update_to_version_upstream","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2023-5344","https://nvd.nist.gov/vuln/detail/CVE-2023-5344","vim","7.5","9.0.1441","9.0.1897","9.0.2092","vim","2023A0000005344","False","","fix_update_to_version_upstream","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2023-5217","https://nvd.nist.gov/vuln/detail/CVE-2023-5217","libvpx","8.8","1.13.1","1.13.1","1.13.1","libvpx","2023A0000005217","False","","err_not_vulnerable_based_on_repology","https://github.com/NixOS/nixpkgs/pull/259881 +https://github.com/NixOS/nixpkgs/pull/260189 +https://github.com/NixOS/nixpkgs/pull/261404 
+https://github.com/NixOS/nixpkgs/pull/262808 +https://github.com/NixOS/nixpkgs/pull/262812" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2023-5156","https://nvd.nist.gov/vuln/detail/CVE-2023-5156","glibc","7.5","2.37-45","","","","2023A0000005156","False","","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2023-4781","https://nvd.nist.gov/vuln/detail/CVE-2023-4781","vim","7.8","9.0.1441","9.0.1897","9.0.2092","vim","2023A0000004781","False","Backport nixpkgs PR https://github.com/NixOS/nixpkgs/pull/254666 to 23.05 once it's merged to unstable/staging.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/254666 +https://github.com/NixOS/nixpkgs/pull/261952" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2023-4752","https://nvd.nist.gov/vuln/detail/CVE-2023-4752","vim","7.8","9.0.1441","9.0.1897","9.0.2092","vim","2023A0000004752","False","Backport nixpkgs PR https://github.com/NixOS/nixpkgs/pull/254666 to 23.05 once it's merged to unstable/staging.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/254666 +https://github.com/NixOS/nixpkgs/pull/261952" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2023-4750","https://nvd.nist.gov/vuln/detail/CVE-2023-4750","vim","7.8","9.0.1441","9.0.1897","9.0.2092","vim","2023A0000004750","False","Backport nixpkgs PR https://github.com/NixOS/nixpkgs/pull/254666 to 23.05 once it's merged to unstable/staging.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/254666 +https://github.com/NixOS/nixpkgs/pull/261952" 
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2023-4738","https://nvd.nist.gov/vuln/detail/CVE-2023-4738","vim","7.8","9.0.1441","9.0.1897","9.0.2092","vim","2023A0000004738","False","Backport nixpkgs PR https://github.com/NixOS/nixpkgs/pull/254666 to 23.05 once it's merged to unstable/staging.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/254666 +https://github.com/NixOS/nixpkgs/pull/261952" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2023-4736","https://nvd.nist.gov/vuln/detail/CVE-2023-4736","vim","7.8","9.0.1441","9.0.1897","9.0.2092","vim","2023A0000004736","False","Backport nixpkgs PR https://github.com/NixOS/nixpkgs/pull/254666 to 23.05 once it's merged to unstable/staging.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/254666 +https://github.com/NixOS/nixpkgs/pull/261952" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2023-4735","https://nvd.nist.gov/vuln/detail/CVE-2023-4735","vim","7.8","9.0.1441","9.0.1897","9.0.2092","vim","2023A0000004735","False","Backport nixpkgs PR https://github.com/NixOS/nixpkgs/pull/254666 to 23.05 once it's merged to unstable/staging.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/254666 +https://github.com/NixOS/nixpkgs/pull/261952" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2023-4734","https://nvd.nist.gov/vuln/detail/CVE-2023-4734","vim","7.8","9.0.1441","9.0.1897","9.0.2092","vim","2023A0000004734","False","Backport nixpkgs PR https://github.com/NixOS/nixpkgs/pull/254666 to 23.05 once it's merged to unstable/staging.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/254666 +https://github.com/NixOS/nixpkgs/pull/261952" 
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2023-4733","https://nvd.nist.gov/vuln/detail/CVE-2023-4733","vim","7.8","9.0.1441","9.0.1897","9.0.2092","vim","2023A0000004733","False","Backport nixpkgs PR https://github.com/NixOS/nixpkgs/pull/254666 to 23.05 once it's merged to unstable/staging.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/254666 +https://github.com/NixOS/nixpkgs/pull/261952" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2023-4527","https://nvd.nist.gov/vuln/detail/CVE-2023-4527","glibc","6.5","2.37-45","","","","2023A0000004527","False","","err_missing_repology_version","https://github.com/NixOS/nixpkgs/pull/256887" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2023-4135","https://nvd.nist.gov/vuln/detail/CVE-2023-4135","qemu","6.5","8.0.5","8.1.2","8.1.2","qemu","2023A0000004135","False","Fixed upstream in 8.1.0.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/261753" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2023-4039","https://nvd.nist.gov/vuln/detail/CVE-2023-4039","gcc","4.8","12.2.0","12.3.0","13.2.0","gcc","2023A0000004039","False","","fix_not_available","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2023-4016","https://nvd.nist.gov/vuln/detail/CVE-2023-4016","procps","5.5","3.3.17","","","","2023A0000004016","False","See: https://gitlab.com/procps-ng/procps/-/issues/297. 
Notice: repology package name is procps-ng: https://repology.org/project/procps-ng/versions.","err_missing_repology_version","https://github.com/NixOS/nixpkgs/pull/256065 +https://github.com/NixOS/nixpkgs/pull/256150 +https://github.com/NixOS/nixpkgs/pull/264266" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2023-3603","https://nvd.nist.gov/vuln/detail/CVE-2023-3603","libssh","6.5","0.10.5","","","","2023A0000003603","True","Based on https://security-tracker.debian.org/tracker/CVE-2023-3603 and https://bugzilla.redhat.com/show_bug.cgi?id=2221791, vulnerable code is not present in 0.10.5 or any currently released version.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2023-3354","https://nvd.nist.gov/vuln/detail/CVE-2023-3354","qemu","7.5","8.0.5","8.1.2","8.1.2","qemu","2023A0000003354","False","Fixed in 8.0.4: https://gitlab.com/qemu-project/qemu/-/commit/5300472ec0990c61742d89b5eea1c1e6941f6d62. Nixpkgs PR: https://github.com/NixOS/nixpkgs/pull/251036.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/248659 +https://github.com/NixOS/nixpkgs/pull/261753" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2023-3180","https://nvd.nist.gov/vuln/detail/CVE-2023-3180","qemu","6.5","8.0.5","8.1.2","8.1.2","qemu","2023A0000003180","False","Fixed in 8.0.4: https://gitlab.com/qemu-project/qemu/-/commit/49f1e02bac166821c712534aaa775f50e1afe17f. 
Nixpkgs PR: https://github.com/NixOS/nixpkgs/pull/251036.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/248659 +https://github.com/NixOS/nixpkgs/pull/261753" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2023-3019","https://nvd.nist.gov/vuln/detail/CVE-2023-3019","qemu","6.5","8.0.5","8.1.2","8.1.2","qemu","2023A0000003019","False","Revisit when fixed upstream: https://lists.nongnu.org/archive/html/qemu-devel/2023-05/msg08310.html.","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2023-2680","https://nvd.nist.gov/vuln/detail/CVE-2023-2680","qemu","8.2","8.0.5","8.1.2","8.1.2","qemu","2023A0000002680","False","","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2023-2610","https://nvd.nist.gov/vuln/detail/CVE-2023-2610","vim","7.8","9.0.1441","9.0.1897","9.0.2092","vim","2023A0000002610","False","Backport nixpkgs PR https://github.com/NixOS/nixpkgs/pull/254666 to 23.05 once it's merged to unstable/staging.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/254666 +https://github.com/NixOS/nixpkgs/pull/261952" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2023-2609","https://nvd.nist.gov/vuln/detail/CVE-2023-2609","vim","5.5","9.0.1441","9.0.1897","9.0.2092","vim","2023A0000002609","False","Backport nixpkgs PR https://github.com/NixOS/nixpkgs/pull/254666 to 23.05 once it's merged to unstable/staging.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/254666 +https://github.com/NixOS/nixpkgs/pull/261952" 
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2023-2426","https://nvd.nist.gov/vuln/detail/CVE-2023-2426","vim","5.5","9.0.1441","9.0.1897","9.0.2092","vim","2023A0000002426","False","Backport nixpkgs PR https://github.com/NixOS/nixpkgs/pull/254666 to 23.05 once it's merged to unstable/staging.","fix_update_to_version_nixpkgs","https://github.com/NixOS/nixpkgs/pull/254666 +https://github.com/NixOS/nixpkgs/pull/261952" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2023-1386","https://nvd.nist.gov/vuln/detail/CVE-2023-1386","qemu","7.8","8.0.5","8.1.2","8.1.2","qemu","2023A0000001386","False","Revisit when fixed upstream: https://github.com/v9fs/linux/issues/29.","fix_not_available","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","OSV-2023-877","https://osv.dev/OSV-2023-877","libbpf","","1.2.0","1.2.2","1.2.2","libbpf","2023A0000000877","False","","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","OSV-2023-505","https://osv.dev/OSV-2023-505","file","","5.44","5.45","5.45","file","2023A0000000505","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","OSV-2023-390","https://osv.dev/OSV-2023-390","qemu","","8.0.5","8.1.2","8.1.2","qemu","2023A0000000390","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","OSV-2023-137","https://osv.dev/OSV-2023-137","harfbuzz","","7.2.0","","","","2023A0000000137","True","Based on https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=56510#c2, the issue is fixed in range 
https://github.com/harfbuzz/harfbuzz/compare/67e01c1292821e7b6fc2ab13acddb84ab41b2187...60841e26187576bff477c1a09ee2ffe544844abc all of which have been merged in 7.1.0.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2022-48434","https://nvd.nist.gov/vuln/detail/CVE-2022-48434","ffmpeg","8.1","4.4.4","","","","2022A0000048434","True","Scanners get confused by LTS release versions (non-linear version numbers). Upstream fix patch for 4.4.x is merged in 4.4.3 https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/d4b7b3c03ee2baf0166ce49dff17ec9beff684db.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2022-43552","https://nvd.nist.gov/vuln/detail/CVE-2022-43552","curl","5.9","0.4.44","","","","2022A0000043552","False","","err_missing_repology_version","https://github.com/NixOS/nixpkgs/pull/207158 +https://github.com/NixOS/nixpkgs/pull/207162 +https://github.com/NixOS/nixpkgs/pull/207165" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2022-43357","https://nvd.nist.gov/vuln/detail/CVE-2022-43357","sassc","7.5","3.6.2","3.6.2","3.6.2","sassc","2022A0000043357","False","","fix_not_available","https://github.com/NixOS/nixpkgs/pull/264177" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","PYSEC-2022-42969","https://osv.dev/PYSEC-2022-42969","py","","1.11.0","","","","2022A0000042969","True","Same as CVE-2022-42969.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2022-42969","https://nvd.nist.gov/vuln/detail/CVE-2022-42969","py","7.5","1.11.0","","","","2022A0000042969","True","Disputed upstream: https://github.com/pytest-dev/py/issues/287#issuecomment-1283567565.","err_missing_repology_version","" 
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2022-41725","https://nvd.nist.gov/vuln/detail/CVE-2022-41725","go","7.5","1.17.13-linux-amd64-bootstrap","","","","2022A0000041725","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2022-41724","https://nvd.nist.gov/vuln/detail/CVE-2022-41724","go","7.5","1.17.13-linux-amd64-bootstrap","","","","2022A0000041724","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2022-41723","https://nvd.nist.gov/vuln/detail/CVE-2022-41723","go","7.5","1.17.13-linux-amd64-bootstrap","","","","2022A0000041723","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2022-41722","https://nvd.nist.gov/vuln/detail/CVE-2022-41722","go","7.5","1.17.13-linux-amd64-bootstrap","","","","2022A0000041722","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2022-41720","https://nvd.nist.gov/vuln/detail/CVE-2022-41720","go","7.5","1.17.13-linux-amd64-bootstrap","","","","2022A0000041720","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2022-41717","https://nvd.nist.gov/vuln/detail/CVE-2022-41717","go","5.3","1.17.13-linux-amd64-bootstrap","","","","2022A0000041717","True","See the 
discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2022-41716","https://nvd.nist.gov/vuln/detail/CVE-2022-41716","go","7.5","1.17.13-linux-amd64-bootstrap","","","","2022A0000041716","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2022-41715","https://nvd.nist.gov/vuln/detail/CVE-2022-41715","go","7.5","1.17.13-linux-amd64-bootstrap","","","","2022A0000041715","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2022-38663","https://nvd.nist.gov/vuln/detail/CVE-2022-38663","git","6.5","2.40.1","","","","2022A0000038663","True","Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2022-37416","https://nvd.nist.gov/vuln/detail/CVE-2022-37416","libmpeg2","6.5","0.5.1","","","","2022A0000037416","True","NVD data issue: concerns Android only.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2022-36884","https://nvd.nist.gov/vuln/detail/CVE-2022-36884","git","5.3","2.40.1","","","","2022A0000036884","True","Incorrect package: Impacts Jenkins git plugin, not git. 
Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2022-36883","https://nvd.nist.gov/vuln/detail/CVE-2022-36883","git","7.5","2.40.1","","","","2022A0000036883","True","Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2022-36882","https://nvd.nist.gov/vuln/detail/CVE-2022-36882","git","8.8","2.40.1","","","","2022A0000036882","True","Incorrect package: Impacts Jenkins git plugin, not git. 
Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2022-36073","https://nvd.nist.gov/vuln/detail/CVE-2022-36073","rubygems","8.8","3.4.13","","","","2022A0000036073","True","Latest impacted version in 3.x is 3.0.4.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2022-35252","https://nvd.nist.gov/vuln/detail/CVE-2022-35252","curl","3.7","0.4.44","","","","2022A0000035252","False","","err_missing_repology_version","https://github.com/NixOS/nixpkgs/pull/189083 +https://github.com/NixOS/nixpkgs/pull/198730" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2022-32221","https://nvd.nist.gov/vuln/detail/CVE-2022-32221","curl","9.8","0.4.44","","","","2022A0000032221","False","","err_missing_repology_version","https://github.com/NixOS/nixpkgs/pull/198730" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2022-32206","https://nvd.nist.gov/vuln/detail/CVE-2022-32206","curl","6.5","0.4.44","","","","2022A0000032206","False","","err_missing_repology_version","https://github.com/NixOS/nixpkgs/pull/179314 +https://github.com/NixOS/nixpkgs/pull/180021" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2022-30949","https://nvd.nist.gov/vuln/detail/CVE-2022-30949","git","5.3","2.40.1","","","","2022A0000030949","True","Incorrect package: Impacts Jenkins git plugin, not git. 
Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2022-30947","https://nvd.nist.gov/vuln/detail/CVE-2022-30947","git","7.5","2.40.1","","","","2022A0000030947","True","Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2022-28321","https://nvd.nist.gov/vuln/detail/CVE-2022-28321","linux-pam","9.8","1.5.2","","","","2022A0000028321","True","Only impacts SUSE-specific patch version. 
Notice: repology package name is pam: https://repology.org/project/pam/versions.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2022-27782","https://nvd.nist.gov/vuln/detail/CVE-2022-27782","curl","7.5","0.4.44","","","","2022A0000027782","False","","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2022-27781","https://nvd.nist.gov/vuln/detail/CVE-2022-27781","curl","7.5","0.4.44","","","","2022A0000027781","False","","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2022-27776","https://nvd.nist.gov/vuln/detail/CVE-2022-27776","curl","6.5","0.4.44","","","","2022A0000027776","False","","err_missing_repology_version","https://github.com/NixOS/nixpkgs/pull/170654 +https://github.com/NixOS/nixpkgs/pull/170659" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2022-27664","https://nvd.nist.gov/vuln/detail/CVE-2022-27664","go","7.5","1.17.13-linux-amd64-bootstrap","","","","2022A0000027664","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2022-26691","https://nvd.nist.gov/vuln/detail/CVE-2022-26691","cups","6.7","2.4.7","","","","2022A0000026691","True","Fixed in nixpkgs with PR: https://github.com/NixOS/nixpkgs/pull/174898.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2022-26592","https://nvd.nist.gov/vuln/detail/CVE-2022-26592","libsass","8.8","3.6.5","","","","2022A0000026592","True","Pending upstream fix: https://github.com/sass/libsass/issues/3174.","err_missing_repology_version","" 
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","MAL-2022-4301","https://osv.dev/MAL-2022-4301","libidn2","","2.3.4","","","","2022A0000004301","True","Incorrect package: Issue refers npm libidn2, whereas, nixpkgs refers libidn2 https://gitlab.com/libidn/libidn2.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2022-3965","https://nvd.nist.gov/vuln/detail/CVE-2022-3965","ffmpeg","8.1","5.1.3","","","","2022A0000003965","True","Scanners get confused by LTS release versions (non-linear version numbers). Upstream fix patch for 5.1.x is merged in 5.1.3 https://github.com/FFmpeg/FFmpeg/commit/7c234248f859baa35e55c3dbbb7a359eae1c5257.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2022-3964","https://nvd.nist.gov/vuln/detail/CVE-2022-3964","ffmpeg","8.1","5.1.3","","","","2022A0000003964","True","Scanners get confused by LTS release versions (non-linear version numbers). Upstream fix patch for 4.4.x is merged in 4.4.4 https://github.com/FFmpeg/FFmpeg/commit/ad28b01a141703b831256b712e0613281b15fcf0.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2022-3964","https://nvd.nist.gov/vuln/detail/CVE-2022-3964","ffmpeg","8.1","4.4.4","","","","2022A0000003964","True","Scanners get confused by LTS release versions (non-linear version numbers). 
Upstream fix patch for 4.4.x is merged in 4.4.4 https://github.com/FFmpeg/FFmpeg/commit/ad28b01a141703b831256b712e0613281b15fcf0.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2022-3341","https://nvd.nist.gov/vuln/detail/CVE-2022-3341","ffmpeg","5.3","4.4.4","","","","2022A0000003341","True","Scanners get confused by LTS release versions (non-linear version numbers). Upstream fix patch for 4.4.x is merged in 4.4.4 https://github.com/FFmpeg/FFmpeg/commit/c513bd48039a718dabf6d7a829efb6732693c04b.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2022-3219","https://nvd.nist.gov/vuln/detail/CVE-2022-3219","gnupg","3.3","2.4.0","","","","2022A0000003219","True","Fix patch is not accepted upstream: https://dev.gnupg.org/D556.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2022-3109","https://nvd.nist.gov/vuln/detail/CVE-2022-3109","ffmpeg","7.5","4.4.4","","","","2022A0000003109","True","Scanners get confused by LTS release versions (non-linear version numbers). 
Upstream fix patch for 4.4.x is merged in 4.4.4 https://github.com/FFmpeg/FFmpeg/commit/4d82b7bac42c9d35d4f9f145a85e6cbc1fe914f2.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2022-2880","https://nvd.nist.gov/vuln/detail/CVE-2022-2880","go","7.5","1.17.13-linux-amd64-bootstrap","","","","2022A0000002880","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2022-2879","https://nvd.nist.gov/vuln/detail/CVE-2022-2879","go","7.5","1.17.13-linux-amd64-bootstrap","","","","2022A0000002879","True","See the discussion in: https://github.com/NixOS/nixpkgs/pull/241776.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","OSV-2022-1193","https://osv.dev/OSV-2022-1193","libarchive","","3.6.2","","","","2022A0000001193","True","Fixed based on https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=53594#c3.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","OSV-2022-908","https://osv.dev/OSV-2022-908","bluez","","5.66","5.66","5.70","bluez","2022A0000000908","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","OSV-2022-896","https://osv.dev/OSV-2022-896","libsass","","3.6.5","3.6.5","3.6.5","libsass","2022A0000000896","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","OSV-2022-859","https://osv.dev/OSV-2022-859","bluez","","5.66","5.66","5.70","bluez","2022A0000000859","False","Unclear if this is still 
valid.","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2022-0856","https://nvd.nist.gov/vuln/detail/CVE-2022-0856","libcaca","6.5","0.99.beta20","","","","2022A0000000856","True","Crash in CLI tool, no security impact.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","OSV-2022-842","https://osv.dev/OSV-2022-842","wolfssl","","5.5.4","","","","2022A0000000842","False","Unclear if this is still valid.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","OSV-2022-725","https://osv.dev/OSV-2022-725","libjxl","","0.8.2","0.8.2","0.8.2","libjxl","2022A0000000725","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","OSV-2022-608","https://osv.dev/OSV-2022-608","libjxl","","0.8.2","0.8.2","0.8.2","libjxl","2022A0000000608","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","OSV-2022-581","https://osv.dev/OSV-2022-581","qemu","","8.0.5","8.1.2","8.1.2","qemu","2022A0000000581","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","OSV-2022-530","https://osv.dev/OSV-2022-530","espeak-ng","","1.51.1","1.51.1","1.51.1","espeak-ng","2022A0000000530","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology","" 
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","OSV-2022-519","https://osv.dev/OSV-2022-519","espeak-ng","","1.51.1","1.51.1","1.51.1","espeak-ng","2022A0000000519","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","OSV-2022-462","https://osv.dev/OSV-2022-462","espeak-ng","","1.51.1","1.51.1","1.51.1","espeak-ng","2022A0000000462","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","OSV-2022-416","https://osv.dev/OSV-2022-416","openjpeg","","2.5.0","","","","2022A0000000416","True","Fixed based on https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47500#c2.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","OSV-2022-394","https://osv.dev/OSV-2022-394","opencv","","4.7.0","4.7.0","4.8.1","opencv","2022A0000000394","False","No attention from upstream: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47190.","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","OSV-2022-193","https://osv.dev/OSV-2022-193","w3m","","0.5.3+git20230121","0.5.3+git20230121","0.5.3+git20230121","w3m","2022A0000000193","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","OSV-2022-183","https://osv.dev/OSV-2022-183","binutils","","2.40","","","","2022A0000000183","True","Fixed based on https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=44864#c2.","err_missing_repology_version","" 
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","GHSA-mc7w-4cjf-c973","https://osv.dev/GHSA-mc7w-4cjf-c973","opencv","","4.7.0","","","","2021A1633564800","True","Incorrect package: Issue refers node-opencv, whereas, nixpkgs refers opencv https://github.com/opencv/opencv.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2021-46312","https://nvd.nist.gov/vuln/detail/CVE-2021-46312","djvulibre","6.5","3.5.28","3.5.28","3.5.28","djvulibre","2021A0000046312","False","","fix_not_available","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2021-46310","https://nvd.nist.gov/vuln/detail/CVE-2021-46310","djvulibre","6.5","3.5.28","3.5.28","3.5.28","djvulibre","2021A0000046310","False","","fix_not_available","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2021-39205","https://nvd.nist.gov/vuln/detail/CVE-2021-39205","jitsi-meet","6.1","1.0.6943","","","","2021A0000039205","True","Does not impact the version in nixpkgs as mentioned in https://github.com/NixOS/nixpkgs/issues/142979#issuecomment-964291845.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2021-33506","https://nvd.nist.gov/vuln/detail/CVE-2021-33506","jitsi-meet","7.5","1.0.6943","","","","2021A0000033506","True","Fixed in nixpkgs as mentioned in https://github.com/NixOS/nixpkgs/issues/132134#issuecomment-890319135.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2021-33468","https://nvd.nist.gov/vuln/detail/CVE-2021-33468","yasm","5.5","1.3.0","","","","2021A0000033468","True","Issue is not fixed upstream. 
Other distributions have triaged the issue as minor or 'no security impact'.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2021-33467","https://nvd.nist.gov/vuln/detail/CVE-2021-33467","yasm","5.5","1.3.0","","","","2021A0000033467","True","Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2021-33466","https://nvd.nist.gov/vuln/detail/CVE-2021-33466","yasm","5.5","1.3.0","","","","2021A0000033466","True","Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2021-33465","https://nvd.nist.gov/vuln/detail/CVE-2021-33465","yasm","5.5","1.3.0","","","","2021A0000033465","True","Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2021-33464","https://nvd.nist.gov/vuln/detail/CVE-2021-33464","yasm","5.5","1.3.0","","","","2021A0000033464","True","Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2021-33463","https://nvd.nist.gov/vuln/detail/CVE-2021-33463","yasm","5.5","1.3.0","","","","2021A0000033463","True","Issue is not fixed upstream. 
Other distributions have triaged the issue as minor or 'no security impact'.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2021-33462","https://nvd.nist.gov/vuln/detail/CVE-2021-33462","yasm","5.5","1.3.0","","","","2021A0000033462","True","Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2021-33461","https://nvd.nist.gov/vuln/detail/CVE-2021-33461","yasm","5.5","1.3.0","","","","2021A0000033461","True","Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2021-33460","https://nvd.nist.gov/vuln/detail/CVE-2021-33460","yasm","5.5","1.3.0","","","","2021A0000033460","True","Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2021-33459","https://nvd.nist.gov/vuln/detail/CVE-2021-33459","yasm","5.5","1.3.0","","","","2021A0000033459","True","Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2021-33458","https://nvd.nist.gov/vuln/detail/CVE-2021-33458","yasm","5.5","1.3.0","","","","2021A0000033458","True","Issue is not fixed upstream. 
Other distributions have triaged the issue as minor or 'no security impact'.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2021-33457","https://nvd.nist.gov/vuln/detail/CVE-2021-33457","yasm","5.5","1.3.0","","","","2021A0000033457","True","Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2021-33456","https://nvd.nist.gov/vuln/detail/CVE-2021-33456","yasm","5.5","1.3.0","","","","2021A0000033456","True","Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2021-33455","https://nvd.nist.gov/vuln/detail/CVE-2021-33455","yasm","5.5","1.3.0","","","","2021A0000033455","True","Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2021-33454","https://nvd.nist.gov/vuln/detail/CVE-2021-33454","yasm","5.5","1.3.0","","","","2021A0000033454","True","Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2021-30499","https://nvd.nist.gov/vuln/detail/CVE-2021-30499","libcaca","7.8","0.99.beta20","","","","2021A0000030499","True","NVD data issue: CPE entry does not correctly state the version numbers. 
Issue is fixed in v0.99.beta20: https://github.com/cacalabs/libcaca/releases/tag/v0.99.beta20.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2021-26945","https://nvd.nist.gov/vuln/detail/CVE-2021-26945","openexr","5.5","2.5.8","","","","2021A0000026945","True","Fix patch https://github.com/AcademySoftwareFoundation/openexr/pull/930/commits/b73ec53bd24ba116d7bf48ebdc868301c596706e modifies a file that is not available in openexr 2. Thus, the fix doesn't apply to 2.5.8.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2021-26720","https://nvd.nist.gov/vuln/detail/CVE-2021-26720","avahi","7.8","0.8","","","","2021A0000026720","True","False positive: issue refers avahi-daemon-check-dns.sh in the Debian avahi package. As such, the issue is specific to Debian and its derivatives.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2021-26260","https://nvd.nist.gov/vuln/detail/CVE-2021-26260","openexr","5.5","2.5.8","","","","2021A0000026260","True","False positive to the NVD data issue. Fixed in openexr 2.5.8. Upstream fix PR https://github.com/AcademySoftwareFoundation/openexr/commit/4212416433a230334cef0ac122cb8d722746035d which went to 2.5.5.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2021-23215","https://nvd.nist.gov/vuln/detail/CVE-2021-23215","openexr","5.5","2.5.8","","","","2021A0000023215","True","False positive to the NVD data issue. Fixed in openexr 2.5.8. 
Upstream fix PR https://github.com/AcademySoftwareFoundation/openexr/commit/4212416433a230334cef0ac122cb8d722746035d which went to 2.5.5.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2021-23169","https://nvd.nist.gov/vuln/detail/CVE-2021-23169","openexr","8.8","2.5.8","","","","2021A0000023169","True","False positive to the NVD data issue. Fixed in openexr 2.5.8. Upstream fix PR https://github.com/AcademySoftwareFoundation/openexr/pull/1040 which went to 2.5.7.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2021-21684","https://nvd.nist.gov/vuln/detail/CVE-2021-21684","git","6.1","2.40.1","","","","2021A0000021684","True","Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2021-20255","https://nvd.nist.gov/vuln/detail/CVE-2021-20255","qemu","5.5","8.0.5","","","","2021A0000020255","True","Upstream patch not merged: https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg06098.html. 
No point fixing this in nixpkgs as long as it is not fixed upstream.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2021-4336","https://nvd.nist.gov/vuln/detail/CVE-2021-4336","ninja","9.8","1.11.1","","","","2021A0000004336","True","Incorrect package: nixpkgs 'ninja' refers https://github.com/ninja-build/ninja, not https://github.com/ITRS-Group/monitor-ninja.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2021-4217","https://nvd.nist.gov/vuln/detail/CVE-2021-4217","unzip","3.3","6.0","","","","2021A0000004217","True","Ignored by other distribution as 'no security impact', e.g. Debian: https://security-tracker.debian.org/tracker/CVE-2021-4217.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2021-3605","https://nvd.nist.gov/vuln/detail/CVE-2021-3605","openexr","5.5","2.5.8","","","","2021A0000003605","True","False positive to the NVD data issue. Fixed in openexr 2.5.8. Upstream fix PR https://github.com/AcademySoftwareFoundation/openexr/pull/1040 which went to 2.5.7.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2021-3598","https://nvd.nist.gov/vuln/detail/CVE-2021-3598","openexr","5.5","2.5.8","","","","2021A0000003598","True","False positive to the NVD data issue. Fixed in openexr 2.5.8. 
Upstream fix PR https://github.com/AcademySoftwareFoundation/openexr/pull/1040 which went to 2.5.7.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","OSV-2021-1157","https://osv.dev/OSV-2021-1157","espeak-ng","","1.51.1","1.51.1","1.51.1","espeak-ng","2021A0000001157","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","OSV-2021-1141","https://osv.dev/OSV-2021-1141","espeak-ng","","1.51.1","1.51.1","1.51.1","espeak-ng","2021A0000001141","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","OSV-2021-1110","https://osv.dev/OSV-2021-1110","espeak-ng","","1.51.1","1.51.1","1.51.1","espeak-ng","2021A0000001110","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","OSV-2021-1041","https://osv.dev/OSV-2021-1041","espeak-ng","","1.51.1","1.51.1","1.51.1","espeak-ng","2021A0000001041","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","OSV-2021-1024","https://osv.dev/OSV-2021-1024","espeak-ng","","1.51.1","1.51.1","1.51.1","espeak-ng","2021A0000001024","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","OSV-2021-820","https://osv.dev/OSV-2021-820","qemu","","8.0.5","","","","2021A0000000820","True","Fixed based on https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=34831#c2.","err_missing_repology_version","" 
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","OSV-2021-802","https://osv.dev/OSV-2021-802","espeak-ng","","1.51.1","1.51.1","1.51.1","espeak-ng","2021A0000000802","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","OSV-2021-787","https://osv.dev/OSV-2021-787","espeak-ng","","1.51.1","1.51.1","1.51.1","espeak-ng","2021A0000000787","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","OSV-2021-777","https://osv.dev/OSV-2021-777","libxml2","","2.10.4","","","","2021A0000000777","True","Fixed by https://gitlab.gnome.org/GNOME/libxml2/-/commit/8f5ccada05ddd4a1ff8e399ad39fc7cd4bd33325, which went to 2.9.13. Therefore, this issue is fixed in 2.10.4.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","OSV-2021-765","https://osv.dev/OSV-2021-765","espeak-ng","","1.51.1","1.51.1","1.51.1","espeak-ng","2021A0000000765","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","OSV-2021-508","https://osv.dev/OSV-2021-508","libsass","","3.6.5","3.6.5","3.6.5","libsass","2021A0000000508","False","Unclear if this is still valid.","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","GHSA-f698-m2v9-5fh3","https://osv.dev/GHSA-f698-m2v9-5fh3","opencv","","4.7.0","","","","2020A1598832000","True","Incorrect package: issue refers node-opencv https://www.npmjs.com/package/opencv, whereas nixpkgs refers https://github.com/opencv/opencv.","err_missing_repology_version","" 
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2020-35669","https://nvd.nist.gov/vuln/detail/CVE-2020-35669","http","6.1","0.2.9","0.3-0","0.4","lua:http","2020A0000035669","False","","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2020-24490","https://nvd.nist.gov/vuln/detail/CVE-2020-24490","bluez","6.5","5.66","","","","2020A0000024490","True","Fixed in linux kernel (5.8) with: https://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next.git/commit/?id=a2ec905d1e160a33b2e210e45ad30445ef26ce0e.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2020-18781","https://nvd.nist.gov/vuln/detail/CVE-2020-18781","audiofile","5.5","0.3.6","0.3.6","0.3.6","audiofile","2020A0000018781","False","","fix_not_available","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2020-16194","https://nvd.nist.gov/vuln/detail/CVE-2020-16194","quote","5.3","1.0.33","","","","2020A0000016194","True","Incorrect package: Issue concerns prestashop product: https://prestashop.com/, whereas, nixpkgs ""quote"" refers rust package 'quote': https://docs.rs/quote/latest/quote/.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2020-16194","https://nvd.nist.gov/vuln/detail/CVE-2020-16194","quote","5.3","1.0.20","","","","2020A0000016194","True","Incorrect package: Issue concerns prestashop product: https://prestashop.com/, whereas, nixpkgs ""quote"" refers rust package 'quote': https://docs.rs/quote/latest/quote/.","err_missing_repology_version","" 
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2020-8284","https://nvd.nist.gov/vuln/detail/CVE-2020-8284","curl","3.7","0.4.44","","","","2020A0000008284","False","","err_missing_repology_version","https://github.com/NixOS/nixpkgs/pull/106452" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2020-2136","https://nvd.nist.gov/vuln/detail/CVE-2020-2136","git","5.4","2.40.1","2.42.0","2.42.1","git","2020A0000002136","False","","err_not_vulnerable_based_on_repology","https://github.com/NixOS/nixpkgs/pull/82872 +https://github.com/NixOS/nixpkgs/pull/84664" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","OSV-2020-1610","https://osv.dev/OSV-2020-1610","openexr","","2.5.8","3.2.0","3.2.1","openexr","2020A0000001610","False","","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","OSV-2020-1420","https://osv.dev/OSV-2020-1420","libsass","","3.6.5","3.6.5","3.6.5","libsass","2020A0000001420","False","","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","OSV-2020-862","https://osv.dev/OSV-2020-862","libsass","","3.6.5","3.6.5","3.6.5","libsass","2020A0000000862","False","","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","OSV-2020-822","https://osv.dev/OSV-2020-822","jbig2dec","","0.19","0.19","0.20","jbig2dec","2020A0000000822","False","","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","OSV-2020-521","https://osv.dev/OSV-2020-521","aspell","","0.60.8","0.60.8","0.60.8","aspell","2020A0000000521","False","","err_not_vulnerable_based_on_repology","" 
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","OSV-2020-438","https://osv.dev/OSV-2020-438","capstone","","4.0.2","4.0.2","5.0.1","capstone","2020A0000000438","False","","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","OSV-2020-438","https://osv.dev/OSV-2020-438","capstone","","4.0.2","4.0.2","5.0.1","python:capstone","2020A0000000438","False","","err_not_vulnerable_based_on_repology","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2019-1003010","https://nvd.nist.gov/vuln/detail/CVE-2019-1003010","git","4.3","2.40.1","","","","2019A0001003010","True","Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2019-20633","https://nvd.nist.gov/vuln/detail/CVE-2019-20633","patch","5.5","2.7.6","","","","2019A0000020633","True","Upstream patch is not merged: https://savannah.gnu.org/bugs/index.php?56683. Not sure why this isn't fixed upstream. No point fixing this in nixpkgs as long as it is not fixed upstream.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2019-14900","https://nvd.nist.gov/vuln/detail/CVE-2019-14900","fuse","6.5","3.11.0","","","","2019A0000014900","True","Incorrect package: Issue concerns redhat fuse (https://developers.redhat.com/products/fuse/overview) not libfuse https://github.com/libfuse/libfuse/ which is what 'fuse' package in nixpkgs refers. 
Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2019-14900","https://nvd.nist.gov/vuln/detail/CVE-2019-14900","fuse","6.5","2.9.9-closefrom-glibc-2-34.patch?id=8a970396fca7aca2d5a761b8e7a8242f1eef14c9","","","","2019A0000014900","True","Incorrect package: Issue concerns redhat fuse (https://developers.redhat.com/products/fuse/overview) not libfuse https://github.com/libfuse/libfuse/ which is what 'fuse' package in nixpkgs refers. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2019-14900","https://nvd.nist.gov/vuln/detail/CVE-2019-14900","fuse","6.5","2.9.9","","","","2019A0000014900","True","Incorrect package: Issue concerns redhat fuse (https://developers.redhat.com/products/fuse/overview) not libfuse https://github.com/libfuse/libfuse/ which is what 'fuse' package in nixpkgs refers. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2019-14860","https://nvd.nist.gov/vuln/detail/CVE-2019-14860","fuse","6.5","3.11.0","","","","2019A0000014860","True","Incorrect package: Issue concerns redhat fuse (https://developers.redhat.com/products/fuse/overview) not libfuse https://github.com/libfuse/libfuse/ which is what 'fuse' package in nixpkgs refers. 
Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2019-14860","https://nvd.nist.gov/vuln/detail/CVE-2019-14860","fuse","6.5","2.9.9-closefrom-glibc-2-34.patch?id=8a970396fca7aca2d5a761b8e7a8242f1eef14c9","","","","2019A0000014860","True","Incorrect package: Issue concerns redhat fuse (https://developers.redhat.com/products/fuse/overview) not libfuse https://github.com/libfuse/libfuse/ which is what 'fuse' package in nixpkgs refers. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2019-14860","https://nvd.nist.gov/vuln/detail/CVE-2019-14860","fuse","6.5","2.9.9","","","","2019A0000014860","True","Incorrect package: Issue concerns redhat fuse (https://developers.redhat.com/products/fuse/overview) not libfuse https://github.com/libfuse/libfuse/ which is what 'fuse' package in nixpkgs refers. 
Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2019-14587","https://nvd.nist.gov/vuln/detail/CVE-2019-14587","edk2","6.5","202211","","","","2019A0000014587","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2019-14586","https://nvd.nist.gov/vuln/detail/CVE-2019-14586","edk2","8","202211","","","","2019A0000014586","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2019-14575","https://nvd.nist.gov/vuln/detail/CVE-2019-14575","edk2","7.8","202211","","","","2019A0000014575","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2019-14563","https://nvd.nist.gov/vuln/detail/CVE-2019-14563","edk2","7.8","202211","","","","2019A0000014563","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2019-14562","https://nvd.nist.gov/vuln/detail/CVE-2019-14562","edk2","5.5","202211","","","","2019A0000014562","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" 
+"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2019-14559","https://nvd.nist.gov/vuln/detail/CVE-2019-14559","edk2","7.5","202211","","","","2019A0000014559","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2019-14553","https://nvd.nist.gov/vuln/detail/CVE-2019-14553","edk2","4.9","202211","","","","2019A0000014553","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2019-12749","https://nvd.nist.gov/vuln/detail/CVE-2019-12749","dbus","7.1","1","","","","2019A0000012749","True","Fixed with https://github.com/NixOS/nixpkgs/pull/63021 (dbus version '1' in nixpkgs currently refers 1.14.8).","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2019-12067","https://nvd.nist.gov/vuln/detail/CVE-2019-12067","qemu","6.5","8.0.5","","","","2019A0000012067","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2019-6470","https://nvd.nist.gov/vuln/detail/CVE-2019-6470","bind","7.5","9.18.19","","","","2019A0000006470","True","Not valid: https://github.com/NixOS/nixpkgs/issues/73617#issuecomment-569491606.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2019-6462","https://nvd.nist.gov/vuln/detail/CVE-2019-6462","cairo","6.5","1.16.0","","","","2019A0000006462","True","Not a valid: 
https://github.com/NixOS/nixpkgs/pull/218039#issuecomment-1445460129.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2019-6461","https://nvd.nist.gov/vuln/detail/CVE-2019-6461","cairo","6.5","1.16.0","","","","2019A0000006461","True","Not valid: https://github.com/NixOS/nixpkgs/pull/218039#issuecomment-1445460129.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2019-6293","https://nvd.nist.gov/vuln/detail/CVE-2019-6293","flex","5.5","2.6.4","","","","2019A0000006293","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2019-5443","https://nvd.nist.gov/vuln/detail/CVE-2019-5443","curl","7.8","0.4.44","","","","2019A0000005443","False","","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2018-1000182","https://nvd.nist.gov/vuln/detail/CVE-2018-1000182","git","6.4","2.40.1","","","","2018A0001000182","True","Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2018-1000110","https://nvd.nist.gov/vuln/detail/CVE-2018-1000110","git","5.3","2.40.1","","","","2018A0001000110","True","Incorrect package: Impacts Jenkins git plugin, not git. 
Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2018-18438","https://nvd.nist.gov/vuln/detail/CVE-2018-18438","qemu","5.5","8.0.5","","","","2018A0000018438","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2018-13410","https://nvd.nist.gov/vuln/detail/CVE-2018-13410","zip","9.8","3.0","","","","2018A0000013410","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2018-7263","https://nvd.nist.gov/vuln/detail/CVE-2018-7263","libmad","9.8","0.15.1b","","","","2018A0000007263","True","Based on https://github.com/NixOS/nixpkgs/issues/57154, issue is fixed by https://github.com/NixOS/nixpkgs/commit/92edb0610923fab5a9dcc59b94652f1e8a5ea1ed.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2018-6553","https://nvd.nist.gov/vuln/detail/CVE-2018-6553","cups","8.8","2.4.7","","","","2018A0000006553","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2017-5628","https://nvd.nist.gov/vuln/detail/CVE-2017-5628","mujs","7.8","1.3.3","","","","2017A0000005628","True","NVD data issue: CPE entry does not correctly state the version 
numbers.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2017-5627","https://nvd.nist.gov/vuln/detail/CVE-2017-5627","mujs","7.8","1.3.3","","","","2017A0000005627","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2017-5436","https://nvd.nist.gov/vuln/detail/CVE-2017-5436","graphite2","8.8","1.3.14","","","","2017A0000005436","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2016-10141","https://nvd.nist.gov/vuln/detail/CVE-2016-10141","mujs","9.8","1.3.3","","","","2016A0000010141","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2016-10133","https://nvd.nist.gov/vuln/detail/CVE-2016-10133","mujs","9.8","1.3.3","","","","2016A0000010133","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2016-10132","https://nvd.nist.gov/vuln/detail/CVE-2016-10132","mujs","7.5","1.3.3","","","","2016A0000010132","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2016-9294","https://nvd.nist.gov/vuln/detail/CVE-2016-9294","mujs","7.5","1.3.3","","","","2016A0000009294","True","NVD data issue: CPE entry does not correctly state the version 
numbers.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2016-9136","https://nvd.nist.gov/vuln/detail/CVE-2016-9136","mujs","7.5","1.3.3","","","","2016A0000009136","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2016-9109","https://nvd.nist.gov/vuln/detail/CVE-2016-9109","mujs","7.5","1.3.3","","","","2016A0000009109","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2016-9108","https://nvd.nist.gov/vuln/detail/CVE-2016-9108","mujs","7.5","1.3.3","","","","2016A0000009108","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2016-9017","https://nvd.nist.gov/vuln/detail/CVE-2016-9017","mujs","7.5","1.3.3","","","","2016A0000009017","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2016-7564","https://nvd.nist.gov/vuln/detail/CVE-2016-7564","mujs","7.5","1.3.3","","","","2016A0000007564","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2016-7563","https://nvd.nist.gov/vuln/detail/CVE-2016-7563","mujs","7.5","1.3.3","","","","2016A0000007563","True","NVD data issue: CPE entry does not correctly state the version 
numbers.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2016-7506","https://nvd.nist.gov/vuln/detail/CVE-2016-7506","mujs","7.5","1.3.3","","","","2016A0000007506","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2016-7504","https://nvd.nist.gov/vuln/detail/CVE-2016-7504","mujs","9.8","1.3.3","","","","2016A0000007504","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2016-6131","https://nvd.nist.gov/vuln/detail/CVE-2016-6131","libiberty","7.5","12.2.0","","","","2016A0000006131","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2016-4493","https://nvd.nist.gov/vuln/detail/CVE-2016-4493","libiberty","5.5","12.2.0","","","","2016A0000004493","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2016-4492","https://nvd.nist.gov/vuln/detail/CVE-2016-4492","libiberty","4.4","12.2.0","","","","2016A0000004492","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2016-4491","https://nvd.nist.gov/vuln/detail/CVE-2016-4491","libiberty","5.5","12.2.0","","","","2016A0000004491","True","NVD data issue: CPE entry does not correctly state the version 
numbers.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2016-4490","https://nvd.nist.gov/vuln/detail/CVE-2016-4490","libiberty","5.5","12.2.0","","","","2016A0000004490","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2016-4489","https://nvd.nist.gov/vuln/detail/CVE-2016-4489","libiberty","5.5","12.2.0","","","","2016A0000004489","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2016-4488","https://nvd.nist.gov/vuln/detail/CVE-2016-4488","libiberty","5.5","12.2.0","","","","2016A0000004488","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2016-4487","https://nvd.nist.gov/vuln/detail/CVE-2016-4487","libiberty","5.5","12.2.0","","","","2016A0000004487","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2016-2781","https://nvd.nist.gov/vuln/detail/CVE-2016-2781","coreutils","6.5","9.1","","","","2016A0000002781","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2016-2226","https://nvd.nist.gov/vuln/detail/CVE-2016-2226","libiberty","7.8","12.2.0","","","","2016A0000002226","True","NVD data issue: CPE entry does not correctly state the version 
numbers.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2015-7313","https://nvd.nist.gov/vuln/detail/CVE-2015-7313","libtiff","5.5","4.5.1","","","","2015A0000007313","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2014-9157","https://nvd.nist.gov/vuln/detail/CVE-2014-9157","graphviz","","7.1.0","","","","2014A0000009157","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2014-4860","https://nvd.nist.gov/vuln/detail/CVE-2014-4860","edk2","6.8","202211","","","","2014A0000004860","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2014-4859","https://nvd.nist.gov/vuln/detail/CVE-2014-4859","edk2","6.8","202211","","","","2014A0000004859","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2012-3509","https://nvd.nist.gov/vuln/detail/CVE-2012-3509","libiberty","","12.2.0","","","","2012A0000003509","True","NVD data issue: CPE entry does not correctly state the version numbers.","err_missing_repology_version","" +"packages.x86_64-linux.generic-x86_64-release","github:tiiuae/ghaf?ref=ghaf-23.09","lock_updated","CVE-2010-4226","https://nvd.nist.gov/vuln/detail/CVE-2010-4226","cpio","","2.14","","","","2010A0000004226","True","NVD data issue: concerns OpenSuSE, not cpio.","err_missing_repology_version","" 
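Review bot: among the three CVE-2019-14900 and three CVE-2019-14860 rows for `fuse`, one row in each set carries a version_local of `2.9.9-closefrom-glibc-2-34.patch?id=8a970396fca7aca2d5a761b8e7a8242f1eef14c9`, which is a patch file name plus its query string rather than a package version; the scanner seems to be deriving a version from the store path of a fetched patch, so either the version parsing should be tightened or the report README should state that such rows are artifacts, otherwise the table lists a phantom third `fuse` version. Separately, the two `curl` rows (CVE-2020-8284 and CVE-2019-5443, both at version_local 0.4.44) are not whitelisted and have an empty comment, yet 0.4.44 is not a libcurl version; this looks like the same name-collision pattern that the `quote` rows document as "Incorrect package", so a manual_analysis.csv entry stating which package 0.4.44 actually is would make the triage decision reproducible. Minor: the CVE-2019-6462 comment reads "Not a valid:" while the CVE-2019-6461 row says "Not valid:"; worth fixing in manual_analysis.csv so the generated reports stay consistent.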
diff --git a/reports/ghaf-23.09/data.csv.license b/reports/ghaf-23.09/data.csv.license new file mode 100644 index 0000000..5cc74e1 --- /dev/null +++ b/reports/ghaf-23.09/data.csv.license @@ -0,0 +1,3 @@ +# SPDX-FileCopyrightText: 2023 Technology Innovation Institute (TII) +# +# SPDX-License-Identifier: Apache-2.0 diff --git a/reports/ghaf-23.09/packages.x86_64-linux.generic-x86_64-release.md b/reports/ghaf-23.09/packages.x86_64-linux.generic-x86_64-release.md new file mode 100644 index 0000000..6e52a70 --- /dev/null +++ b/reports/ghaf-23.09/packages.x86_64-linux.generic-x86_64-release.md 
@@ -0,0 +1,371 @@ + + +# Vulnerability Report + +This vulnerability report is generated for Ghaf target `github:tiiuae/ghaf?ref=ghaf-23.09#packages.x86_64-linux.generic-x86_64-release` revision https://github.com/tiiuae/ghaf/commit/a8496da812f39f8bd8927faadf3d573c512ed0bf. The tables on this page include known vulnerabilities impacting buildtime or runtime dependencies of the given target. + +This report is automatically generated as specified on the [Vulnerability Scan](../../.github/workflows/vulnerability-scan.yml) GitHub action workflow. It uses the tooling from [sbomnix](https://github.com/tiiuae/sbomnix) repository, such as [vulnxscan](https://github.com/tiiuae/sbomnix/tree/main/scripts/vulnxscan), as well as the manual analysis results maintained in the [manual_analysis.csv](../../manual_analysis.csv) file. + +See section [Theory of Operation](https://github.com/tiiuae/ghafscan#theory-of-operation) in the [ghafscan README.md](https://github.com/tiiuae/ghafscan/blob/main/README.md) for details of how the data on this report is generated. + +Reports +================= + +* [Vulnerabilities Fixed in Ghaf nixpkgs Upstream](#vulnerabilities-fixed-in-ghaf-nixpkgs-upstream) +* [Vulnerabilities Fixed in nix-unstable](#vulnerabilities-fixed-in-nix-unstable) +* [New Vulnerabilities Since Last Run](#new-vulnerabilities-since-last-run) +* [All Vulnerabilities Impacting Ghaf](#all-vulnerabilities-impacting-ghaf) +* [Whitelisted Vulnerabilities](#whitelisted-vulnerabilities) + +## Vulnerabilities Fixed in Ghaf nixpkgs Upstream + +Following table lists vulnerabilities that have been fixed in the nixpkgs channel the Ghaf target is currently pinned to, but the fixes have not been included in Ghaf. 
+ +Update the target Ghaf [flake.lock](https://github.com/tiiuae/ghaf/blob/main/flake.lock) file to mitigate the following issues: + + +| vuln_id | package | severity | version_local | nix_unstable | upstream | comment | +|-------------------------------------------------------------------|-----------|------------|------------------|----------------|------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| [CVE-2023-40359](https://nvd.nist.gov/vuln/detail/CVE-2023-40359) | xterm | 9.8 | 379 | 384 | 388 | Backport to 23.05 ongoing in PR: [link](https://github.com/NixOS/nixpkgs/pull/254541). *[[PR](https://github.com/NixOS/nixpkgs/pull/244141), [PR](https://github.com/NixOS/nixpkgs/pull/254541), [PR](https://github.com/NixOS/nixpkgs/pull/258619)]* | +| [CVE-2023-4863](https://nvd.nist.gov/vuln/detail/CVE-2023-4863) | libwebp | 8.8 | 1.3.1 | 1.3.2 | 1.3.2 | *[[PR](https://github.com/NixOS/nixpkgs/pull/255339), [PR](https://github.com/NixOS/nixpkgs/pull/255786), [PR](https://github.com/NixOS/nixpkgs/pull/255959), [PR](https://github.com/NixOS/nixpkgs/pull/258217), [PR](https://github.com/NixOS/nixpkgs/pull/258430)]* | +| [CVE-2023-43787](https://nvd.nist.gov/vuln/detail/CVE-2023-43787) | libX11 | 7.8 | 1.8.6 | 1.8.7 | 1.8.7 | *[[PR](https://github.com/NixOS/nixpkgs/pull/258841), [PR](https://github.com/NixOS/nixpkgs/pull/258996)]* | +| [CVE-2023-4807](https://nvd.nist.gov/vuln/detail/CVE-2023-4807) | openssl | 7.8 | 3.0.10 | 3.0.11 | 3.1.4 | *[[PR](https://github.com/NixOS/nixpkgs/pull/254106), [PR](https://github.com/NixOS/nixpkgs/pull/254185), [PR](https://github.com/NixOS/nixpkgs/pull/254574), [PR](https://github.com/NixOS/nixpkgs/pull/256127), [PR](https://github.com/NixOS/nixpkgs/pull/265619)]* | +| 
[CVE-2023-4504](https://nvd.nist.gov/vuln/detail/CVE-2023-4504) | cups | 7.8 | 2.4.6 | 2.4.7 | 2.4.7 | *[[PR](https://github.com/NixOS/nixpkgs/pull/256378), [PR](https://github.com/NixOS/nixpkgs/pull/257637)]* | +| [CVE-2023-44488](https://nvd.nist.gov/vuln/detail/CVE-2023-44488) | libvpx | 7.5 | 1.13.0 | 1.13.1 | 1.13.1 | *[[PR](https://github.com/NixOS/nixpkgs/pull/258295), [PR](https://github.com/NixOS/nixpkgs/pull/258350), [PR](https://github.com/NixOS/nixpkgs/pull/259881), [PR](https://github.com/NixOS/nixpkgs/pull/260189)]* | +| [CVE-2023-38039](https://nvd.nist.gov/vuln/detail/CVE-2023-38039) | curl | 7.5 | 8.1.1 | 8.4.0 | 8.4.0.4 | *[[PR](https://github.com/NixOS/nixpkgs/pull/254962), [PR](https://github.com/NixOS/nixpkgs/pull/254963), [PR](https://github.com/NixOS/nixpkgs/pull/260378)]* | +| [CVE-2023-4236](https://nvd.nist.gov/vuln/detail/CVE-2023-4236) | bind | 7.5 | 9.18.16 | 9.18.19 | 9.18.19 | *[[PR](https://github.com/NixOS/nixpkgs/pull/256396), [PR](https://github.com/NixOS/nixpkgs/pull/256469)]* | +| [CVE-2023-3341](https://nvd.nist.gov/vuln/detail/CVE-2023-3341) | bind | 7.5 | 9.18.16 | 9.18.19 | 9.18.19 | *[[PR](https://github.com/NixOS/nixpkgs/pull/256396), [PR](https://github.com/NixOS/nixpkgs/pull/256469)]* | +| [CVE-2023-39319](https://nvd.nist.gov/vuln/detail/CVE-2023-39319) | go | 6.1 | 1.20.7 | 1.21.3 | 1.21.4 | *[[PR](https://github.com/NixOS/nixpkgs/pull/259329), [PR](https://github.com/NixOS/nixpkgs/pull/266176)]* | +| [CVE-2023-39319](https://nvd.nist.gov/vuln/detail/CVE-2023-39319) | go | 6.1 | 1.17.13-linux-am | 1.21.3 | 1.21.4 | *[[PR](https://github.com/NixOS/nixpkgs/pull/259329), [PR](https://github.com/NixOS/nixpkgs/pull/266176)]* | +| [CVE-2023-39318](https://nvd.nist.gov/vuln/detail/CVE-2023-39318) | go | 6.1 | 1.20.7 | 1.21.3 | 1.21.4 | *[[PR](https://github.com/NixOS/nixpkgs/pull/259329), [PR](https://github.com/NixOS/nixpkgs/pull/266176)]* | +| [CVE-2023-39318](https://nvd.nist.gov/vuln/detail/CVE-2023-39318) | go | 6.1 | 
1.17.13-linux-am | 1.21.3 | 1.21.4 | *[[PR](https://github.com/NixOS/nixpkgs/pull/259329), [PR](https://github.com/NixOS/nixpkgs/pull/266176)]* | +| [CVE-2023-43789](https://nvd.nist.gov/vuln/detail/CVE-2023-43789) | libXpm | 5.5 | 3.5.15 | 3.5.17 | 3.5.17 | *[[PR](https://github.com/NixOS/nixpkgs/pull/258841), [PR](https://github.com/NixOS/nixpkgs/pull/258996)]* | +| [CVE-2023-43788](https://nvd.nist.gov/vuln/detail/CVE-2023-43788) | libXpm | 5.5 | 3.5.15 | 3.5.17 | 3.5.17 | | +| [CVE-2023-43786](https://nvd.nist.gov/vuln/detail/CVE-2023-43786) | libX11 | 5.5 | 1.8.6 | 1.8.7 | 1.8.7 | *[[PR](https://github.com/NixOS/nixpkgs/pull/258841), [PR](https://github.com/NixOS/nixpkgs/pull/258996)]* | +| [CVE-2023-43785](https://nvd.nist.gov/vuln/detail/CVE-2023-43785) | libX11 | 5.5 | 1.8.6 | 1.8.7 | 1.8.7 | *[[PR](https://github.com/NixOS/nixpkgs/pull/258841), [PR](https://github.com/NixOS/nixpkgs/pull/258996)]* | +| [CVE-2023-40360](https://nvd.nist.gov/vuln/detail/CVE-2023-40360) | qemu | 5.5 | 8.0.4 | 8.1.2 | 8.1.2 | *[[PR](https://github.com/NixOS/nixpkgs/pull/251154), [PR](https://github.com/NixOS/nixpkgs/pull/261753)]* | +| [GHSA-j7hp-h8jx-5ppr](https://osv.dev/GHSA-j7hp-h8jx-5ppr) | electron | | 25.7.0 | 27.0.0 | 27.0.3 | | +| [GHSA-qqvq-6xgj-jw8g](https://osv.dev/GHSA-qqvq-6xgj-jw8g) | electron | | 25.7.0 | 27.0.0 | 27.0.3 | | + + +## Vulnerabilities Fixed in nix-unstable + +Following table lists vulnerabilities that have been fixed in nixpkgs nix-unstable channel, but the fixes have not been backported to the channel the Ghaf target is currently pinned to. + +Following issues potentially require backporting the fix from nixpkgs-unstable to the correct nixpkgs release branch. + +Consider [whitelisting](../../manual_analysis.csv) possible false positives based on manual analysis, or - if determined valid - help nixpkgs community backport the fix to the correct nixpkgs branch: + +```Error evaluating 'packages.x86_64-linux.generic-x86_64-release' on nix_unstable```

+For more details, see: https://github.com/tiiuae/ghafscan/actions + + +## New Vulnerabilities Since Last Run + +Following table lists vulnerabilities currently impacting the Ghaf target that have emerged since the last time this vulnerability report was generated. + +Consider [whitelisting](../../manual_analysis.csv) possible false positives based on manual analysis, or - if determined valid - help nixpkgs community fix the following issues in nixpkgs: + +```No vulnerabilities``` + + +## All Vulnerabilities Impacting Ghaf + +Following table lists all vulnerabilities currently impacting the Ghaf target. + +Consider [whitelisting](../../manual_analysis.csv) possible false positives based on manual analysis, or - if determined valid - help nixpkgs community fix the following issues in nixpkgs: + + +| vuln_id | package | severity | version_local | nix_unstable | upstream | comment | +|-------------------------------------------------------------------|------------|------------|------------------|------------------|------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| [CVE-2023-45853](https://nvd.nist.gov/vuln/detail/CVE-2023-45853) | zlib | 9.8 | 1.2.13 | 1.3 | 1.3 | *[[PR](https://github.com/NixOS/nixpkgs/pull/262722), [PR](https://github.com/NixOS/nixpkgs/pull/263083)]* | +| [CVE-2023-40359](https://nvd.nist.gov/vuln/detail/CVE-2023-40359) | xterm | 9.8 | 379 | 384 | 388 | Backport to 23.05 ongoing in PR: [link](https://github.com/NixOS/nixpkgs/pull/254541). 
*[[PR](https://github.com/NixOS/nixpkgs/pull/244141), [PR](https://github.com/NixOS/nixpkgs/pull/254541), [PR](https://github.com/NixOS/nixpkgs/pull/258619)]* | +| [CVE-2023-39323](https://nvd.nist.gov/vuln/detail/CVE-2023-39323) | go | 9.8 | 1.20.7 | 1.21.3 | 1.21.4 | *[[PR](https://github.com/NixOS/nixpkgs/pull/259329), [PR](https://github.com/NixOS/nixpkgs/pull/266176)]* | +| [CVE-2023-39323](https://nvd.nist.gov/vuln/detail/CVE-2023-39323) | go | 9.8 | 1.17.13-linux-am | 1.21.3 | 1.21.4 | *[[PR](https://github.com/NixOS/nixpkgs/pull/259329), [PR](https://github.com/NixOS/nixpkgs/pull/266176)]* | +| [CVE-2023-4863](https://nvd.nist.gov/vuln/detail/CVE-2023-4863) | libwebp | 8.8 | 1.3.1 | 1.3.2 | 1.3.2 | *[[PR](https://github.com/NixOS/nixpkgs/pull/255339), [PR](https://github.com/NixOS/nixpkgs/pull/255786), [PR](https://github.com/NixOS/nixpkgs/pull/255959), [PR](https://github.com/NixOS/nixpkgs/pull/258217), [PR](https://github.com/NixOS/nixpkgs/pull/258430)]* | +| [CVE-2023-2680](https://nvd.nist.gov/vuln/detail/CVE-2023-2680) | qemu | 8.2 | 8.0.4 | 8.1.2 | 8.1.2 | | +| [CVE-2023-31484](https://nvd.nist.gov/vuln/detail/CVE-2023-31484) | perl | 8.1 | 5.36.0-env | 5.38.0 | 5.38.0 | *[[PR](https://github.com/NixOS/nixpkgs/pull/241848), [PR](https://github.com/NixOS/nixpkgs/pull/247547), [PR](https://github.com/NixOS/nixpkgs/pull/256402)]* | +| [CVE-2023-31484](https://nvd.nist.gov/vuln/detail/CVE-2023-31484) | perl | 8.1 | 5.36.0 | 5.38.0 | 5.38.0 | *[[PR](https://github.com/NixOS/nixpkgs/pull/241848), [PR](https://github.com/NixOS/nixpkgs/pull/247547), [PR](https://github.com/NixOS/nixpkgs/pull/256402)]* | +| [CVE-2023-43787](https://nvd.nist.gov/vuln/detail/CVE-2023-43787) | libX11 | 7.8 | 1.8.6 | 1.8.7 | 1.8.7 | *[[PR](https://github.com/NixOS/nixpkgs/pull/258841), [PR](https://github.com/NixOS/nixpkgs/pull/258996)]* | +| [CVE-2023-5535](https://nvd.nist.gov/vuln/detail/CVE-2023-5535) | vim | 7.8 | 9.0.1441 | 9.0.1897 | 9.0.2092 | | +| 
[CVE-2023-4807](https://nvd.nist.gov/vuln/detail/CVE-2023-4807) | openssl | 7.8 | 3.0.10 | 3.0.11 | 3.1.4 | *[[PR](https://github.com/NixOS/nixpkgs/pull/254106), [PR](https://github.com/NixOS/nixpkgs/pull/254185), [PR](https://github.com/NixOS/nixpkgs/pull/254574), [PR](https://github.com/NixOS/nixpkgs/pull/256127), [PR](https://github.com/NixOS/nixpkgs/pull/265619)]* | +| [CVE-2023-4781](https://nvd.nist.gov/vuln/detail/CVE-2023-4781) | vim | 7.8 | 9.0.1441 | 9.0.1897 | 9.0.2092 | Backport nixpkgs PR [link](https://github.com/NixOS/nixpkgs/pull/254666) to 23.05 once it's merged to unstable/staging. *[[PR](https://github.com/NixOS/nixpkgs/pull/254666), [PR](https://github.com/NixOS/nixpkgs/pull/261952)]* | +| [CVE-2023-4752](https://nvd.nist.gov/vuln/detail/CVE-2023-4752) | vim | 7.8 | 9.0.1441 | 9.0.1897 | 9.0.2092 | Backport nixpkgs PR [link](https://github.com/NixOS/nixpkgs/pull/254666) to 23.05 once it's merged to unstable/staging. *[[PR](https://github.com/NixOS/nixpkgs/pull/254666), [PR](https://github.com/NixOS/nixpkgs/pull/261952)]* | +| [CVE-2023-4750](https://nvd.nist.gov/vuln/detail/CVE-2023-4750) | vim | 7.8 | 9.0.1441 | 9.0.1897 | 9.0.2092 | Backport nixpkgs PR [link](https://github.com/NixOS/nixpkgs/pull/254666) to 23.05 once it's merged to unstable/staging. *[[PR](https://github.com/NixOS/nixpkgs/pull/254666), [PR](https://github.com/NixOS/nixpkgs/pull/261952)]* | +| [CVE-2023-4738](https://nvd.nist.gov/vuln/detail/CVE-2023-4738) | vim | 7.8 | 9.0.1441 | 9.0.1897 | 9.0.2092 | Backport nixpkgs PR [link](https://github.com/NixOS/nixpkgs/pull/254666) to 23.05 once it's merged to unstable/staging. *[[PR](https://github.com/NixOS/nixpkgs/pull/254666), [PR](https://github.com/NixOS/nixpkgs/pull/261952)]* | +| [CVE-2023-4736](https://nvd.nist.gov/vuln/detail/CVE-2023-4736) | vim | 7.8 | 9.0.1441 | 9.0.1897 | 9.0.2092 | Backport nixpkgs PR [link](https://github.com/NixOS/nixpkgs/pull/254666) to 23.05 once it's merged to unstable/staging. 
*[[PR](https://github.com/NixOS/nixpkgs/pull/254666), [PR](https://github.com/NixOS/nixpkgs/pull/261952)]* | +| [CVE-2023-4735](https://nvd.nist.gov/vuln/detail/CVE-2023-4735) | vim | 7.8 | 9.0.1441 | 9.0.1897 | 9.0.2092 | Backport nixpkgs PR [link](https://github.com/NixOS/nixpkgs/pull/254666) to 23.05 once it's merged to unstable/staging. *[[PR](https://github.com/NixOS/nixpkgs/pull/254666), [PR](https://github.com/NixOS/nixpkgs/pull/261952)]* | +| [CVE-2023-4734](https://nvd.nist.gov/vuln/detail/CVE-2023-4734) | vim | 7.8 | 9.0.1441 | 9.0.1897 | 9.0.2092 | Backport nixpkgs PR [link](https://github.com/NixOS/nixpkgs/pull/254666) to 23.05 once it's merged to unstable/staging. *[[PR](https://github.com/NixOS/nixpkgs/pull/254666), [PR](https://github.com/NixOS/nixpkgs/pull/261952)]* | +| [CVE-2023-4733](https://nvd.nist.gov/vuln/detail/CVE-2023-4733) | vim | 7.8 | 9.0.1441 | 9.0.1897 | 9.0.2092 | Backport nixpkgs PR [link](https://github.com/NixOS/nixpkgs/pull/254666) to 23.05 once it's merged to unstable/staging. *[[PR](https://github.com/NixOS/nixpkgs/pull/254666), [PR](https://github.com/NixOS/nixpkgs/pull/261952)]* | +| [CVE-2023-4504](https://nvd.nist.gov/vuln/detail/CVE-2023-4504) | cups | 7.8 | 2.4.6 | 2.4.7 | 2.4.7 | *[[PR](https://github.com/NixOS/nixpkgs/pull/256378), [PR](https://github.com/NixOS/nixpkgs/pull/257637)]* | +| [CVE-2023-2610](https://nvd.nist.gov/vuln/detail/CVE-2023-2610) | vim | 7.8 | 9.0.1441 | 9.0.1897 | 9.0.2092 | Backport nixpkgs PR [link](https://github.com/NixOS/nixpkgs/pull/254666) to 23.05 once it's merged to unstable/staging. *[[PR](https://github.com/NixOS/nixpkgs/pull/254666), [PR](https://github.com/NixOS/nixpkgs/pull/261952)]* | +| [CVE-2023-1386](https://nvd.nist.gov/vuln/detail/CVE-2023-1386) | qemu | 7.8 | 8.0.4 | 8.1.2 | 8.1.2 | Revisit when fixed upstream: [link](https://github.com/v9fs/linux/issues/29). 
| +| [CVE-2023-44488](https://nvd.nist.gov/vuln/detail/CVE-2023-44488) | libvpx | 7.5 | 1.13.0 | 1.13.1 | 1.13.1 | *[[PR](https://github.com/NixOS/nixpkgs/pull/258295), [PR](https://github.com/NixOS/nixpkgs/pull/258350), [PR](https://github.com/NixOS/nixpkgs/pull/259881), [PR](https://github.com/NixOS/nixpkgs/pull/260189)]* | +| [CVE-2023-44487](https://nvd.nist.gov/vuln/detail/CVE-2023-44487) | nghttp2 | 7.5 | 1.51.0 | 1.57.0 | 1.58.0 | *[[PR](https://github.com/NixOS/nixpkgs/pull/259329), [PR](https://github.com/NixOS/nixpkgs/pull/262022), [PR](https://github.com/NixOS/nixpkgs/pull/262713), [PR](https://github.com/NixOS/nixpkgs/pull/262718), [PR](https://github.com/NixOS/nixpkgs/pull/262738)]* | +| [CVE-2023-44487](https://nvd.nist.gov/vuln/detail/CVE-2023-44487) | go | 7.5 | 1.20.7 | 1.21.3 | 1.21.4 | *[[PR](https://github.com/NixOS/nixpkgs/pull/259329), [PR](https://github.com/NixOS/nixpkgs/pull/262022), [PR](https://github.com/NixOS/nixpkgs/pull/262713), [PR](https://github.com/NixOS/nixpkgs/pull/262718), [PR](https://github.com/NixOS/nixpkgs/pull/262738)]* | +| [CVE-2023-44487](https://nvd.nist.gov/vuln/detail/CVE-2023-44487) | go | 7.5 | 1.17.13-linux-am | 1.21.3 | 1.21.4 | *[[PR](https://github.com/NixOS/nixpkgs/pull/259329), [PR](https://github.com/NixOS/nixpkgs/pull/262022), [PR](https://github.com/NixOS/nixpkgs/pull/262713), [PR](https://github.com/NixOS/nixpkgs/pull/262718), [PR](https://github.com/NixOS/nixpkgs/pull/262738)]* | +| [CVE-2023-39325](https://nvd.nist.gov/vuln/detail/CVE-2023-39325) | go | 7.5 | 1.20.7 | 1.21.3 | 1.21.4 | *[[PR](https://github.com/NixOS/nixpkgs/pull/259329), [PR](https://github.com/NixOS/nixpkgs/pull/262713), [PR](https://github.com/NixOS/nixpkgs/pull/266176)]* | +| [CVE-2023-38039](https://nvd.nist.gov/vuln/detail/CVE-2023-38039) | curl | 7.5 | 8.1.1 | 8.4.0 | 8.4.0.4 | *[[PR](https://github.com/NixOS/nixpkgs/pull/254962), [PR](https://github.com/NixOS/nixpkgs/pull/254963), 
[PR](https://github.com/NixOS/nixpkgs/pull/260378)]* | +| [CVE-2023-35945](https://nvd.nist.gov/vuln/detail/CVE-2023-35945) | nghttp2 | 7.5 | 1.51.0 | 1.57.0 | 1.58.0 | *[[PR](https://github.com/NixOS/nixpkgs/pull/219712), [PR](https://github.com/NixOS/nixpkgs/pull/246068), [PR](https://github.com/NixOS/nixpkgs/pull/265047)]* | +| [CVE-2023-5344](https://nvd.nist.gov/vuln/detail/CVE-2023-5344) | vim | 7.5 | 9.0.1441 | 9.0.1897 | 9.0.2092 | | +| [CVE-2023-5156](https://nvd.nist.gov/vuln/detail/CVE-2023-5156) | glibc | 7.5 | 2.37-8 | | | | +| [CVE-2023-4236](https://nvd.nist.gov/vuln/detail/CVE-2023-4236) | bind | 7.5 | 9.18.16 | 9.18.19 | 9.18.19 | *[[PR](https://github.com/NixOS/nixpkgs/pull/256396), [PR](https://github.com/NixOS/nixpkgs/pull/256469)]* | +| [CVE-2023-3354](https://nvd.nist.gov/vuln/detail/CVE-2023-3354) | qemu | 7.5 | 8.0.4 | 8.1.2 | 8.1.2 | Fixed in 8.0.4: [link](https://gitlab.com/qemu-project/qemu/-/commit/5300472ec0990c61742d89b5eea1c1e6941f6d62). Nixpkgs PR: [link](https://github.com/NixOS/nixpkgs/pull/251036). 
*[[PR](https://github.com/NixOS/nixpkgs/pull/248659), [PR](https://github.com/NixOS/nixpkgs/pull/261753)]* | +| [CVE-2023-3341](https://nvd.nist.gov/vuln/detail/CVE-2023-3341) | bind | 7.5 | 9.18.16 | 9.18.19 | 9.18.19 | *[[PR](https://github.com/NixOS/nixpkgs/pull/256396), [PR](https://github.com/NixOS/nixpkgs/pull/256469)]* | +| [CVE-2022-43357](https://nvd.nist.gov/vuln/detail/CVE-2022-43357) | sassc | 7.5 | 3.6.2 | 3.6.2 | 3.6.2 | *[[PR](https://github.com/NixOS/nixpkgs/pull/264177)]* | +| [CVE-2023-25584](https://nvd.nist.gov/vuln/detail/CVE-2023-25584) | binutils | 7.1 | 2.40 | 2.40 | 2.41 | | +| [CVE-2023-45322](https://nvd.nist.gov/vuln/detail/CVE-2023-45322) | libxml2 | 6.5 | 2.10.4 | 2.11.5 | 2.11.5 | | +| [CVE-2023-41175](https://nvd.nist.gov/vuln/detail/CVE-2023-41175) | libtiff | 6.5 | 4.5.1 | 4.5.1 | 4.6.0 | *[[PR](https://github.com/NixOS/nixpkgs/pull/261791), [PR](https://github.com/NixOS/nixpkgs/pull/264613)]* | +| [CVE-2023-40745](https://nvd.nist.gov/vuln/detail/CVE-2023-40745) | libtiff | 6.5 | 4.5.1 | 4.5.1 | 4.6.0 | *[[PR](https://github.com/NixOS/nixpkgs/pull/261791), [PR](https://github.com/NixOS/nixpkgs/pull/264613)]* | +| [CVE-2023-38858](https://nvd.nist.gov/vuln/detail/CVE-2023-38858) | faad2 | 6.5 | 2.10.1 | 2.10.1 | 2.11.0 | | +| [CVE-2023-37769](https://nvd.nist.gov/vuln/detail/CVE-2023-37769) | pixman | 6.5 | 0.42.2 | 0.42.2 | 0.42.2 | See: [link](https://gitlab.freedesktop.org/pixman/pixman/-/issues/76): "This somehow got assigned CVE-2023-37769, not sure why NVD keeps assigning CVEs like this. This is just a test executable". | +| [CVE-2023-4527](https://nvd.nist.gov/vuln/detail/CVE-2023-4527) | glibc | 6.5 | 2.37-8 | | | *[[PR](https://github.com/NixOS/nixpkgs/pull/256887)]* | +| [CVE-2023-4135](https://nvd.nist.gov/vuln/detail/CVE-2023-4135) | qemu | 6.5 | 8.0.4 | 8.1.2 | 8.1.2 | Fixed upstream in 8.1.0. 
*[[PR](https://github.com/NixOS/nixpkgs/pull/261753)]* | +| [CVE-2023-3180](https://nvd.nist.gov/vuln/detail/CVE-2023-3180) | qemu | 6.5 | 8.0.4 | 8.1.2 | 8.1.2 | Fixed in 8.0.4: [link](https://gitlab.com/qemu-project/qemu/-/commit/49f1e02bac166821c712534aaa775f50e1afe17f). Nixpkgs PR: [link](https://github.com/NixOS/nixpkgs/pull/251036). *[[PR](https://github.com/NixOS/nixpkgs/pull/248659), [PR](https://github.com/NixOS/nixpkgs/pull/261753)]* | +| [CVE-2023-3019](https://nvd.nist.gov/vuln/detail/CVE-2023-3019) | qemu | 6.5 | 8.0.4 | 8.1.2 | 8.1.2 | Revisit when fixed upstream: [link](https://lists.nongnu.org/archive/html/qemu-devel/2023-05/msg08310.html). | +| [CVE-2021-46312](https://nvd.nist.gov/vuln/detail/CVE-2021-46312) | djvulibre | 6.5 | 3.5.28 | 3.5.28 | 3.5.28 | | +| [CVE-2021-46310](https://nvd.nist.gov/vuln/detail/CVE-2021-46310) | djvulibre | 6.5 | 3.5.28 | 3.5.28 | 3.5.28 | | +| [CVE-2023-39319](https://nvd.nist.gov/vuln/detail/CVE-2023-39319) | go | 6.1 | 1.20.7 | 1.21.3 | 1.21.4 | *[[PR](https://github.com/NixOS/nixpkgs/pull/259329), [PR](https://github.com/NixOS/nixpkgs/pull/266176)]* | +| [CVE-2023-39319](https://nvd.nist.gov/vuln/detail/CVE-2023-39319) | go | 6.1 | 1.17.13-linux-am | 1.21.3 | 1.21.4 | *[[PR](https://github.com/NixOS/nixpkgs/pull/259329), [PR](https://github.com/NixOS/nixpkgs/pull/266176)]* | +| [CVE-2023-39318](https://nvd.nist.gov/vuln/detail/CVE-2023-39318) | go | 6.1 | 1.20.7 | 1.21.3 | 1.21.4 | *[[PR](https://github.com/NixOS/nixpkgs/pull/259329), [PR](https://github.com/NixOS/nixpkgs/pull/266176)]* | +| [CVE-2023-39318](https://nvd.nist.gov/vuln/detail/CVE-2023-39318) | go | 6.1 | 1.17.13-linux-am | 1.21.3 | 1.21.4 | *[[PR](https://github.com/NixOS/nixpkgs/pull/259329), [PR](https://github.com/NixOS/nixpkgs/pull/266176)]* | +| [CVE-2023-46407](https://nvd.nist.gov/vuln/detail/CVE-2023-46407) | ffmpeg | 5.5 | 5.1.3 | 6.0 | 6.0 | | +| [CVE-2023-46407](https://nvd.nist.gov/vuln/detail/CVE-2023-46407) | ffmpeg | 5.5 | 4.4.4 | 
6.0 | 6.0 | | +| [CVE-2023-46246](https://nvd.nist.gov/vuln/detail/CVE-2023-46246) | vim | 5.5 | 9.0.1441 | 9.0.1897 | 9.0.2092 | | +| [CVE-2023-43789](https://nvd.nist.gov/vuln/detail/CVE-2023-43789) | libXpm | 5.5 | 3.5.15 | 3.5.17 | 3.5.17 | *[[PR](https://github.com/NixOS/nixpkgs/pull/258841), [PR](https://github.com/NixOS/nixpkgs/pull/258996)]* | +| [CVE-2023-43788](https://nvd.nist.gov/vuln/detail/CVE-2023-43788) | libXpm | 5.5 | 3.5.15 | 3.5.17 | 3.5.17 | | +| [CVE-2023-43786](https://nvd.nist.gov/vuln/detail/CVE-2023-43786) | libX11 | 5.5 | 1.8.6 | 1.8.7 | 1.8.7 | *[[PR](https://github.com/NixOS/nixpkgs/pull/258841), [PR](https://github.com/NixOS/nixpkgs/pull/258996)]* | +| [CVE-2023-43785](https://nvd.nist.gov/vuln/detail/CVE-2023-43785) | libX11 | 5.5 | 1.8.6 | 1.8.7 | 1.8.7 | *[[PR](https://github.com/NixOS/nixpkgs/pull/258841), [PR](https://github.com/NixOS/nixpkgs/pull/258996)]* | +| [CVE-2023-40360](https://nvd.nist.gov/vuln/detail/CVE-2023-40360) | qemu | 5.5 | 8.0.4 | 8.1.2 | 8.1.2 | *[[PR](https://github.com/NixOS/nixpkgs/pull/251154), [PR](https://github.com/NixOS/nixpkgs/pull/261753)]* | +| [CVE-2023-39742](https://nvd.nist.gov/vuln/detail/CVE-2023-39742) | giflib | 5.5 | 5.2.1 | 5.2.1 | 5.2.1 | | +| [CVE-2023-38857](https://nvd.nist.gov/vuln/detail/CVE-2023-38857) | faad2 | 5.5 | 2.10.1 | 2.10.1 | 2.11.0 | | +| [CVE-2023-25588](https://nvd.nist.gov/vuln/detail/CVE-2023-25588) | binutils | 5.5 | 2.40 | 2.40 | 2.41 | | +| [CVE-2023-25586](https://nvd.nist.gov/vuln/detail/CVE-2023-25586) | binutils | 5.5 | 2.40 | 2.40 | 2.41 | | +| [CVE-2023-25585](https://nvd.nist.gov/vuln/detail/CVE-2023-25585) | binutils | 5.5 | 2.40 | 2.40 | 2.41 | | +| [CVE-2023-5441](https://nvd.nist.gov/vuln/detail/CVE-2023-5441) | vim | 5.5 | 9.0.1441 | 9.0.1897 | 9.0.2092 | | +| [CVE-2023-4016](https://nvd.nist.gov/vuln/detail/CVE-2023-4016) | procps | 5.5 | 3.3.17 | | | See: [link](https://gitlab.com/procps-ng/procps/-/issues/297). 
Notice: repology package name is procps-ng: [link](https://repology.org/project/procps-ng/versions). *[[PR](https://github.com/NixOS/nixpkgs/pull/256065), [PR](https://github.com/NixOS/nixpkgs/pull/256150), [PR](https://github.com/NixOS/nixpkgs/pull/264266)]* | +| [CVE-2023-2609](https://nvd.nist.gov/vuln/detail/CVE-2023-2609) | vim | 5.5 | 9.0.1441 | 9.0.1897 | 9.0.2092 | Backport nixpkgs PR [link](https://github.com/NixOS/nixpkgs/pull/254666) to 23.05 once it's merged to unstable/staging. *[[PR](https://github.com/NixOS/nixpkgs/pull/254666), [PR](https://github.com/NixOS/nixpkgs/pull/261952)]* | +| [CVE-2023-2426](https://nvd.nist.gov/vuln/detail/CVE-2023-2426) | vim | 5.5 | 9.0.1441 | 9.0.1897 | 9.0.2092 | Backport nixpkgs PR [link](https://github.com/NixOS/nixpkgs/pull/254666) to 23.05 once it's merged to unstable/staging. *[[PR](https://github.com/NixOS/nixpkgs/pull/254666), [PR](https://github.com/NixOS/nixpkgs/pull/261952)]* | +| [CVE-2020-18781](https://nvd.nist.gov/vuln/detail/CVE-2020-18781) | audiofile | 5.5 | 0.3.6 | 0.3.6 | 0.3.6 | | +| [CVE-2020-2136](https://nvd.nist.gov/vuln/detail/CVE-2020-2136) | git | 5.4 | 2.40.1 | 2.42.0 | 2.42.1 | *[[PR](https://github.com/NixOS/nixpkgs/pull/82872), [PR](https://github.com/NixOS/nixpkgs/pull/84664)]* | +| [CVE-2023-30571](https://nvd.nist.gov/vuln/detail/CVE-2023-30571) | libarchive | 5.3 | 3.6.2 | 3.7.2 | 3.7.2 | No upstream fix available, see: [link](https://github.com/libarchive/libarchive/issues/1876). *[[PR](https://github.com/NixOS/nixpkgs/pull/244713), [PR](https://github.com/NixOS/nixpkgs/pull/256930)]* | +| [CVE-2023-29409](https://nvd.nist.gov/vuln/detail/CVE-2023-29409) | go | 5.3 | 1.17.13-linux-am | 1.21.3 | 1.21.4 | See: [link](https://github.com/golang/go/issues/61580), fixed by update to go 1.20.7: nixpkgs PR [link](https://github.com/NixOS/nixpkgs/pull/246663). 
*[[PR](https://github.com/NixOS/nixpkgs/pull/247034), [PR](https://github.com/NixOS/nixpkgs/pull/259329), [PR](https://github.com/NixOS/nixpkgs/pull/266176)]* | +| [CVE-2023-4039](https://nvd.nist.gov/vuln/detail/CVE-2023-4039) | gcc | 4.8 | 12.2.0 | 12.3.0 | 13.2.0 | | +| [CVE-2023-29383](https://nvd.nist.gov/vuln/detail/CVE-2023-29383) | shadow | 3.3 | 4.13 | 4.14.0 | 4.14.2 | Pending merge for nixpkgs master PR: [link](https://github.com/NixOS/nixpkgs/pull/233924). TODO: consider taking the upstream version update to 4.14 instead: [link](https://github.com/shadow-maint/shadow/releases). *[[PR](https://github.com/NixOS/nixpkgs/pull/254143), [PR](https://github.com/NixOS/nixpkgs/pull/259826)]* | +| [CVE-2023-5752](https://nvd.nist.gov/vuln/detail/CVE-2023-5752) | pip | 3.3 | 23.0.1-source | 23.2.1 | 23.3.1 | | +| [GHSA-j7hp-h8jx-5ppr](https://osv.dev/GHSA-j7hp-h8jx-5ppr) | electron | | 25.7.0 | 27.0.0 | 27.0.3 | | +| [GHSA-qqvq-6xgj-jw8g](https://osv.dev/GHSA-qqvq-6xgj-jw8g) | electron | | 25.7.0 | 27.0.0 | 27.0.3 | | +| [GHSA-w596-4wvx-j9j6](https://osv.dev/GHSA-w596-4wvx-j9j6) | py | | 1.11.0 | 1.11.0 | 1.11.0 | | +| [OSV-2023-877](https://osv.dev/OSV-2023-877) | libbpf | | 1.2.0 | 1.2.2 | 1.2.2 | | +| [OSV-2023-505](https://osv.dev/OSV-2023-505) | file | | 5.44 | 5.45 | 5.45 | Unclear if this is still valid. | +| [OSV-2023-390](https://osv.dev/OSV-2023-390) | qemu | | 8.0.4 | 8.1.2 | 8.1.2 | Unclear if this is still valid. | +| [OSV-2022-908](https://osv.dev/OSV-2022-908) | bluez | | 5.66 | 5.66 | 5.70 | Unclear if this is still valid. | +| [OSV-2022-896](https://osv.dev/OSV-2022-896) | libsass | | 3.6.5 | 3.6.5 | 3.6.5 | Unclear if this is still valid. | +| [OSV-2022-859](https://osv.dev/OSV-2022-859) | bluez | | 5.66 | 5.66 | 5.70 | Unclear if this is still valid. | +| [OSV-2022-842](https://osv.dev/OSV-2022-842) | wolfssl | | 5.5.4 | | | Unclear if this is still valid. 
| +| [OSV-2022-725](https://osv.dev/OSV-2022-725) | libjxl | | 0.8.2 | 0.8.2 | 0.8.2 | Unclear if this is still valid. | +| [OSV-2022-608](https://osv.dev/OSV-2022-608) | libjxl | | 0.8.2 | 0.8.2 | 0.8.2 | Unclear if this is still valid. | +| [OSV-2022-581](https://osv.dev/OSV-2022-581) | qemu | | 8.0.4 | 8.1.2 | 8.1.2 | Unclear if this is still valid. | +| [OSV-2022-530](https://osv.dev/OSV-2022-530) | espeak-ng | | 1.51.1 | 1.51.1 | 1.51.1 | Unclear if this is still valid. | +| [OSV-2022-519](https://osv.dev/OSV-2022-519) | espeak-ng | | 1.51.1 | 1.51.1 | 1.51.1 | Unclear if this is still valid. | +| [OSV-2022-462](https://osv.dev/OSV-2022-462) | espeak-ng | | 1.51.1 | 1.51.1 | 1.51.1 | Unclear if this is still valid. | +| [OSV-2022-394](https://osv.dev/OSV-2022-394) | opencv | | 4.7.0 | 4.7.0 | 4.8.1 | No attention from upstream: [link](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47190). | +| [OSV-2022-193](https://osv.dev/OSV-2022-193) | w3m | | 0.5.3+git2023012 | 0.5.3+git2023012 | 0.5.3+git2023012 | Unclear if this is still valid. | +| [OSV-2021-1157](https://osv.dev/OSV-2021-1157) | espeak-ng | | 1.51.1 | 1.51.1 | 1.51.1 | Unclear if this is still valid. | +| [OSV-2021-1141](https://osv.dev/OSV-2021-1141) | espeak-ng | | 1.51.1 | 1.51.1 | 1.51.1 | Unclear if this is still valid. | +| [OSV-2021-1110](https://osv.dev/OSV-2021-1110) | espeak-ng | | 1.51.1 | 1.51.1 | 1.51.1 | Unclear if this is still valid. | +| [OSV-2021-1041](https://osv.dev/OSV-2021-1041) | espeak-ng | | 1.51.1 | 1.51.1 | 1.51.1 | Unclear if this is still valid. | +| [OSV-2021-1024](https://osv.dev/OSV-2021-1024) | espeak-ng | | 1.51.1 | 1.51.1 | 1.51.1 | Unclear if this is still valid. | +| [OSV-2021-802](https://osv.dev/OSV-2021-802) | espeak-ng | | 1.51.1 | 1.51.1 | 1.51.1 | Unclear if this is still valid. | +| [OSV-2021-787](https://osv.dev/OSV-2021-787) | espeak-ng | | 1.51.1 | 1.51.1 | 1.51.1 | Unclear if this is still valid. 
| +| [OSV-2021-765](https://osv.dev/OSV-2021-765) | espeak-ng | | 1.51.1 | 1.51.1 | 1.51.1 | Unclear if this is still valid. | +| [OSV-2021-508](https://osv.dev/OSV-2021-508) | libsass | | 3.6.5 | 3.6.5 | 3.6.5 | Unclear if this is still valid. | +| [OSV-2020-1610](https://osv.dev/OSV-2020-1610) | openexr | | 2.5.8 | 3.2.0 | 3.2.1 | | +| [OSV-2020-1420](https://osv.dev/OSV-2020-1420) | libsass | | 3.6.5 | 3.6.5 | 3.6.5 | | +| [OSV-2020-862](https://osv.dev/OSV-2020-862) | libsass | | 3.6.5 | 3.6.5 | 3.6.5 | | +| [OSV-2020-822](https://osv.dev/OSV-2020-822) | jbig2dec | | 0.19 | 0.19 | 0.20 | | +| [OSV-2020-521](https://osv.dev/OSV-2020-521) | aspell | | 0.60.8 | 0.60.8 | 0.60.8 | | +| [OSV-2020-438](https://osv.dev/OSV-2020-438) | capstone | | 4.0.2 | 4.0.2 | 5.0.1 | | + + + +## Whitelisted Vulnerabilities + +Following table lists vulnerabilities that would otherwise have been included to the report, but were left out due to whitelisting. + +
+Whitelisted vulnerabilities +
+ +| vuln_id | package | severity | version_local | comment | +|-----------------------------------------------------------------------|------------|------------|------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| [CVE-2023-41330](https://nvd.nist.gov/vuln/detail/CVE-2023-41330) | snappy | 9.8 | 1.1.10 | Incorrect package: Issue concerns snappy php library: [link](https://github.com/KnpLabs/snappy), whereas, nixpkgs "snappy" refers snappy compression library: [link](https://google.github.io/snappy/). Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: [link](https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96). | +| [CVE-2023-29405](https://nvd.nist.gov/vuln/detail/CVE-2023-29405) | go | 9.8 | 1.17.13-linux-am | See the discussion in: [link](https://github.com/NixOS/nixpkgs/pull/241776). | +| [CVE-2023-29404](https://nvd.nist.gov/vuln/detail/CVE-2023-29404) | go | 9.8 | 1.17.13-linux-am | See the discussion in: [link](https://github.com/NixOS/nixpkgs/pull/241776). | +| [CVE-2023-29402](https://nvd.nist.gov/vuln/detail/CVE-2023-29402) | go | 9.8 | 1.17.13-linux-am | See the discussion in: [link](https://github.com/NixOS/nixpkgs/pull/241776). 
| +| [CVE-2023-28115](https://nvd.nist.gov/vuln/detail/CVE-2023-28115) | snappy | 9.8 | 1.1.10 | Incorrect package: Issue concerns snappy php library: [link](https://github.com/KnpLabs/snappy), whereas, nixpkgs "snappy" refers snappy compression library: [link](https://google.github.io/snappy/). Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: [link](https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96). | +| [CVE-2023-24540](https://nvd.nist.gov/vuln/detail/CVE-2023-24540) | go | 9.8 | 1.17.13-linux-am | See the discussion in: [link](https://github.com/NixOS/nixpkgs/pull/241776). | +| [CVE-2023-24538](https://nvd.nist.gov/vuln/detail/CVE-2023-24538) | go | 9.8 | 1.17.13-linux-am | See the discussion in: [link](https://github.com/NixOS/nixpkgs/pull/241776). | +| [CVE-2022-28321](https://nvd.nist.gov/vuln/detail/CVE-2022-28321) | linux-pam | 9.8 | 1.5.2 | Only impacts SUSE-specific patch version. Notice: repology package name is pam: [link](https://repology.org/project/pam/versions). | +| [CVE-2021-4336](https://nvd.nist.gov/vuln/detail/CVE-2021-4336) | ninja | 9.8 | 1.11.1 | Incorrect package: nixpkgs 'ninja' refers [link](https://github.com/ninja-build/ninja), not [link](https://github.com/ITRS-Group/monitor-ninja). | +| [CVE-2018-13410](https://nvd.nist.gov/vuln/detail/CVE-2018-13410) | zip | 9.8 | 3.0 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2018-7263](https://nvd.nist.gov/vuln/detail/CVE-2018-7263) | libmad | 9.8 | 0.15.1b | Based on [link](https://github.com/NixOS/nixpkgs/issues/57154), issue is fixed by [link](https://github.com/NixOS/nixpkgs/commit/92edb0610923fab5a9dcc59b94652f1e8a5ea1ed). | +| [CVE-2016-10141](https://nvd.nist.gov/vuln/detail/CVE-2016-10141) | mujs | 9.8 | 1.3.3 | NVD data issue: CPE entry does not correctly state the version numbers. 
| +| [CVE-2016-10133](https://nvd.nist.gov/vuln/detail/CVE-2016-10133) | mujs | 9.8 | 1.3.3 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2016-7504](https://nvd.nist.gov/vuln/detail/CVE-2016-7504) | mujs | 9.8 | 1.3.3 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2022-36882](https://nvd.nist.gov/vuln/detail/CVE-2022-36882) | git | 8.8 | 2.40.1 | Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: [link](https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96). | +| [CVE-2022-36073](https://nvd.nist.gov/vuln/detail/CVE-2022-36073) | rubygems | 8.8 | 3.4.13 | Latest impacted version in 3.x is 3.0.4. | +| [CVE-2022-26592](https://nvd.nist.gov/vuln/detail/CVE-2022-26592) | libsass | 8.8 | 3.6.5 | Pending upstream fix: [link](https://github.com/sass/libsass/issues/3174). | +| [CVE-2021-23169](https://nvd.nist.gov/vuln/detail/CVE-2021-23169) | openexr | 8.8 | 2.5.8 | False positive to the NVD data issue. Fixed in openexr 2.5.8. Upstream fix PR [link](https://github.com/AcademySoftwareFoundation/openexr/pull/1040) which went to 2.5.7. | +| [CVE-2018-6553](https://nvd.nist.gov/vuln/detail/CVE-2018-6553) | cups | 8.8 | 2.4.7 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2018-6553](https://nvd.nist.gov/vuln/detail/CVE-2018-6553) | cups | 8.8 | 2.4.6 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2017-5436](https://nvd.nist.gov/vuln/detail/CVE-2017-5436) | graphite2 | 8.8 | 1.3.14 | NVD data issue: CPE entry does not correctly state the version numbers. 
| +| [CVE-2023-31486](https://nvd.nist.gov/vuln/detail/CVE-2023-31486) | perl | 8.1 | 5.36.0-env | Fixed upstream with [link](https://github.com/chansen/p5-http-tiny/pull/153) and nixpkgs patched the issue already in 08/2022 with [link](https://github.com/NixOS/nixpkgs/pull/187480). | +| [CVE-2023-31486](https://nvd.nist.gov/vuln/detail/CVE-2023-31486) | perl | 8.1 | 5.36.0 | Fixed upstream with [link](https://github.com/chansen/p5-http-tiny/pull/153) and nixpkgs patched the issue already in 08/2022 with [link](https://github.com/NixOS/nixpkgs/pull/187480). | +| [CVE-2022-48434](https://nvd.nist.gov/vuln/detail/CVE-2022-48434) | ffmpeg | 8.1 | 4.4.4 | Scanners get confused by LTS release versions (non-linear version numbers). Upstream fix patch for 4.4.x is merged in 4.4.3 [link](https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/d4b7b3c03ee2baf0166ce49dff17ec9beff684db). | +| [CVE-2022-3965](https://nvd.nist.gov/vuln/detail/CVE-2022-3965) | ffmpeg | 8.1 | 5.1.3 | Scanners get confused by LTS release versions (non-linear version numbers). Upstream fix patch for 5.1.x is merged in 5.1.3 [link](https://github.com/FFmpeg/FFmpeg/commit/7c234248f859baa35e55c3dbbb7a359eae1c5257). | +| [CVE-2022-3964](https://nvd.nist.gov/vuln/detail/CVE-2022-3964) | ffmpeg | 8.1 | 5.1.3 | Scanners get confused by LTS release versions (non-linear version numbers). Upstream fix patch for 4.4.x is merged in 4.4.4 [link](https://github.com/FFmpeg/FFmpeg/commit/ad28b01a141703b831256b712e0613281b15fcf0). | +| [CVE-2022-3964](https://nvd.nist.gov/vuln/detail/CVE-2022-3964) | ffmpeg | 8.1 | 4.4.4 | Scanners get confused by LTS release versions (non-linear version numbers). Upstream fix patch for 4.4.x is merged in 4.4.4 [link](https://github.com/FFmpeg/FFmpeg/commit/ad28b01a141703b831256b712e0613281b15fcf0). | +| [CVE-2019-14586](https://nvd.nist.gov/vuln/detail/CVE-2019-14586) | edk2 | 8 | 202211 | NVD data issue: CPE entry does not correctly state the version numbers. 
| +| [CVE-2023-29403](https://nvd.nist.gov/vuln/detail/CVE-2023-29403) | go | 7.8 | 1.17.13-linux-am | See the discussion in: [link](https://github.com/NixOS/nixpkgs/pull/241776). | +| [CVE-2021-30499](https://nvd.nist.gov/vuln/detail/CVE-2021-30499) | libcaca | 7.8 | 0.99.beta20 | NVD data issue: CPE entry does not correctly state the version numbers. Issue is fixed in v0.99.beta20: [link](https://github.com/cacalabs/libcaca/releases/tag/v0.99.beta20). | +| [CVE-2021-26720](https://nvd.nist.gov/vuln/detail/CVE-2021-26720) | avahi | 7.8 | 0.8 | False positive: issue refers avahi-daemon-check-dns.sh in the Debian avahi package. As such, the issue is specific to Debian and its derivatives. | +| [CVE-2019-14575](https://nvd.nist.gov/vuln/detail/CVE-2019-14575) | edk2 | 7.8 | 202211 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2019-14563](https://nvd.nist.gov/vuln/detail/CVE-2019-14563) | edk2 | 7.8 | 202211 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2017-5628](https://nvd.nist.gov/vuln/detail/CVE-2017-5628) | mujs | 7.8 | 1.3.3 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2017-5627](https://nvd.nist.gov/vuln/detail/CVE-2017-5627) | mujs | 7.8 | 1.3.3 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2016-2226](https://nvd.nist.gov/vuln/detail/CVE-2016-2226) | libiberty | 7.8 | 12.2.0 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2023-24537](https://nvd.nist.gov/vuln/detail/CVE-2023-24537) | go | 7.5 | 1.17.13-linux-am | See the discussion in: [link](https://github.com/NixOS/nixpkgs/pull/241776). | +| [CVE-2023-24536](https://nvd.nist.gov/vuln/detail/CVE-2023-24536) | go | 7.5 | 1.17.13-linux-am | See the discussion in: [link](https://github.com/NixOS/nixpkgs/pull/241776). 
| +| [CVE-2023-24534](https://nvd.nist.gov/vuln/detail/CVE-2023-24534) | go | 7.5 | 1.17.13-linux-am | See the discussion in: [link](https://github.com/NixOS/nixpkgs/pull/241776). | +| [CVE-2022-42969](https://nvd.nist.gov/vuln/detail/CVE-2022-42969) | py | 7.5 | 1.11.0 | Disputed upstream: [link](https://github.com/pytest-dev/py/issues/287#issuecomment-1283567565). | +| [CVE-2022-41725](https://nvd.nist.gov/vuln/detail/CVE-2022-41725) | go | 7.5 | 1.17.13-linux-am | See the discussion in: [link](https://github.com/NixOS/nixpkgs/pull/241776). | +| [CVE-2022-41724](https://nvd.nist.gov/vuln/detail/CVE-2022-41724) | go | 7.5 | 1.17.13-linux-am | See the discussion in: [link](https://github.com/NixOS/nixpkgs/pull/241776). | +| [CVE-2022-41723](https://nvd.nist.gov/vuln/detail/CVE-2022-41723) | go | 7.5 | 1.17.13-linux-am | See the discussion in: [link](https://github.com/NixOS/nixpkgs/pull/241776). | +| [CVE-2022-41722](https://nvd.nist.gov/vuln/detail/CVE-2022-41722) | go | 7.5 | 1.17.13-linux-am | See the discussion in: [link](https://github.com/NixOS/nixpkgs/pull/241776). | +| [CVE-2022-41720](https://nvd.nist.gov/vuln/detail/CVE-2022-41720) | go | 7.5 | 1.17.13-linux-am | See the discussion in: [link](https://github.com/NixOS/nixpkgs/pull/241776). | +| [CVE-2022-41716](https://nvd.nist.gov/vuln/detail/CVE-2022-41716) | go | 7.5 | 1.17.13-linux-am | See the discussion in: [link](https://github.com/NixOS/nixpkgs/pull/241776). | +| [CVE-2022-41715](https://nvd.nist.gov/vuln/detail/CVE-2022-41715) | go | 7.5 | 1.17.13-linux-am | See the discussion in: [link](https://github.com/NixOS/nixpkgs/pull/241776). | +| [CVE-2022-36883](https://nvd.nist.gov/vuln/detail/CVE-2022-36883) | git | 7.5 | 2.40.1 | Incorrect package: Impacts Jenkins git plugin, not git. 
Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: [link](https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96). | +| [CVE-2022-30947](https://nvd.nist.gov/vuln/detail/CVE-2022-30947) | git | 7.5 | 2.40.1 | Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: [link](https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96). | +| [CVE-2022-27664](https://nvd.nist.gov/vuln/detail/CVE-2022-27664) | go | 7.5 | 1.17.13-linux-am | See the discussion in: [link](https://github.com/NixOS/nixpkgs/pull/241776). | +| [CVE-2022-3109](https://nvd.nist.gov/vuln/detail/CVE-2022-3109) | ffmpeg | 7.5 | 4.4.4 | Scanners get confused by LTS release versions (non-linear version numbers). Upstream fix patch for 4.4.x is merged in 4.4.4 [link](https://github.com/FFmpeg/FFmpeg/commit/4d82b7bac42c9d35d4f9f145a85e6cbc1fe914f2). | +| [CVE-2022-2880](https://nvd.nist.gov/vuln/detail/CVE-2022-2880) | go | 7.5 | 1.17.13-linux-am | See the discussion in: [link](https://github.com/NixOS/nixpkgs/pull/241776). | +| [CVE-2022-2879](https://nvd.nist.gov/vuln/detail/CVE-2022-2879) | go | 7.5 | 1.17.13-linux-am | See the discussion in: [link](https://github.com/NixOS/nixpkgs/pull/241776). | +| [CVE-2021-33506](https://nvd.nist.gov/vuln/detail/CVE-2021-33506) | jitsi-meet | 7.5 | 1.0.6943 | Fixed in nixpkgs as mentioned in [link](https://github.com/NixOS/nixpkgs/issues/132134#issuecomment-890319135). | +| [CVE-2019-14559](https://nvd.nist.gov/vuln/detail/CVE-2019-14559) | edk2 | 7.5 | 202211 | NVD data issue: CPE entry does not correctly state the version numbers. 
| +| [CVE-2019-6470](https://nvd.nist.gov/vuln/detail/CVE-2019-6470) | bind | 7.5 | 9.18.19 | Not valid: [link](https://github.com/NixOS/nixpkgs/issues/73617#issuecomment-569491606). | +| [CVE-2019-6470](https://nvd.nist.gov/vuln/detail/CVE-2019-6470) | bind | 7.5 | 9.18.16 | Not valid: [link](https://github.com/NixOS/nixpkgs/issues/73617#issuecomment-569491606). | +| [CVE-2016-10132](https://nvd.nist.gov/vuln/detail/CVE-2016-10132) | mujs | 7.5 | 1.3.3 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2016-9294](https://nvd.nist.gov/vuln/detail/CVE-2016-9294) | mujs | 7.5 | 1.3.3 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2016-9136](https://nvd.nist.gov/vuln/detail/CVE-2016-9136) | mujs | 7.5 | 1.3.3 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2016-9109](https://nvd.nist.gov/vuln/detail/CVE-2016-9109) | mujs | 7.5 | 1.3.3 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2016-9108](https://nvd.nist.gov/vuln/detail/CVE-2016-9108) | mujs | 7.5 | 1.3.3 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2016-9017](https://nvd.nist.gov/vuln/detail/CVE-2016-9017) | mujs | 7.5 | 1.3.3 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2016-7564](https://nvd.nist.gov/vuln/detail/CVE-2016-7564) | mujs | 7.5 | 1.3.3 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2016-7563](https://nvd.nist.gov/vuln/detail/CVE-2016-7563) | mujs | 7.5 | 1.3.3 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2016-7506](https://nvd.nist.gov/vuln/detail/CVE-2016-7506) | mujs | 7.5 | 1.3.3 | NVD data issue: CPE entry does not correctly state the version numbers. 
| +| [CVE-2016-6131](https://nvd.nist.gov/vuln/detail/CVE-2016-6131) | libiberty | 7.5 | 12.2.0 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2023-29400](https://nvd.nist.gov/vuln/detail/CVE-2023-29400) | go | 7.3 | 1.17.13-linux-am | See the discussion in: [link](https://github.com/NixOS/nixpkgs/pull/241776). | +| [CVE-2023-24539](https://nvd.nist.gov/vuln/detail/CVE-2023-24539) | go | 7.3 | 1.17.13-linux-am | See the discussion in: [link](https://github.com/NixOS/nixpkgs/pull/241776). | +| [CVE-2019-12749](https://nvd.nist.gov/vuln/detail/CVE-2019-12749) | dbus | 7.1 | 1 | Fixed with [link](https://github.com/NixOS/nixpkgs/pull/63021) (dbus version '1' in nixpkgs currently refers 1.14.8). | +| [CVE-2014-4860](https://nvd.nist.gov/vuln/detail/CVE-2014-4860) | edk2 | 6.8 | 202211 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2014-4859](https://nvd.nist.gov/vuln/detail/CVE-2014-4859) | edk2 | 6.8 | 202211 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2022-26691](https://nvd.nist.gov/vuln/detail/CVE-2022-26691) | cups | 6.7 | 2.4.7 | Fixed in nixpkgs with PR: [link](https://github.com/NixOS/nixpkgs/pull/174898). | +| [CVE-2022-26691](https://nvd.nist.gov/vuln/detail/CVE-2022-26691) | cups | 6.7 | 2.4.6 | Fixed in nixpkgs with PR: [link](https://github.com/NixOS/nixpkgs/pull/174898). | +| [CVE-2023-29406](https://nvd.nist.gov/vuln/detail/CVE-2023-29406) | go | 6.5 | 1.17.13-linux-am | See the discussion in: [link](https://github.com/NixOS/nixpkgs/pull/241776). | +| [CVE-2023-3603](https://nvd.nist.gov/vuln/detail/CVE-2023-3603) | libssh | 6.5 | 0.10.5 | Based on [link](https://security-tracker.debian.org/tracker/CVE-2023-3603) and [link](https://bugzilla.redhat.com/show_bug.cgi?id=2221791), vulnerable code is not present in 0.10.5 or any currently released version. 
| +| [CVE-2022-38663](https://nvd.nist.gov/vuln/detail/CVE-2022-38663) | git | 6.5 | 2.40.1 | Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: [link](https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96). | +| [CVE-2022-37416](https://nvd.nist.gov/vuln/detail/CVE-2022-37416) | libmpeg2 | 6.5 | 0.5.1 | NVD data issue: concerns Android only. | +| [CVE-2022-0856](https://nvd.nist.gov/vuln/detail/CVE-2022-0856) | libcaca | 6.5 | 0.99.beta20 | Crash in CLI tool, no security impact. | +| [CVE-2020-24490](https://nvd.nist.gov/vuln/detail/CVE-2020-24490) | bluez | 6.5 | 5.66 | Fixed in linux kernel (5.8) with: [link](https://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next.git/commit/?id=a2ec905d1e160a33b2e210e45ad30445ef26ce0e). | +| [CVE-2019-14900](https://nvd.nist.gov/vuln/detail/CVE-2019-14900) | fuse | 6.5 | 3.11.0 | Incorrect package: Issue concerns redhat fuse ([link](https://developers.redhat.com/products/fuse/overview)) not libfuse [link](https://github.com/libfuse/libfuse/) which is what 'fuse' package in nixpkgs refers. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives. | +| [CVE-2019-14900](https://nvd.nist.gov/vuln/detail/CVE-2019-14900) | fuse | 6.5 | 2.9.9-closefrom- | Incorrect package: Issue concerns redhat fuse ([link](https://developers.redhat.com/products/fuse/overview)) not libfuse [link](https://github.com/libfuse/libfuse/) which is what 'fuse' package in nixpkgs refers. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives. 
| +| [CVE-2019-14900](https://nvd.nist.gov/vuln/detail/CVE-2019-14900) | fuse | 6.5 | 2.9.9 | Incorrect package: Issue concerns redhat fuse ([link](https://developers.redhat.com/products/fuse/overview)) not libfuse [link](https://github.com/libfuse/libfuse/) which is what 'fuse' package in nixpkgs refers. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives. | +| [CVE-2019-14860](https://nvd.nist.gov/vuln/detail/CVE-2019-14860) | fuse | 6.5 | 3.11.0 | Incorrect package: Issue concerns redhat fuse ([link](https://developers.redhat.com/products/fuse/overview)) not libfuse [link](https://github.com/libfuse/libfuse/) which is what 'fuse' package in nixpkgs refers. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives. | +| [CVE-2019-14860](https://nvd.nist.gov/vuln/detail/CVE-2019-14860) | fuse | 6.5 | 2.9.9-closefrom- | Incorrect package: Issue concerns redhat fuse ([link](https://developers.redhat.com/products/fuse/overview)) not libfuse [link](https://github.com/libfuse/libfuse/) which is what 'fuse' package in nixpkgs refers. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives. | +| [CVE-2019-14860](https://nvd.nist.gov/vuln/detail/CVE-2019-14860) | fuse | 6.5 | 2.9.9 | Incorrect package: Issue concerns redhat fuse ([link](https://developers.redhat.com/products/fuse/overview)) not libfuse [link](https://github.com/libfuse/libfuse/) which is what 'fuse' package in nixpkgs refers. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives. | +| [CVE-2019-14587](https://nvd.nist.gov/vuln/detail/CVE-2019-14587) | edk2 | 6.5 | 202211 | NVD data issue: CPE entry does not correctly state the version numbers. 
| +| [CVE-2019-12067](https://nvd.nist.gov/vuln/detail/CVE-2019-12067) | qemu | 6.5 | 8.0.5 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2019-12067](https://nvd.nist.gov/vuln/detail/CVE-2019-12067) | qemu | 6.5 | 8.0.4 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2019-6462](https://nvd.nist.gov/vuln/detail/CVE-2019-6462) | cairo | 6.5 | 1.16.0 | Not a valid: [link](https://github.com/NixOS/nixpkgs/pull/218039#issuecomment-1445460129). | +| [CVE-2019-6461](https://nvd.nist.gov/vuln/detail/CVE-2019-6461) | cairo | 6.5 | 1.16.0 | Not valid: [link](https://github.com/NixOS/nixpkgs/pull/218039#issuecomment-1445460129). | +| [CVE-2016-2781](https://nvd.nist.gov/vuln/detail/CVE-2016-2781) | coreutils | 6.5 | 9.1 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2018-1000182](https://nvd.nist.gov/vuln/detail/CVE-2018-1000182) | git | 6.4 | 2.40.1 | Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: [link](https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96). | +| [CVE-2021-39205](https://nvd.nist.gov/vuln/detail/CVE-2021-39205) | jitsi-meet | 6.1 | 1.0.6943 | Does not impact the version in nixpkgs as mentioned in [link](https://github.com/NixOS/nixpkgs/issues/142979#issuecomment-964291845). | +| [CVE-2021-21684](https://nvd.nist.gov/vuln/detail/CVE-2021-21684) | git | 6.1 | 2.40.1 | Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: [link](https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96). 
| +| [CVE-2023-31974](https://nvd.nist.gov/vuln/detail/CVE-2023-31974) | yasm | 5.5 | 1.3.0 | Crash in CLI tool, no security impact. | +| [CVE-2023-31973](https://nvd.nist.gov/vuln/detail/CVE-2023-31973) | yasm | 5.5 | 1.3.0 | Crash in CLI tool, no security impact. | +| [CVE-2023-31972](https://nvd.nist.gov/vuln/detail/CVE-2023-31972) | yasm | 5.5 | 1.3.0 | Crash in CLI tool, no security impact. | +| [CVE-2023-30402](https://nvd.nist.gov/vuln/detail/CVE-2023-30402) | yasm | 5.5 | 1.3.0 | Crash in CLI tool, no security impact. | +| [CVE-2021-33468](https://nvd.nist.gov/vuln/detail/CVE-2021-33468) | yasm | 5.5 | 1.3.0 | Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'. | +| [CVE-2021-33467](https://nvd.nist.gov/vuln/detail/CVE-2021-33467) | yasm | 5.5 | 1.3.0 | Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'. | +| [CVE-2021-33466](https://nvd.nist.gov/vuln/detail/CVE-2021-33466) | yasm | 5.5 | 1.3.0 | Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'. | +| [CVE-2021-33465](https://nvd.nist.gov/vuln/detail/CVE-2021-33465) | yasm | 5.5 | 1.3.0 | Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'. | +| [CVE-2021-33464](https://nvd.nist.gov/vuln/detail/CVE-2021-33464) | yasm | 5.5 | 1.3.0 | Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'. | +| [CVE-2021-33463](https://nvd.nist.gov/vuln/detail/CVE-2021-33463) | yasm | 5.5 | 1.3.0 | Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'. | +| [CVE-2021-33462](https://nvd.nist.gov/vuln/detail/CVE-2021-33462) | yasm | 5.5 | 1.3.0 | Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'. 
| +| [CVE-2021-33461](https://nvd.nist.gov/vuln/detail/CVE-2021-33461) | yasm | 5.5 | 1.3.0 | Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'. | +| [CVE-2021-33460](https://nvd.nist.gov/vuln/detail/CVE-2021-33460) | yasm | 5.5 | 1.3.0 | Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'. | +| [CVE-2021-33459](https://nvd.nist.gov/vuln/detail/CVE-2021-33459) | yasm | 5.5 | 1.3.0 | Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'. | +| [CVE-2021-33458](https://nvd.nist.gov/vuln/detail/CVE-2021-33458) | yasm | 5.5 | 1.3.0 | Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'. | +| [CVE-2021-33457](https://nvd.nist.gov/vuln/detail/CVE-2021-33457) | yasm | 5.5 | 1.3.0 | Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'. | +| [CVE-2021-33456](https://nvd.nist.gov/vuln/detail/CVE-2021-33456) | yasm | 5.5 | 1.3.0 | Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'. | +| [CVE-2021-33455](https://nvd.nist.gov/vuln/detail/CVE-2021-33455) | yasm | 5.5 | 1.3.0 | Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'. | +| [CVE-2021-33454](https://nvd.nist.gov/vuln/detail/CVE-2021-33454) | yasm | 5.5 | 1.3.0 | Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'. | +| [CVE-2021-26945](https://nvd.nist.gov/vuln/detail/CVE-2021-26945) | openexr | 5.5 | 2.5.8 | Fix patch [link](https://github.com/AcademySoftwareFoundation/openexr/pull/930/commits/b73ec53bd24ba116d7bf48ebdc868301c596706e) modifies a file that is not available in openexr 2. Thus, the fix doesn't apply to 2.5.8. 
| +| [CVE-2021-26260](https://nvd.nist.gov/vuln/detail/CVE-2021-26260) | openexr | 5.5 | 2.5.8 | False positive to the NVD data issue. Fixed in openexr 2.5.8. Upstream fix PR [link](https://github.com/AcademySoftwareFoundation/openexr/commit/4212416433a230334cef0ac122cb8d722746035d) which went to 2.5.5. | +| [CVE-2021-23215](https://nvd.nist.gov/vuln/detail/CVE-2021-23215) | openexr | 5.5 | 2.5.8 | False positive to the NVD data issue. Fixed in openexr 2.5.8. Upstream fix PR [link](https://github.com/AcademySoftwareFoundation/openexr/commit/4212416433a230334cef0ac122cb8d722746035d) which went to 2.5.5. | +| [CVE-2021-20255](https://nvd.nist.gov/vuln/detail/CVE-2021-20255) | qemu | 5.5 | 8.0.5 | Upstream patch not merged: [link](https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg06098.html). No point fixing this in nixpkgs as long as it is not fixed upstream. | +| [CVE-2021-20255](https://nvd.nist.gov/vuln/detail/CVE-2021-20255) | qemu | 5.5 | 8.0.4 | Upstream patch not merged: [link](https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg06098.html). No point fixing this in nixpkgs as long as it is not fixed upstream. | +| [CVE-2021-3605](https://nvd.nist.gov/vuln/detail/CVE-2021-3605) | openexr | 5.5 | 2.5.8 | False positive to the NVD data issue. Fixed in openexr 2.5.8. Upstream fix PR [link](https://github.com/AcademySoftwareFoundation/openexr/pull/1040) which went to 2.5.7. | +| [CVE-2021-3598](https://nvd.nist.gov/vuln/detail/CVE-2021-3598) | openexr | 5.5 | 2.5.8 | False positive to the NVD data issue. Fixed in openexr 2.5.8. Upstream fix PR [link](https://github.com/AcademySoftwareFoundation/openexr/pull/1040) which went to 2.5.7. | +| [CVE-2019-20633](https://nvd.nist.gov/vuln/detail/CVE-2019-20633) | patch | 5.5 | 2.7.6 | Upstream patch is not merged: [link](https://savannah.gnu.org/bugs/index.php?56683). Not sure why this isn't fixed upstream. No point fixing this in nixpkgs as long as it is not fixed upstream. 
| +| [CVE-2019-14562](https://nvd.nist.gov/vuln/detail/CVE-2019-14562) | edk2 | 5.5 | 202211 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2019-6293](https://nvd.nist.gov/vuln/detail/CVE-2019-6293) | flex | 5.5 | 2.6.4 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2018-18438](https://nvd.nist.gov/vuln/detail/CVE-2018-18438) | qemu | 5.5 | 8.0.5 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2018-18438](https://nvd.nist.gov/vuln/detail/CVE-2018-18438) | qemu | 5.5 | 8.0.4 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2016-4493](https://nvd.nist.gov/vuln/detail/CVE-2016-4493) | libiberty | 5.5 | 12.2.0 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2016-4491](https://nvd.nist.gov/vuln/detail/CVE-2016-4491) | libiberty | 5.5 | 12.2.0 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2016-4490](https://nvd.nist.gov/vuln/detail/CVE-2016-4490) | libiberty | 5.5 | 12.2.0 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2016-4489](https://nvd.nist.gov/vuln/detail/CVE-2016-4489) | libiberty | 5.5 | 12.2.0 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2016-4488](https://nvd.nist.gov/vuln/detail/CVE-2016-4488) | libiberty | 5.5 | 12.2.0 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2016-4487](https://nvd.nist.gov/vuln/detail/CVE-2016-4487) | libiberty | 5.5 | 12.2.0 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2015-7313](https://nvd.nist.gov/vuln/detail/CVE-2015-7313) | libtiff | 5.5 | 4.5.1 | NVD data issue: CPE entry does not correctly state the version numbers. 
| +| [CVE-2023-24532](https://nvd.nist.gov/vuln/detail/CVE-2023-24532) | go | 5.3 | 1.17.13-linux-am | See the discussion in: [link](https://github.com/NixOS/nixpkgs/pull/241776). | +| [CVE-2022-41717](https://nvd.nist.gov/vuln/detail/CVE-2022-41717) | go | 5.3 | 1.17.13-linux-am | See the discussion in: [link](https://github.com/NixOS/nixpkgs/pull/241776). | +| [CVE-2022-36884](https://nvd.nist.gov/vuln/detail/CVE-2022-36884) | git | 5.3 | 2.40.1 | Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: [link](https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96). | +| [CVE-2022-30949](https://nvd.nist.gov/vuln/detail/CVE-2022-30949) | git | 5.3 | 2.40.1 | Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: [link](https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96). | +| [CVE-2022-3341](https://nvd.nist.gov/vuln/detail/CVE-2022-3341) | ffmpeg | 5.3 | 4.4.4 | Scanners get confused by LTS release versions (non-linear version numbers). Upstream fix patch for 4.4.x is merged in 4.4.4 [link](https://github.com/FFmpeg/FFmpeg/commit/c513bd48039a718dabf6d7a829efb6732693c04b). | +| [CVE-2020-16194](https://nvd.nist.gov/vuln/detail/CVE-2020-16194) | quote | 5.3 | 1.0.33 | Incorrect package: Issue concerns prestashop product: [link](https://prestashop.com/), whereas, nixpkgs "quote" refers rust package 'quote': [link](https://docs.rs/quote/latest/quote/). 
| +| [CVE-2020-16194](https://nvd.nist.gov/vuln/detail/CVE-2020-16194) | quote | 5.3 | 1.0.21 | Incorrect package: Issue concerns prestashop product: [link](https://prestashop.com/), whereas, nixpkgs "quote" refers rust package 'quote': [link](https://docs.rs/quote/latest/quote/). | +| [CVE-2020-16194](https://nvd.nist.gov/vuln/detail/CVE-2020-16194) | quote | 5.3 | 1.0.20 | Incorrect package: Issue concerns prestashop product: [link](https://prestashop.com/), whereas, nixpkgs "quote" refers rust package 'quote': [link](https://docs.rs/quote/latest/quote/). | +| [CVE-2018-1000110](https://nvd.nist.gov/vuln/detail/CVE-2018-1000110) | git | 5.3 | 2.40.1 | Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: [link](https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96). | +| [CVE-2019-14553](https://nvd.nist.gov/vuln/detail/CVE-2019-14553) | edk2 | 4.9 | 202211 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2016-4492](https://nvd.nist.gov/vuln/detail/CVE-2016-4492) | libiberty | 4.4 | 12.2.0 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2019-1003010](https://nvd.nist.gov/vuln/detail/CVE-2019-1003010) | git | 4.3 | 2.40.1 | Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: [link](https://github.com/nix-community/vulnix/blob/f56f3ac857626171b95e51d98cb6874278f789d3/src/vulnix/vulnerability.py#L90-L96). | +| [CVE-2023-31975](https://nvd.nist.gov/vuln/detail/CVE-2023-31975) | yasm | 3.3 | 1.3.0 | Memory leak in CLI tool, no security impact. 
| +| [CVE-2022-3219](https://nvd.nist.gov/vuln/detail/CVE-2022-3219) | gnupg | 3.3 | 2.4.0 | Fix patch is not accepted upstream: [link](https://dev.gnupg.org/D556). | +| [CVE-2021-4217](https://nvd.nist.gov/vuln/detail/CVE-2021-4217) | unzip | 3.3 | 6.0 | Ignored by other distribution as 'no security impact', e.g. Debian: [link](https://security-tracker.debian.org/tracker/CVE-2021-4217). | +| [GHSA-6898-wx94-8jq8](https://osv.dev/GHSA-6898-wx94-8jq8) | libnotify | | 0.8.2 | Incorrect package: Issue refers node-libnotify [link](https://github.com/mytrile/node-libnotify), whereas nixpkgs refers gnome-libnotify [link](https://gitlab.gnome.org/GNOME/libnotify). | +| [GHSA-wrrj-h57r-vx9p](https://osv.dev/GHSA-wrrj-h57r-vx9p) | cargo | | 1.69.0 | Duplicate to CVE-2023-40030. | +| [OSV-2023-137](https://osv.dev/OSV-2023-137) | harfbuzz | | 7.2.0 | Based on [link](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=56510#c2), the issue is fixed in range [link](https://github.com/harfbuzz/harfbuzz/compare/67e01c1292821e7b6fc2ab13acddb84ab41b2187...60841e26187576bff477c1a09ee2ffe544844abc) all of which have been merged in 7.1.0. | +| [PYSEC-2022-42969](https://osv.dev/PYSEC-2022-42969) | py | | 1.11.0 | Same as CVE-2022-42969. | +| [MAL-2022-4301](https://osv.dev/MAL-2022-4301) | libidn2 | | 2.3.4 | Incorrect package: Issue refers npm libidn2, whereas, nixpkgs refers libidn2 [link](https://gitlab.com/libidn/libidn2). | +| [OSV-2022-1193](https://osv.dev/OSV-2022-1193) | libarchive | | 3.6.2 | Fixed based on [link](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=53594#c3). | +| [OSV-2022-416](https://osv.dev/OSV-2022-416) | openjpeg | | 2.5.0 | Fixed based on [link](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47500#c2). | +| [OSV-2022-183](https://osv.dev/OSV-2022-183) | binutils | | 2.40 | Fixed based on [link](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=44864#c2). 
| +| [GHSA-mc7w-4cjf-c973](https://osv.dev/GHSA-mc7w-4cjf-c973) | opencv | | 4.7.0 | Incorrect package: Issue refers node-opencv, whereas, nixpkgs refers opencv [link](https://github.com/opencv/opencv). | +| [OSV-2021-820](https://osv.dev/OSV-2021-820) | qemu | | 8.0.5 | Fixed based on [link](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=34831#c2). | +| [OSV-2021-820](https://osv.dev/OSV-2021-820) | qemu | | 8.0.4 | Fixed based on [link](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=34831#c2). | +| [OSV-2021-777](https://osv.dev/OSV-2021-777) | libxml2 | | 2.10.4 | Fixed by [link](https://gitlab.gnome.org/GNOME/libxml2/-/commit/8f5ccada05ddd4a1ff8e399ad39fc7cd4bd33325), which went to 2.9.13. Therefore, this issue is fixed in 2.10.4. | +| [GHSA-f698-m2v9-5fh3](https://osv.dev/GHSA-f698-m2v9-5fh3) | opencv | | 4.7.0 | Incorrect package: issue refers node-opencv [link](https://www.npmjs.com/package/opencv), whereas nixpkgs refers [link](https://github.com/opencv/opencv). | +| [CVE-2014-9157](https://nvd.nist.gov/vuln/detail/CVE-2014-9157) | graphviz | | 7.1.0 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2012-3509](https://nvd.nist.gov/vuln/detail/CVE-2012-3509) | libiberty | | 12.2.0 | NVD data issue: CPE entry does not correctly state the version numbers. | +| [CVE-2010-4226](https://nvd.nist.gov/vuln/detail/CVE-2010-4226) | cpio | | 2.14 | NVD data issue: concerns OpenSuSE, not cpio. | + +
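Review bot: The version column for both go rows (CVE-2023-24532 and CVE-2022-41717) reads `1.17.13-linux-am`, which looks like a truncated version string rather than the package's actual version; worth checking how ghafscan extracts the version for this package before the generated report is committed, since readers use that column to verify the whitelisted justification. Also note this report content is produced by the `git-auto-commit-action` step in the workflow, so whatever is committed here by hand will be replaced on the next scheduled run; the manually reviewed reasons (for example the repeated "Incorrect package: Impacts Jenkins git plugin, not git" rows and the three `quote` rows for CVE-2020-16194 at 1.0.33/1.0.21/1.0.20) should therefore live in `manual_analysis.csv`, which this diff does not change.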
