Conversation

@jlsec-bot
Contributor

This action searched --project=zlib, checking 13 (+0) advisories from NVD and 0 (+3) from EUVD for advisories that pertain here. It identified 5 advisories as being related to the Julia package(s): Zlib_jll, Openresty_jll, GCCBootstrap_jll, CURL_jll, LibCURL_jll, boost_jll, and Python_jll.

3 advisories apply to all registered versions of a package

These advisories had no obvious failures but computed a range without bounds.

  • CVE-2018-25032 for packages: Python_jll, Zlib_jll, Openresty_jll, and GCCBootstrap_jll
    • Python_jll computed ["< 3.10.7+0"]. Its latest version (3.11.12+0) has components: {"python:idle" = "3.11.12", python = "3.11.12"}
    • Zlib_jll computed ["< 1.2.12+3"]. Its latest version (1.3.1+2) has components: {zlib = "1.3.1"}
    • MariaDB_Connector_C_jll has no vulnerable versions; some versions contain vulnerable mariadb:mariadb. Its latest version (3.3.9+0) has components: {mariadb-connector-c = "3.3.9"}
    • Openresty_jll computed ["< 1.21.4+0"]. Its latest version (1.27.1+0) has components: {openresty = "1.27.1.1", openssl = "3.0.15", pcre = "8.45", zlib = "1.3.1"}
    • GCCBootstrap_jll computed ["*"]. Its latest version (9.4.0+0) has components: {mingw-w64-headers = "9.0.0", gettext = "0.21", crosstool-ng = "1.25.0_rc1", isl = "0.24", gmp = "6.2.1", gnumpc = "1.2.1", zlib = "1.2.11", libiconv = "1.16", mpfr = "4.1.0", musl = "1.2.2"}
      • zlib:zlib at >= 1.2.2.2, < 1.2.12 includes all versions
  • CVE-2022-37434 for packages: Zlib_jll, Openresty_jll, and GCCBootstrap_jll
    • Zlib_jll computed ["< 1.2.13+0"]. Its latest version (1.3.1+2) has components: {zlib = "1.3.1"}
    • Openresty_jll computed ["< 1.27.1+0"]. Its latest version (1.27.1+0) has components: {openresty = "1.27.1.1", openssl = "3.0.15", pcre = "8.45", zlib = "1.3.1"}
    • GCCBootstrap_jll computed ["*"]. Its latest version (9.4.0+0) has components: {mingw-w64-headers = "9.0.0", gettext = "0.21", crosstool-ng = "1.25.0_rc1", isl = "0.24", gmp = "6.2.1", gnumpc = "1.2.1", zlib = "1.2.11", libiconv = "1.16", mpfr = "4.1.0", musl = "1.2.2"}
      • zlib:zlib at <= 1.2.12 includes all versions
  • CVE-2023-45853 for packages: Zlib_jll, Openresty_jll, and GCCBootstrap_jll
    • Zlib_jll computed ["< 1.3.1+0"]. Its latest version (1.3.1+2) has components: {zlib = "1.3.1"}
    • Openresty_jll computed ["< 1.27.1+0"]. Its latest version (1.27.1+0) has components: {openresty = "1.27.1.1", openssl = "3.0.15", pcre = "8.45", zlib = "1.3.1"}
    • GCCBootstrap_jll computed ["*"]. Its latest version (9.4.0+0) has components: {mingw-w64-headers = "9.0.0", gettext = "0.21", crosstool-ng = "1.25.0_rc1", isl = "0.24", gmp = "6.2.1", gnumpc = "1.2.1", zlib = "1.2.11", libiconv = "1.16", mpfr = "4.1.0", musl = "1.2.2"}
      • zlib:zlib at < 1.3.1 includes all versions

2 advisories found concrete vulnerable ranges

  • CVE-2016-9840 for packages: boost_jll
    • GCCBootstrap_jll has no vulnerable versions; some versions contain vulnerable zlib:zlib. Its latest version (9.4.0+0) has components: {mingw-w64-headers = "9.0.0", gettext = "0.21", crosstool-ng = "1.25.0_rc1", isl = "0.24", gmp = "6.2.1", gnumpc = "1.2.1", zlib = "1.2.11", libiconv = "1.16", mpfr = "4.1.0", musl = "1.2.2"}
    • libnode_jll has no vulnerable versions; some versions contain vulnerable nodejs:node.js. Its latest version (18.12.1+0) has components: {node-v = "18.12.1", nodejs = "18.12.1"}
    • Zlib_jll has no vulnerable versions; some versions contain vulnerable zlib:zlib. Its latest version (1.3.1+2) has components: {zlib = "1.3.1"}
    • Openresty_jll has no vulnerable versions; some versions contain vulnerable zlib:zlib. Its latest version (1.27.1+0) has components: {openresty = "1.27.1.1", openssl = "3.0.15", pcre = "8.45", zlib = "1.3.1"}
    • boost_jll computed ["< 1.79.0+0"]. Its latest version (1.87.0+0) has components: {boost = "1.87.0"}
  • CVE-2025-0725 for packages: CURL_jll and LibCURL_jll
    • CURL_jll computed ["< 8.13.0+0"]. Its latest version (8.16.0+0) has components: {curl = "8.16.0"}
    • LibCURL_jll computed ["< 8.12.0+0"]. Its latest version (8.16.0+0) has components: {curl = "8.16.0"}
