Mon Oct 16 10:28:51 2023 UTC ()

Fix pattern for protobuf-c CVE-2022-33070 (applies to <=1.4.0).


(he)

diff -r1.47 -r1.48 pkgsrc/doc/pkg-vulnerabilities

--- pkgsrc/doc/pkg-vulnerabilities 2023/10/14 09:40:47 1.47
+++ pkgsrc/doc/pkg-vulnerabilities 2023/10/16 10:28:51 1.48

 @@ -1,14 +1,14 @@
-# $NetBSD: pkg-vulnerabilities,v 1.47 2023/10/14 09:40:47 wiz Exp $
+# $NetBSD: pkg-vulnerabilities,v 1.48 2023/10/16 10:28:51 he Exp $
+#
 #FORMAT 1.0.0
+#
 # Please read "Handling packages with security problems" in the pkgsrc
 # guide before editing this file.
+#
 # Note: NEVER remove entries from this file; this should document *all*
 # known package vulnerabilities so it is entirely appropriate to have
 # multiple entries in this file for a single package, and to contain
 # entries for packages which have been removed from pkgsrc.
+#
 # New entries should be added at the end of this file.
+#
 @@ -23585,27 +23585,27 @@ php81-mysql<8.1.7	remote-code-execution
 php{56,74,80,81}-nextcloud<23.0.3	security-bypass		https://nvd.nist.gov/vuln/detail/CVE-2022-29163
 php{56,74,80,81}-nextcloud<23.0.4	denial-of-service	https://nvd.nist.gov/vuln/detail/CVE-2022-29243
 php{56,74,80,81}-owncloud<10.10.0	sensitive-information-disclosure	https://nvd.nist.gov/vuln/detail/CVE-2022-31649
 php74-pgsql<7.4.30	remote-code-execution	https://nvd.nist.gov/vuln/detail/CVE-2022-31625
 php80-pgsql<8.0.20	remote-code-execution	https://nvd.nist.gov/vuln/detail/CVE-2022-31625
 php81-pgsql<8.1.7	remote-code-execution	https://nvd.nist.gov/vuln/detail/CVE-2022-31625
 php{56,74,80,81}-piwigo<2.10.0	sql-injection	https://nvd.nist.gov/vuln/detail/CVE-2020-19212
 php{56,74,80,81}-piwigo<2.10.0	sql-injection	https://nvd.nist.gov/vuln/detail/CVE-2020-19213
 php{56,74,80,81}-piwigo<2.10.0	sql-injection	https://nvd.nist.gov/vuln/detail/CVE-2020-19215
 php{56,74,80,81}-piwigo<2.10.0	sql-injection	https://nvd.nist.gov/vuln/detail/CVE-2021-40317
 php{56,74,80,81}-piwigo-[0-9]*	cross-site-scripting	https://nvd.nist.gov/vuln/detail/CVE-2021-40678
 pidgin<2.14.9	man-in-the-middle-attack	https://nvd.nist.gov/vuln/detail/CVE-2022-26491
 poppler<22.04.0	denial-of-service	https://nvd.nist.gov/vuln/detail/CVE-2022-27337
-protobuf-c-[0-9]*	denial-of-service	https://nvd.nist.gov/vuln/detail/CVE-2022-33070
+protobuf-c<=1.4.0	denial-of-service	https://nvd.nist.gov/vuln/detail/CVE-2022-33070
 py{27,36,37,38,39,310}-JWT<2.4.0	security-bypass		https://nvd.nist.gov/vuln/detail/CVE-2022-29217
 py{27,36,37,38,39,310}-Pillow<9.1.1	heap-overflow		https://nvd.nist.gov/vuln/detail/CVE-2022-30595
 py{27,36,37,38,39,310}-aiohttp-[0-9]*	denial-of-service	https://nvd.nist.gov/vuln/detail/CVE-2022-33124
 py{27,36,37,38,39,310}-bottle<0.12.20	unspecified		https://nvd.nist.gov/vuln/detail/CVE-2022-31799
 py{27,36,37,38,39,310}-cookiecutter<2.1.1	shell-command-injection	https://nvd.nist.gov/vuln/detail/CVE-2022-24065
 py{27,36,37,38,39,310}-flower-[0-9]*	authentication-bypass	https://nvd.nist.gov/vuln/detail/CVE-2022-30034
 py{27,36,37,38,39,310}-ldap3<3.4.0	denial-of-service	https://nvd.nist.gov/vuln/detail/CVE-2021-46823
 py{27,36,37,38,39,310}-notebook<6.4.12	information-disclosure	https://nvd.nist.gov/vuln/detail/CVE-2022-29238
 py{27,36,37,38,39,310}-octoprint<1.8.0	cross-site-scripting	https://nvd.nist.gov/vuln/detail/CVE-2022-1430
 py{27,36,37,38,39,310}-octoprint<1.8.0	cross-site-scripting	https://nvd.nist.gov/vuln/detail/CVE-2022-1432
 py{27,36,37,38,39,310}-waitress>=2.1.0<2.1.2	denial-of-service	https://nvd.nist.gov/vuln/detail/CVE-2022-31015
 qemu<7.0.0	denial-of-service		https://nvd.nist.gov/vuln/detail/CVE-2021-3750
 radare2<5.5.4	null-pointer-dereference	https://nvd.nist.gov/vuln/detail/CVE-2021-44974