Sun Dec 24 12:47:46 2023 UTC (155d)
Add vulnerability entries for the recent Go vulns

This is for all the ones I found with a quick scan with govulncheck,
modulo those that are fixed already.


(bsiegert)
diff -r1.97 -r1.98 pkgsrc/doc/pkg-vulnerabilities


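--- a/pkgsrc/doc/pkg-vulnerabilities
+++ b/pkgsrc/doc/pkg-vulnerabilities
@@ -1,14 +1,14 @@
-# $NetBSD: pkg-vulnerabilities,v 1.97 2023/12/24 09:53:03 wiz Exp $
+# $NetBSD: pkg-vulnerabilities,v 1.98 2023/12/24 12:47:46 bsiegert Exp $
 #
 #FORMAT 1.0.0
 #
 # Please read "Handling packages with security problems" in the pkgsrc
 # guide before editing this file.
 #
 # Note: NEVER remove entries from this file; this should document *all*
 # known package vulnerabilities so it is entirely appropriate to have
 # multiple entries in this file for a single package, and to contain
 # entries for packages which have been removed from pkgsrc.
 #
 # New entries should be added at the end of this file.
 #
@@ -25817,13 +25817,28 @@ proftpd<1.3.8b extension-negotiation-dow
 dropbear<2022.83nb1 extension-negotiation-downgrade https://nvd.nist.gov/vuln/detail/CVE-2023-48795
 erlang<26.2.1 extension-negotiation-downgrade https://nvd.nist.gov/vuln/detail/CVE-2023-48795
 libssh2<1.11.0nb2 extension-negotiation-downgrade https://nvd.nist.gov/vuln/detail/CVE-2023-48795
 postfix<3.8.4 email-spoofing https://nvd.nist.gov/vuln/detail/CVE-2023-51764
 mysqld_exporter<0.15.1 auth-bypass https://pkg.go.dev/vuln/GO-2022-1130
 mysqld_exporter<0.15.1 denial-of-service https://pkg.go.dev/vuln/GO-2023-1571
 postgres_exporter<0.15.0 auth-bypass https://pkg.go.dev/vuln/GO-2022-1130
 postgres_exporter<0.15.0 denial-of-service https://pkg.go.dev/vuln/GO-2023-1571
 git-lfs<3.4.1 denial-of-service https://pkg.go.dev/vuln/GO-2023-1571
 exim-[0-9]* email-spoofing https://nvd.nist.gov/vuln/detail/CVE-2023-51766
 nuclei<3.1.3 man-in-the-middle https://pkg.go.dev/vuln/GO-2023-2402
 glow<1.5.1 man-in-the-middle https://pkg.go.dev/vuln/GO-2023-2402
 sendmail-[0-9]* email-spoofing https://nvd.nist.gov/vuln/detail/CVE-CVE-2023-51765
+packer<1.9.5 man-in-the-middle https://pkg.go.dev/vuln/GO-2023-2402
+ssh-chat-[0-9]* man-in-the-middle https://pkg.go.dev/vuln/GO-2023-2402
+influxdb-[0-9]* denial-of-service https://pkg.go.dev/vuln/GO-2023-1571
+lazygit-[0-9]* man-in-the-middle https://pkg.go.dev/vuln/GO-2023-2402
+amfora-[0-9]* infinite-loop https://pkg.go.dev/vuln/GO-2021-0238
+hub-[0-9]* denial-of-service https://pkg.go.dev/vuln/GO-2021-0061
+nats-server-[0-9]* permissions-checking https://pkg.go.dev/vuln/GO-2022-0386
+obfs4proxy-[0-9]* denial-of-service https://pkg.go.dev/vuln/GO-2023-1571
+terraform-provider-aws-[0-9]* denial-of-service https://pkg.go.dev/vuln/GO-2023-2153
+terraform-provider-aws-[0-9]* denial-of-service https://pkg.go.dev/vuln/GO-2023-1571
+authelia-[0-9]* path-traversal https://pkg.go.dev/vuln/GO-2022-0355
+authelia-[0-9]* out-of-bounds-read https://pkg.go.dev/vuln/GO-2021-0113
+apisprout-[0-9]* denial-of-service https://pkg.go.dev/vuln/GO-2021-0061
+gitea-[0-9]* man-in-the-middle https://pkg.go.dev/vuln/GO-2023-2402
+gitea-[0-9]* improper-rendering https://pkg.go.dev/vuln/GO-2023-1988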
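Review bot: All of the new entries except `packer<1.9.5` use the unbounded `NAME-[0-9]*` form, which marks every version of the package as affected, including the one that will eventually be rebuilt against the fixed Go module, so each of them needs a follow-up edit to a bounded pattern (for example `gitea<FIXED-VERSION man-in-the-middle https://pkg.go.dev/vuln/GO-2023-2402`, with the placeholder replaced once the fix is known) or the audit will keep flagging the updated package. Because these came from a govulncheck scan of the package versions current at commit time, noting those scanned versions somewhere (the commit message or a comment in the follow-up) would make the later bounding straightforward. Separately, the unchanged sendmail context line just above carries `CVE-CVE-2023-51765` in its NVD URL, which looks like a doubled prefix; it predates this change but is worth correcting in the same follow-up.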