Tue Feb 13 13:59:36 2024 UTC (103d)
Add the two new entries for unbound:

  CVE-2023-50387, DNSSEC verification complexity can be exploited to
  exhaust CPU resources and stall DNS resolvers.
and
  CVE-2023-50868, NSEC3 closest encloser proof can exhaust CPU.

Nist doesn't have those yet, so use cve.mitre.org (even though
they are only "candidate CVEs" there at the time of this commit.


(he)
diff -r1.124 -r1.125 pkgsrc/doc/pkg-vulnerabilities
cvs diff -r1.124 -r1.125 pkgsrc/doc/pkg-vulnerabilities (expand / switch to unified diff)

--- pkgsrc/doc/pkg-vulnerabilities 2024/02/12 08:54:31 1.124
+++ pkgsrc/doc/pkg-vulnerabilities 2024/02/13 13:59:36 1.125
@@ -1,14 +1,14 @@ @@ -1,14 +1,14 @@
1# $NetBSD: pkg-vulnerabilities,v 1.124 2024/02/12 08:54:31 wiz Exp $ 1# $NetBSD: pkg-vulnerabilities,v 1.125 2024/02/13 13:59:36 he Exp $
2# 2#
3#FORMAT 1.0.0 3#FORMAT 1.0.0
4# 4#
5# Please read "Handling packages with security problems" in the pkgsrc 5# Please read "Handling packages with security problems" in the pkgsrc
6# guide before editing this file. 6# guide before editing this file.
7# 7#
8# Note: NEVER remove entries from this file; this should document *all* 8# Note: NEVER remove entries from this file; this should document *all*
9# known package vulnerabilities so it is entirely appropriate to have 9# known package vulnerabilities so it is entirely appropriate to have
10# multiple entries in this file for a single package, and to contain 10# multiple entries in this file for a single package, and to contain
11# entries for packages which have been removed from pkgsrc. 11# entries for packages which have been removed from pkgsrc.
12# 12#
13# New entries should be added at the end of this file. 13# New entries should be added at the end of this file.
14# 14#
@@ -25870,13 +25870,15 @@ graphviz<10 out-of-bounds-read https://n @@ -25870,13 +25870,15 @@ graphviz<10 out-of-bounds-read https://n
25870expat<2.6.0 denial-of-service https://nvd.nist.gov/vuln/detail/CVE-2023-52425 25870expat<2.6.0 denial-of-service https://nvd.nist.gov/vuln/detail/CVE-2023-52425
25871expat<2.6.0 denial-of-service https://nvd.nist.gov/vuln/detail/CVE-2023-52426 25871expat<2.6.0 denial-of-service https://nvd.nist.gov/vuln/detail/CVE-2023-52426
25872webkit-gtk<2.42.5 arbitrary-code-execution https://nvd.nist.gov/vuln/detail/CVE-2024-23222 25872webkit-gtk<2.42.5 arbitrary-code-execution https://nvd.nist.gov/vuln/detail/CVE-2024-23222
25873py{27,37,38,39,310,311,312}-django>=3.2<3.2.24 denial-of-service https://nvd.nist.gov/vuln/detail/CVE-2024-24680 25873py{27,37,38,39,310,311,312}-django>=3.2<3.2.24 denial-of-service https://nvd.nist.gov/vuln/detail/CVE-2024-24680
25874py{27,37,38,39,310,311,312}-django>=4.1<4.2 denial-of-service https://nvd.nist.gov/vuln/detail/CVE-2024-24680 25874py{27,37,38,39,310,311,312}-django>=4.1<4.2 denial-of-service https://nvd.nist.gov/vuln/detail/CVE-2024-24680
25875py{27,37,38,39,310,311,312}-django>=4.2<4.2.10 denial-of-service https://nvd.nist.gov/vuln/detail/CVE-2024-24680 25875py{27,37,38,39,310,311,312}-django>=4.2<4.2.10 denial-of-service https://nvd.nist.gov/vuln/detail/CVE-2024-24680
25876libuv>=1.24.0<1.48 address-check-bypass https://nvd.nist.gov/vuln/detail/CVE-2024-24806 25876libuv>=1.24.0<1.48 address-check-bypass https://nvd.nist.gov/vuln/detail/CVE-2024-24806
25877postgresql-server>=12<12.18 arbitrary-command-execution https://nvd.nist.gov/vuln/detail/CVE-2024-0985 25877postgresql-server>=12<12.18 arbitrary-command-execution https://nvd.nist.gov/vuln/detail/CVE-2024-0985
25878postgresql-server>=13<13.14 arbitrary-command-execution https://nvd.nist.gov/vuln/detail/CVE-2024-0985 25878postgresql-server>=13<13.14 arbitrary-command-execution https://nvd.nist.gov/vuln/detail/CVE-2024-0985
25879postgresql-server>=14<14.11 arbitrary-command-execution https://nvd.nist.gov/vuln/detail/CVE-2024-0985 25879postgresql-server>=14<14.11 arbitrary-command-execution https://nvd.nist.gov/vuln/detail/CVE-2024-0985
25880postgresql-server>=15<15.6 arbitrary-command-execution https://nvd.nist.gov/vuln/detail/CVE-2024-0985 25880postgresql-server>=15<15.6 arbitrary-command-execution https://nvd.nist.gov/vuln/detail/CVE-2024-0985
25881postgresql-server>=16<16.2 arbitrary-command-execution https://nvd.nist.gov/vuln/detail/CVE-2024-0985 25881postgresql-server>=16<16.2 arbitrary-command-execution https://nvd.nist.gov/vuln/detail/CVE-2024-0985
25882asterisk-13.* eol http://ftp.NetBSD.org/pub/NetBSD/packages/vulns/eol-packages 25882asterisk-13.* eol http://ftp.NetBSD.org/pub/NetBSD/packages/vulns/eol-packages
 25883unbound<1.19.1 denial-of-service https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-50387
 25884unbound<1.19.1 denial-of-service https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-50868