Mon Apr 8 06:06:36 2024 UTC
doc: add some upper bounds


(wiz)
diff -r1.163 -r1.164 pkgsrc/doc/pkg-vulnerabilities

cvs diff -r1.163 -r1.164 pkgsrc/doc/pkg-vulnerabilities

--- pkgsrc/doc/pkg-vulnerabilities 2024/04/07 21:36:33 1.163
+++ pkgsrc/doc/pkg-vulnerabilities 2024/04/08 06:06:36 1.164
@@ -1,14 +1,14 @@ @@ -1,14 +1,14 @@
1# $NetBSD: pkg-vulnerabilities,v 1.163 2024/04/07 21:36:33 wiz Exp $ 1# $NetBSD: pkg-vulnerabilities,v 1.164 2024/04/08 06:06:36 wiz Exp $
2# 2#
3#FORMAT 1.0.0 3#FORMAT 1.0.0
4# 4#
5# Please read "Handling packages with security problems" in the pkgsrc 5# Please read "Handling packages with security problems" in the pkgsrc
6# guide before editing this file. 6# guide before editing this file.
7# 7#
8# Note: NEVER remove entries from this file; this should document *all* 8# Note: NEVER remove entries from this file; this should document *all*
9# known package vulnerabilities so it is entirely appropriate to have 9# known package vulnerabilities so it is entirely appropriate to have
10# multiple entries in this file for a single package, and to contain 10# multiple entries in this file for a single package, and to contain
11# entries for packages which have been removed from pkgsrc. 11# entries for packages which have been removed from pkgsrc.
12# 12#
13# New entries should be added at the end of this file. 13# New entries should be added at the end of this file.
14# 14#
@@ -16626,27 +16626,27 @@ bind>=9.10<9.10.4pl8 denial-of-service h @@ -16626,27 +16626,27 @@ bind>=9.10<9.10.4pl8 denial-of-service h
16626bind>=9.11<9.11.0pl5 denial-of-service https://nvd.nist.gov/vuln/detail/CVE-2017-3138 16626bind>=9.11<9.11.0pl5 denial-of-service https://nvd.nist.gov/vuln/detail/CVE-2017-3138
16627bind>=9.12<9.12.1pl1 denial-of-service https://nvd.nist.gov/vuln/detail/CVE-2018-5736 16627bind>=9.12<9.12.1pl1 denial-of-service https://nvd.nist.gov/vuln/detail/CVE-2018-5736
16628bind>=9.12<9.12.1pl2 denial-of-service https://nvd.nist.gov/vuln/detail/CVE-2018-5737 16628bind>=9.12<9.12.1pl2 denial-of-service https://nvd.nist.gov/vuln/detail/CVE-2018-5737
16629bind>=9.9<9.9.13pl1 denial-of-service https://nvd.nist.gov/vuln/detail/CVE-2018-5740 16629bind>=9.9<9.9.13pl1 denial-of-service https://nvd.nist.gov/vuln/detail/CVE-2018-5740
16630bind>=9.10<9.10.8pl1 denial-of-service https://nvd.nist.gov/vuln/detail/CVE-2018-5740 16630bind>=9.10<9.10.8pl1 denial-of-service https://nvd.nist.gov/vuln/detail/CVE-2018-5740
16631bind>=9.11<9.11.4pl1 denial-of-service https://nvd.nist.gov/vuln/detail/CVE-2018-5740 16631bind>=9.11<9.11.4pl1 denial-of-service https://nvd.nist.gov/vuln/detail/CVE-2018-5740
16632bind>=9.12<9.12.2pl1 denial-of-service https://nvd.nist.gov/vuln/detail/CVE-2018-5740 16632bind>=9.12<9.12.2pl1 denial-of-service https://nvd.nist.gov/vuln/detail/CVE-2018-5740
16633bind>=9.11<9.11.5 invalid-validation https://nvd.nist.gov/vuln/detail/CVE-2018-5741 16633bind>=9.11<9.11.5 invalid-validation https://nvd.nist.gov/vuln/detail/CVE-2018-5741
16634bind>=9.12<9.12.3 invalid-validation https://nvd.nist.gov/vuln/detail/CVE-2018-5741 16634bind>=9.12<9.12.3 invalid-validation https://nvd.nist.gov/vuln/detail/CVE-2018-5741
16635cacti<1.2.0 cross-site-scripting https://nvd.nist.gov/vuln/detail/CVE-2018-20723 16635cacti<1.2.0 cross-site-scripting https://nvd.nist.gov/vuln/detail/CVE-2018-20723
16636cacti<1.2.0 cross-site-scripting https://nvd.nist.gov/vuln/detail/CVE-2018-20724 16636cacti<1.2.0 cross-site-scripting https://nvd.nist.gov/vuln/detail/CVE-2018-20724
16637cacti<1.2.0 cross-site-scripting https://nvd.nist.gov/vuln/detail/CVE-2018-20725 16637cacti<1.2.0 cross-site-scripting https://nvd.nist.gov/vuln/detail/CVE-2018-20725
16638cacti<1.2.0 cross-site-scripting https://nvd.nist.gov/vuln/detail/CVE-2018-20726 16638cacti<1.2.0 cross-site-scripting https://nvd.nist.gov/vuln/detail/CVE-2018-20726
16639cairo-[0-9]* denial-of-service https://nvd.nist.gov/vuln/detail/CVE-2019-6461 16639cairo<1.18.0 denial-of-service https://nvd.nist.gov/vuln/detail/CVE-2019-6461
16640cairo<1.16.0nb8 denial-of-service https://nvd.nist.gov/vuln/detail/CVE-2019-6462 16640cairo<1.16.0nb8 denial-of-service https://nvd.nist.gov/vuln/detail/CVE-2019-6462
16641py{27,34,35,36,37,38}-numpy-[0-9]* arbitrary-code-execution https://nvd.nist.gov/vuln/detail/CVE-2019-6446 16641py{27,34,35,36,37,38}-numpy-[0-9]* arbitrary-code-execution https://nvd.nist.gov/vuln/detail/CVE-2019-6446
16642php{56,70,71,72}-drupal>=7<7.62 unspecified https://www.drupal.org/SA-CORE-2019-001 16642php{56,70,71,72}-drupal>=7<7.62 unspecified https://www.drupal.org/SA-CORE-2019-001
16643php{56,70,71,72}-drupal>=8<8.6.6 unspecified https://www.drupal.org/SA-CORE-2019-001 16643php{56,70,71,72}-drupal>=8<8.6.6 unspecified https://www.drupal.org/SA-CORE-2019-001
16644php{56,70,71,72}-drupal>=7<7.62 arbitrary-code-execution https://www.drupal.org/SA-CORE-2019-002 16644php{56,70,71,72}-drupal>=7<7.62 arbitrary-code-execution https://www.drupal.org/SA-CORE-2019-002
16645php{56,70,71,72}-drupal>=8<8.6.6 arbitrary-code-execution https://www.drupal.org/SA-CORE-2019-002 16645php{56,70,71,72}-drupal>=8<8.6.6 arbitrary-code-execution https://www.drupal.org/SA-CORE-2019-002
16646jenkins-lts<2.150.2 multiple-vulnerabilities https://jenkins.io/security/advisory/2019-01-16/ 16646jenkins-lts<2.150.2 multiple-vulnerabilities https://jenkins.io/security/advisory/2019-01-16/
16647jenkins<2.160 multiple-vulnerabilities https://jenkins.io/security/advisory/2019-01-16/ 16647jenkins<2.160 multiple-vulnerabilities https://jenkins.io/security/advisory/2019-01-16/
16648mysql-client>=5.5<5.5.62nb1 information-disclosure https://gwillem.gitlab.io/2019/01/20/sites-hacked-via-mysql-protocal-flaw/ 16648mysql-client>=5.5<5.5.62nb1 information-disclosure https://gwillem.gitlab.io/2019/01/20/sites-hacked-via-mysql-protocal-flaw/
16649mysql-client>=5.6<5.6.42nb1 information-disclosure https://gwillem.gitlab.io/2019/01/20/sites-hacked-via-mysql-protocal-flaw/ 16649mysql-client>=5.6<5.6.42nb1 information-disclosure https://gwillem.gitlab.io/2019/01/20/sites-hacked-via-mysql-protocal-flaw/
16650mysql-client>=5.7<5.7.24nb2 information-disclosure https://gwillem.gitlab.io/2019/01/20/sites-hacked-via-mysql-protocal-flaw/ 16650mysql-client>=5.7<5.7.24nb2 information-disclosure https://gwillem.gitlab.io/2019/01/20/sites-hacked-via-mysql-protocal-flaw/
16651pdns-recursor>=4.1.0<4.1.9 access-bypass https://nvd.nist.gov/vuln/detail/CVE-2019-3806 16651pdns-recursor>=4.1.0<4.1.9 access-bypass https://nvd.nist.gov/vuln/detail/CVE-2019-3806
16652pdns-recursor>=4.1.0<4.1.9 invalid-validation https://nvd.nist.gov/vuln/detail/CVE-2019-3807 16652pdns-recursor>=4.1.0<4.1.9 invalid-validation https://nvd.nist.gov/vuln/detail/CVE-2019-3807
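Review bot: the new bound cairo<1.18.0 for CVE-2019-6461 now sits beside cairo<1.16.0nb8 for CVE-2019-6462, so the two CVEs are declared fixed at different cairo versions; please confirm that 1.18.0 is the first release carrying the upstream fix for CVE-2019-6461 rather than a pkgsrc-patched nb revision as for the sibling entry, because a bound that is too high keeps reporting already-fixed installations and one that is too low silences a real finding. A one-line comment above the entry naming the fixing release would make the bound auditable by the next editor.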
@@ -25126,31 +25126,29 @@ curl>=7.13<8.00 authentication-bypass ht @@ -25126,31 +25126,29 @@ curl>=7.13<8.00 authentication-bypass ht
25126curl>=7.22<8.00 authentication-bypass https://nvd.nist.gov/vuln/detail/CVE-2023-27536 25126curl>=7.22<8.00 authentication-bypass https://nvd.nist.gov/vuln/detail/CVE-2023-27536
25127curl>=7.88<8.00 double-free https://nvd.nist.gov/vuln/detail/CVE-2023-27537 25127curl>=7.88<8.00 double-free https://nvd.nist.gov/vuln/detail/CVE-2023-27537
25128curl>=7.16.1<8.00 authentication-bypass https://nvd.nist.gov/vuln/detail/CVE-2023-27538 25128curl>=7.16.1<8.00 authentication-bypass https://nvd.nist.gov/vuln/detail/CVE-2023-27538
25129redis>=7.0.8<7.0.10 denial-of-service https://nvd.nist.gov/vuln/detail/CVE-2023-28425 25129redis>=7.0.8<7.0.10 denial-of-service https://nvd.nist.gov/vuln/detail/CVE-2023-28425
25130openssl<1.1.1tnb1 denial-of-service https://nvd.nist.gov/vuln/detail/CVE-2023-0464 25130openssl<1.1.1tnb1 denial-of-service https://nvd.nist.gov/vuln/detail/CVE-2023-0464
25131modular-xorg-server<21.1.7nb1 use-after-free https://nvd.nist.gov/vuln/detail/CVE-2023-1393 25131modular-xorg-server<21.1.7nb1 use-after-free https://nvd.nist.gov/vuln/detail/CVE-2023-1393
25132irssi<1.4.4 use-after-free https://nvd.nist.gov/vuln/detail/CVE-2023-29132 25132irssi<1.4.4 use-after-free https://nvd.nist.gov/vuln/detail/CVE-2023-29132
25133pcre-[0-9]* eol http://ftp.NetBSD.org/pub/NetBSD/packages/vulns/eol-packages 25133pcre-[0-9]* eol http://ftp.NetBSD.org/pub/NetBSD/packages/vulns/eol-packages
25134ghostscript-gpl<10.01.1 remote-code-execution https://nvd.nist.gov/vuln/detail/CVE-2023-28879 25134ghostscript-gpl<10.01.1 remote-code-execution https://nvd.nist.gov/vuln/detail/CVE-2023-28879
25135ghostscript-agpl<10.01.1 remote-code-execution https://nvd.nist.gov/vuln/detail/CVE-2023-28879 25135ghostscript-agpl<10.01.1 remote-code-execution https://nvd.nist.gov/vuln/detail/CVE-2023-28879
25136git-base<2.40.1 arbitrary-file-write https://nvd.nist.gov/vuln/detail/CVE-2023-25652 25136git-base<2.40.1 arbitrary-file-write https://nvd.nist.gov/vuln/detail/CVE-2023-25652
25137git-base<2.40.1 arbitrary-messages https://nvd.nist.gov/vuln/detail/CVE-2023-25815 25137git-base<2.40.1 arbitrary-messages https://nvd.nist.gov/vuln/detail/CVE-2023-25815
25138git-base<2.40.1 configuration-misinterpretation https://nvd.nist.gov/vuln/detail/CVE-2023-29007 25138git-base<2.40.1 configuration-misinterpretation https://nvd.nist.gov/vuln/detail/CVE-2023-29007
25139# CPAN up to and including 2.34 25139perl<5.38.0 sensitive-information-disclosure https://nvd.nist.gov/vuln/detail/CVE-2023-31484
25140perl-[0-9]* sensitive-information-disclosure https://nvd.nist.gov/vuln/detail/CVE-2023-31484 
25141p5-GitLab-API-v4-[0-9]* sensitive-information-disclosure https://nvd.nist.gov/vuln/detail/CVE-2023-31485 25140p5-GitLab-API-v4-[0-9]* sensitive-information-disclosure https://nvd.nist.gov/vuln/detail/CVE-2023-31485
25142# HTTP::Tiny up to and including 0.082, part of perl 25141perl<5.38.0 sensitive-information-disclosure https://nvd.nist.gov/vuln/detail/CVE-2023-31486
25143perl-[0-9]* sensitive-information-disclosure https://nvd.nist.gov/vuln/detail/CVE-2023-31486 
25144py{36,37,38,39,310,311}-django>=3.2<3.2.19 input-validation https://nvd.nist.gov/vuln/detail/CVE-2023-31047 25142py{36,37,38,39,310,311}-django>=3.2<3.2.19 input-validation https://nvd.nist.gov/vuln/detail/CVE-2023-31047
25145py{36,37,38,39,310,311}-django>=4.1<4.1.9 input-validation https://nvd.nist.gov/vuln/detail/CVE-2023-31047 25143py{36,37,38,39,310,311}-django>=4.1<4.1.9 input-validation https://nvd.nist.gov/vuln/detail/CVE-2023-31047
25146py{36,37,38,39,310,311}-django>=4.2<4.2.1 input-validation https://nvd.nist.gov/vuln/detail/CVE-2023-31047 25144py{36,37,38,39,310,311}-django>=4.2<4.2.1 input-validation https://nvd.nist.gov/vuln/detail/CVE-2023-31047
25147libssh<0.105 debial-of-service https://nvd.nist.gov/vuln/detail/CVE-2023-1667 25145libssh<0.105 debial-of-service https://nvd.nist.gov/vuln/detail/CVE-2023-1667
25148libssh<0.105 unauthorized-access https://nvd.nist.gov/vuln/detail/CVE-2023-2283 25146libssh<0.105 unauthorized-access https://nvd.nist.gov/vuln/detail/CVE-2023-2283
25149curl>=7.81.0<8.1.0 use-after-free https://nvd.nist.gov/vuln/detail/CVE-2023-28319 25147curl>=7.81.0<8.1.0 use-after-free https://nvd.nist.gov/vuln/detail/CVE-2023-28319
25150curl>=7.9.8<8.1.0 improper-synchronization https://nvd.nist.gov/vuln/detail/CVE-2023-28320 25148curl>=7.9.8<8.1.0 improper-synchronization https://nvd.nist.gov/vuln/detail/CVE-2023-28320
25151curl>=7.12.0<8.1.0 improper-certificate-validation https://nvd.nist.gov/vuln/detail/CVE-2023-28321 25149curl>=7.12.0<8.1.0 improper-certificate-validation https://nvd.nist.gov/vuln/detail/CVE-2023-28321
25152curl>=7.7<8.1.0 expected-behavior-violation https://nvd.nist.gov/vuln/detail/CVE-2023-28322 25150curl>=7.7<8.1.0 expected-behavior-violation https://nvd.nist.gov/vuln/detail/CVE-2023-28322
25153cups-filters<1.28.18 remote-code-execution https://nvd.nist.gov/vuln/detail/CVE-2023-24805 25151cups-filters<1.28.18 remote-code-execution https://nvd.nist.gov/vuln/detail/CVE-2023-24805
25154libcares<1.19.1 denial-of-service https://nvd.nist.gov/vuln/detail/CVE-2023-32067 25152libcares<1.19.1 denial-of-service https://nvd.nist.gov/vuln/detail/CVE-2023-32067
25155libcares<1.19.1 lack-of-entropy https://nvd.nist.gov/vuln/detail/CVE-2023-31124 25153libcares<1.19.1 lack-of-entropy https://nvd.nist.gov/vuln/detail/CVE-2023-31124
25156libcares<1.19.1 buffer-underflow https://nvd.nist.gov/vuln/detail/CVE-2023-31130 25154libcares<1.19.1 buffer-underflow https://nvd.nist.gov/vuln/detail/CVE-2023-31130
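Review bot: the comment lines "# CPAN up to and including 2.34" and "# HTTP::Tiny up to and including 0.082, part of perl" are dropped together with the perl-[0-9]* patterns, but they are the only record of why the new bound is perl<5.38.0 (the affected versions of the modules bundled with perl); keep them above the new perl<5.38.0 entries so the bound can be verified against the bundled module versions later. Unrelated but in the same region: the context line libssh<0.105 debial-of-service misspells the vulnerability class and should read denial-of-service, which is worth fixing in a separate commit.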
@@ -25431,28 +25429,30 @@ wireshark<4.0.6 denial-of-service https: @@ -25431,28 +25429,30 @@ wireshark<4.0.6 denial-of-service https:
25431wireshark<4.0.6 denial-of-service https://nvd.nist.gov/vuln/detail/CVE-2023-2856 25429wireshark<4.0.6 denial-of-service https://nvd.nist.gov/vuln/detail/CVE-2023-2856
25432wireshark<4.0.6 denial-of-service https://nvd.nist.gov/vuln/detail/CVE-2023-2855 25430wireshark<4.0.6 denial-of-service https://nvd.nist.gov/vuln/detail/CVE-2023-2855
25433wireshark<4.0.6 denial-of-service https://nvd.nist.gov/vuln/detail/CVE-2023-2854 25431wireshark<4.0.6 denial-of-service https://nvd.nist.gov/vuln/detail/CVE-2023-2854
25434wireshark<4.0.6 denial-of-service https://nvd.nist.gov/vuln/detail/CVE-2023-2952 25432wireshark<4.0.6 denial-of-service https://nvd.nist.gov/vuln/detail/CVE-2023-2952
25435wireshark<4.0.6 code-execution https://nvd.nist.gov/vuln/detail/CVE-2023-0667 25433wireshark<4.0.6 code-execution https://nvd.nist.gov/vuln/detail/CVE-2023-0667
25436wireshark>=4<4.0.6 code-execution https://nvd.nist.gov/vuln/detail/CVE-2023-0666 25434wireshark>=4<4.0.6 code-execution https://nvd.nist.gov/vuln/detail/CVE-2023-0666
25437wireshark<4.0.6 code-execution https://nvd.nist.gov/vuln/detail/CVE-2023-0668 25435wireshark<4.0.6 code-execution https://nvd.nist.gov/vuln/detail/CVE-2023-0668
25438wireshark-[0-9]* denial-of-service https://nvd.nist.gov/vuln/detail/CVE-2023-3649 25436wireshark-[0-9]* denial-of-service https://nvd.nist.gov/vuln/detail/CVE-2023-3649
25439wireshark-[0-9]* denial-of-service https://nvd.nist.gov/vuln/detail/CVE-2023-3648 25437wireshark-[0-9]* denial-of-service https://nvd.nist.gov/vuln/detail/CVE-2023-3648
25440wireshark<4.0.8 denial-of-service https://nvd.nist.gov/vuln/detail/CVE-2023-4513 25438wireshark<4.0.8 denial-of-service https://nvd.nist.gov/vuln/detail/CVE-2023-4513
25441wireshark-[0-9]* denial-of-service https://nvd.nist.gov/vuln/detail/CVE-2023-4512 25439wireshark-[0-9]* denial-of-service https://nvd.nist.gov/vuln/detail/CVE-2023-4512
25442wireshark<4.0.8 denial-of-service https://nvd.nist.gov/vuln/detail/CVE-2023-4511 25440wireshark<4.0.8 denial-of-service https://nvd.nist.gov/vuln/detail/CVE-2023-4511
25443wireshark-[0-9]* denial-of-service https://nvd.nist.gov/vuln/detail/CVE-2023-5371 25441wireshark-[0-9]* denial-of-service https://nvd.nist.gov/vuln/detail/CVE-2023-5371
25444w3m-[0-9]* out-of-bounds-read https://nvd.nist.gov/vuln/detail/CVE-2023-38252 25442w3m<0.5.3.0.20230121nb4 out-of-bounds-read https://nvd.nist.gov/vuln/detail/CVE-2023-38252
25445w3m-[0-9]* out-of-bounds-read https://nvd.nist.gov/vuln/detail/CVE-2023-38253 25443w3m-img<0.5.3.0.20230121nb2 out-of-bounds-read https://nvd.nist.gov/vuln/detail/CVE-2023-38252
 25444w3m<0.5.3.0.20230121nb4 out-of-bounds-read https://nvd.nist.gov/vuln/detail/CVE-2023-38253
 25445w3m-img<0.5.3.0.20230121nb2 out-of-bounds-read https://nvd.nist.gov/vuln/detail/CVE-2023-38253
25446vsftpd-[0-9]* denial-of-service https://nvd.nist.gov/vuln/detail/CVE-2021-30047 25446vsftpd-[0-9]* denial-of-service https://nvd.nist.gov/vuln/detail/CVE-2021-30047
25447vorbis-tools-[0-9]* buffer-overflow https://nvd.nist.gov/vuln/detail/CVE-2023-43361 25447vorbis-tools-[0-9]* buffer-overflow https://nvd.nist.gov/vuln/detail/CVE-2023-43361
25448matrix-synapse<1.74.0 security-bypass https://nvd.nist.gov/vuln/detail/CVE-2023-32323 25448matrix-synapse<1.74.0 security-bypass https://nvd.nist.gov/vuln/detail/CVE-2023-32323
25449matrix-synapse>=1.62.0<1.68.0 sensitive-information-disclosure https://nvd.nist.gov/vuln/detail/CVE-2022-39374 25449matrix-synapse>=1.62.0<1.68.0 sensitive-information-disclosure https://nvd.nist.gov/vuln/detail/CVE-2022-39374
25450matrix-synapse<1.69.0 sensitive-information-disclosure https://nvd.nist.gov/vuln/detail/CVE-2022-39335 25450matrix-synapse<1.69.0 sensitive-information-disclosure https://nvd.nist.gov/vuln/detail/CVE-2022-39335
25451matrix-synapse<1.85.0 security-bypass https://nvd.nist.gov/vuln/detail/CVE-2023-32682 25451matrix-synapse<1.85.0 security-bypass https://nvd.nist.gov/vuln/detail/CVE-2023-32682
25452matrix-synapse<1.85.0 sensitive-information-disclosure https://nvd.nist.gov/vuln/detail/CVE-2023-32683 25452matrix-synapse<1.85.0 sensitive-information-disclosure https://nvd.nist.gov/vuln/detail/CVE-2023-32683
25453matrix-synapse>=1.66.0<1.93.0 security-bypass https://nvd.nist.gov/vuln/detail/CVE-2023-41335 25453matrix-synapse>=1.66.0<1.93.0 security-bypass https://nvd.nist.gov/vuln/detail/CVE-2023-41335
25454matrix-synapse>=1.34.0<1.93.0 security-bypass https://nvd.nist.gov/vuln/detail/CVE-2023-42453 25454matrix-synapse>=1.34.0<1.93.0 security-bypass https://nvd.nist.gov/vuln/detail/CVE-2023-42453
25455freerdp2<2.11.0 buffer-overflow https://nvd.nist.gov/vuln/detail/CVE-2023-40589 25455freerdp2<2.11.0 buffer-overflow https://nvd.nist.gov/vuln/detail/CVE-2023-40589
25456freerdp2<2.11.0 out-of-bounds-write https://nvd.nist.gov/vuln/detail/CVE-2023-40569 25456freerdp2<2.11.0 out-of-bounds-write https://nvd.nist.gov/vuln/detail/CVE-2023-40569
25457freerdp2<2.11.0 out-of-bounds-read https://nvd.nist.gov/vuln/detail/CVE-2023-40188 25457freerdp2<2.11.0 out-of-bounds-read https://nvd.nist.gov/vuln/detail/CVE-2023-40188
25458freerdp2<2.11.0 out-of-bounds-write https://nvd.nist.gov/vuln/detail/CVE-2023-40567 25458freerdp2<2.11.0 out-of-bounds-write https://nvd.nist.gov/vuln/detail/CVE-2023-40567
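Review bot: the replacement entries give w3m and w3m-img different upper bounds (w3m<0.5.3.0.20230121nb4 versus w3m-img<0.5.3.0.20230121nb2) for the same two CVEs, CVE-2023-38252 and CVE-2023-38253; please confirm each bound against the PKGREVISION at which that package actually picked up the fix, since a mismatched bound either keeps flagging a patched w3m-img or stops flagging an unpatched one. While here, the surrounding context lines still use unbounded patterns (wireshark-[0-9]* for CVE-2023-3649, CVE-2023-3648, CVE-2023-4512 and CVE-2023-5371, plus vsftpd-[0-9]* and vorbis-tools-[0-9]*), which match every version including fixed ones and could receive upper bounds in the same sweep this commit starts.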