From: Hubert Tournier <hubert.tournier@gmail.com>
Date: Sun, 23 Apr 2023 18:53:57 +0200
Subject: Re: 45 vulnerable ports unreported in VuXML
To: FreeBSD-security@freebsd.org
List-Archive: https://lists.freebsd.org/archives/freebsd-security

Hello,

Here's a little progress report on the osv2vuxml tool development.
I'm now up to the point where I can identify vulnerable (current version) FreeBSD ports from all the OSV "ecosystems".
But I still have to check which are not yet reported in VuXML and generate an entry skeleton for them, like I did with pysec2vuxml.
I think I'll be able to publish something in a couple of weeks...

Note that identifying a vulnerable port implies either finding a matching name (not always reliable with port prefixes / flavours / versions in port suffixes) or a matching source web site (better IMO, but there are 2576 ports out of 33565 that don't have that information).

I may find more vulnerable ports in the future by delving deeper into the data, especially if I can find matches with software packaged for Linux, Debian, Alpine and Android ecosystems...
Also naming of FreeBSD ports for Go gems, Rust crates and others seems to be less consistent than for Python, Ruby and PHP packages.
So here's what's reported so far:

Ecosystem / Language / vulnerabilities / affected ports / vulns for affected ports
-----------------------------------------------------------------------------------
Go / Go / 1360 / 6 / 24
Hex / Erlang / 21 / 0 / 0
Maven / Java / 3462 / 8 / 8
NuGet / .Net / 267 / 3 / 3
Packagist / PHP / 1484 / 0 / 0
Pub / Dart / 5 / 0 / 0
PyPI / Python / 3955 / 61 / 166
RubyGems / Ruby / 669 / 45 / 118
crates.io / Rust / 1133 / 14 / 33
npm / JavaScript / 2962 / 57 / 83
-----------------------------------------------------------------------------------
GSD / - / 7 / 0 / 0
GitHub Actions / - / 8 / 0 / 0
OSS-Fuzz / - / 2870 / 21 / 85
UVI / - / 1 / 0 / 0
-----------------------------------------------------------------------------------
215 affected ports in their current version, counting for 520 vulnerabilities

And here's a preliminary detailed list of vulnerable ports with associated vulnerability IDs (there might be a few false positives inside!).
Hopefully, it includes many already reported vulnerabilities in VuXML (at least many of those listed for Python have already been reported with pysec2vuxml):

2bsd-diff-2.11.1_1: ['GHSA-h6ch-v84p-w6p9']
R-cran-ini-0.3.1: ['GHSA-qqgx-2p2h-9c37']
R-cran-mime-0.12: ['GHSA-wrvr-8mpx-r7pp']
R-cran-rio-0.5.29: ['GHSA-8rc5-mr4f-m243']
R-cran-xopen-1.0.0: ['GHSA-74wf-cwjg-9cf2']
b2-1.3.8_1: ['GHSA-8wr4-2wm6-w3pr', 'PYSEC-2022-32']
bcrypt-1.1: ['GHSA-5wg4-74h6-q47v']
blitz-1.0.2_4: ['GHSA-5888-ffcr-r425']
capstone4-4.0.2: ['OSV-2020-438']
comrak-0.15.0_3: ['GHSA-5r3x-p7xx-x6q5', 'GHSA-8hqf-xjwp-p67v', 'GHSA-xxmq-4vph-956w']
containers-0.9.0_2: ['GHSA-cv7x-6rc6-pq5v', 'RUSTSEC-2021-0010']
coreos-etcd-2.3.8_18: ['GHSA-4993-m7g5-r9hh', 'GHSA-528j-9r78-wffx', 'GHSA-9gp7-6833-wv89', 'GHSA-h8g9-6gvh-5mrc', 'GHSA-m332-53r6-2w93', 'GHSA-p4g4-wgrh-qrg2']
coreos-etcd31-3.1.20_17: ['GHSA-4993-m7g5-r9hh', 'GHSA-528j-9r78-wffx', 'GHSA-9gp7-6833-wv89', 'GHSA-h8g9-6gvh-5mrc', 'GHSA-m332-53r6-2w93', 'GHSA-p4g4-wgrh-qrg2']
coreos-etcd32-3.2.32_15: ['GHSA-4993-m7g5-r9hh', 'GHSA-528j-9r78-wffx', 'GHSA-9gp7-6833-wv89', 'GHSA-h8g9-6gvh-5mrc', 'GHSA-m332-53r6-2w93', 'GHSA-p4g4-wgrh-qrg2']
date-3.0.1: ['GHSA-qg54-694p-wgpp']
deluge-2.0.3_3,2: ['GHSA-5c8p-qhch-qhx6', 'PYSEC-2022-256']
deluge-cli-2.0.3_4: ['GHSA-5c8p-qhch-qhx6', 'PYSEC-2022-256']
dojo-1.12.2: ['GHSA-536q-8gxx-m782', 'GHSA-jxfh-8wgv-vfr2', 'GHSA-m8gw-hjpr-rjv7']
draco-3d-compression-1.5.6: ['OSV-2020-778', 'OSV-2020-800', 'OSV-2020-824', 'OSV-2020-828', 'OSV-2021-1082']
espeak-ng-1.51.1_3: ['OSV-2021-1024', 'OSV-2021-1041', 'OSV-2021-1110', 'OSV-2021-1141', 'OSV-2021-1157', 'OSV-2021-765', 'OSV-2021-787', 'OSV-2021-802', 'OSV-2022-462', 'OSV-2022-519', 'OSV-2022-530']
flatbuffers205-2.0.5: ['GHSA-3jch-9qgp-4844', 'RUSTSEC-2021-0122']
go-protobuf-1.3.2_12,1: ['GHSA-77rm-9x9h-xj3g', 'GHSA-jwvw-v7c5-m82h', 'GHSA-mh6h-f25p-98f8']
got-0.87: ['GHSA-pfrx-2q88-qq97']
gstreamer1-1.22.0_1: ['OSV-2022-1168']
gtar-1.34: ['GHSA-3jfq-g458-7qm9', 'GHSA-5955-9wpr-37jh', 'GHSA-9r2w-394v-53qc', 'GHSA-gfjr-3jmm-4g9v', 'GHSA-j44m-qm6p-hp7m', 'GHSA-qq89-hq3f-393p', 'GHSA-r628-mhmh-qjhw']
guake-3.4.0_3: ['GHSA-7x48-7466-3g33', 'PYSEC-2022-165']
harfbuzz-7.1.0: ['OSV-2023-137', 'OSV-2023-170', 'OSV-2023-222', 'OSV-2023-323']
harp-0.6.0_3: ['GHSA-46hv-7769-j7rx', 'GHSA-6fmm-47qc-p4m4']
jbig2dec-0.19: ['OSV-2020-822']
leptonica-1.82.0: ['OSV-2022-69', 'OSV-2022-91']
libnotify-0.8.2: ['GHSA-6898-wx94-8jq8']
libraw-0.21.1: ['OSV-2022-819', 'OSV-2023-184', 'OSV-2023-90']
libredwg-0.12.4: ['OSV-2021-1086', 'OSV-2021-620', 'OSV-2021-771', 'OSV-2022-129', 'OSV-2022-363']
libsass-3.6.5: ['OSV-2020-1420', 'OSV-2020-862', 'OSV-2021-508', 'OSV-2022-896']
libucl-0.8.2: ['OSV-2021-1261', 'OSV-2022-494', 'OSV-2023-321', 'OSV-2023-78']
log4net-1.2.10_3: ['GHSA-2cwj-8chv-9pp9']
lua51-bcrypt-2.3.1: ['GHSA-5wg4-74h6-q47v']
lua51-json-1.3.4_1: ['GHSA-3c6g-pvg8-gqw2']
lua52-bcrypt-2.3.1: ['GHSA-5wg4-74h6-q47v']
lua52-json-1.3.4_1: ['GHSA-3c6g-pvg8-gqw2']
lua53-bcrypt-2.3.1: ['GHSA-5wg4-74h6-q47v']
lua53-json-1.3.4_1: ['GHSA-3c6g-pvg8-gqw2']
lua54-bcrypt-2.3.1: ['GHSA-5wg4-74h6-q47v']
lua54-json-1.3.4_1: ['GHSA-3c6g-pvg8-gqw2']
mingw32-libyaml-0.1.6_2: ['GHSA-m75h-cghq-c8h5']
mitmproxy-7.0.4_2: ['GHSA-gcx2-gvj7-pxv3', 'PYSEC-2022-170']
mongoose-5.6: ['GHSA-8687-vv9j-hgph', 'GHSA-f825-f98c-gj3g']
nlohmann-json-3.11.2: ['GHSA-3c6g-pvg8-gqw2']
ocaml-mysql-1.2.4: ['GHSA-fvq6-55gv-jx9f']
opa-0.41.0_11: ['GHSA-2m4x-4q9j-w97g', 'GHSA-f524-rf33-2jjr']
open-1.4: ['GHSA-28xh-wpgr-7fm8']
opencv-4.6.0_6: ['OSV-2022-394', 'GHSA-f698-m2v9-5fh3', 'GHSA-mc7w-4cjf-c973']
opensc-0.23.0: ['OSV-2022-1175', 'OSV-2022-1188', 'OSV-2022-1201', 'OSV-2022-1232']
p5-mem-0.4.7: ['GHSA-4xcv-9jjx-gfj3']
php80-opencc-0.0.0.20201211: ['GHSA-9qh2-6fxg-9m4g']
php80-pecl-mongodb-1.15.1: ['GHSA-4rjr-3gj2-5crq', 'GHSA-mh5c-679w-hh4r']
php80-pecl-mustache-0.9.3: ['GHSA-3233-rgx3-c2wh', 'GHSA-w3w8-37jv-2c58']
php80-pecl-ssh2-1.3.1: ['GHSA-652h-xwhf-q4h6']
php81-opencc-0.0.0.20201211: ['GHSA-9qh2-6fxg-9m4g']
php81-pecl-mongodb-1.15.1: ['GHSA-4rjr-3gj2-5crq', 'GHSA-mh5c-679w-hh4r']
php81-pecl-mustache-0.9.3: ['GHSA-3233-rgx3-c2wh', 'GHSA-w3w8-37jv-2c58']
php81-pecl-ssh2-1.3.1: ['GHSA-652h-xwhf-q4h6']
php82-opencc-0.0.0.20201211: ['GHSA-9qh2-6fxg-9m4g']
php82-pecl-mongodb-1.15.1: ['GHSA-4rjr-3gj2-5crq', 'GHSA-mh5c-679w-hh4r']
php82-pecl-mustache-0.9.3: ['GHSA-3233-rgx3-c2wh', 'GHSA-w3w8-37jv-2c58']
php82-pecl-ssh2-1.3.1: ['GHSA-652h-xwhf-q4h6']
pidgin-libnotify-0.14_15: ['GHSA-6898-wx94-8jq8']
postgresql13-semver-0.31.2: ['GHSA-x6fg-f45m-jf5q']
protobuf25-2.5.0_5: ['GHSA-77rm-9x9h-xj3g', 'GHSA-jwvw-v7c5-m82h', 'GHSA-8gq9-2x98-w8hf', 'PYSEC-2017-65', 'PYSEC-2022-48', 'GHSA-mh6h-f25p-98f8', 'RUSTSEC-2019-0003']
py27-setuptools44-44.1.1: ['GHSA-r9hx-vwmv-q579']
py310-setuptools-63.1.0: ['GHSA-r9hx-vwmv-q579']
py310-setuptools58-58.5.3_2: ['GHSA-r9hx-vwmv-q579']
py311-setuptools-63.1.0: ['GHSA-r9hx-vwmv-q579']
py311-setuptools58-58.5.3_2: ['GHSA-r9hx-vwmv-q579']
py37-setuptools-63.1.0: ['GHSA-r9hx-vwmv-q579']
py37-setuptools58-58.5.3_2: ['GHSA-r9hx-vwmv-q579']
py38-setuptools-63.1.0: ['GHSA-r9hx-vwmv-q579']
py38-setuptools58-58.5.3_2: ['GHSA-r9hx-vwmv-q579']
py39-Flask-Cors-3.0.8: ['GHSA-xc3p-ff3m-f46v']
py39-WsgiDAV-3.1.0: ['GHSA-xx6g-jj35-pxjv']
py39-ansible-7.1.0: ['PYSEC-2020-220', 'PYSEC-2020-221', 'PYSEC-2021-125']
py39-arrow-1.2.3: ['GHSA-h588-76vg-prgj', 'GHSA-qgrp-8f3v-q85p', 'GHSA-r7cj-wmwv-hfw5', 'RUSTSEC-2021-0116', 'RUSTSEC-2021-0117', 'RUSTSEC-2021-0118']
py39-bcrypt-3.2.2: ['GHSA-5wg4-74h6-q47v']
py39-beaker-1.12.1: ['PYSEC-2020-216']
py39-branca-0.6.0: ['GHSA-c9rv-3jmq-527w', 'RUSTSEC-2020-0075']
py39-capstone-4.0.2: ['OSV-2020-438']
py39-celery-4.4.7: ['GHSA-q4xr-rc97-m4xx', 'PYSEC-2021-858']
py39-cinder-12.0.10_22: ['GHSA-7h75-hwxx-qpgc', 'GHSA-qhch-g8qr-p497', 'PYSEC-2020-228']
py39-codecov-2.1.12: ['GHSA-5q88-cjfq-g2mh', 'GHSA-mh2h-6j8q-x246', 'GHSA-xp63-6vf5-xf3v']
py39-configobj-5.0.8: ['GHSA-c33w-24p9-8m24']
py39-cryptography-3.4.8_1,1: ['GHSA-w7pp-m8wf-vj6r', 'GHSA-x4qr-2fvf-3mr5']
py39-django-photologue-3.15_1: ['GHSA-287q-jfcp-9vhv']
py39-django-tinymce-3.6.1: ['GHSA-r8hm-w5f7-wj39']
py39-dparse-0.5.1: ['GHSA-8fg9-p83m-x5pq', 'PYSEC-2022-301']
py39-flask-caching-1.9.0: ['GHSA-656c-6cxf-hvcv', 'PYSEC-2021-13']
py39-flask-security-3.0.0_1: ['GHSA-cg8c-gc2j-2wf7']
py39-flatbuffers-2.0: ['GHSA-3jch-9qgp-4844', 'RUSTSEC-2021-0122']
py39-gstreamer1-1.20.5: ['OSV-2022-1089', 'OSV-2022-1168']
py39-httpie-3.0.2: ['GHSA-6pc9-xqrg-wfqw', 'GHSA-9w4w-cpc8-h2fq', 'PYSEC-2022-167', 'PYSEC-2022-34']
py39-httpx013-0.13.3_3: ['GHSA-h8pj-cxx2-jfg2', 'PYSEC-2022-183']
py39-impacket-0.9.17_1: ['GHSA-mj63-64x7-57xf', 'PYSEC-2021-17']
py39-jmespath-1.0.1: ['GHSA-5c5f-7vfq-3732']
py39-joblib-1.1.0: ['GHSA-6hrg-qmvc-2xh8', 'PYSEC-2022-288']
py39-json5-0.9.11: ['GHSA-9c47-m6qq-7p4h']
py39-jsonpointer-2.0: ['GHSA-282f-qqgm-c34q']
py39-kerberos-1.3.1: ['PYSEC-2017-49']
py39-lmdb-0.97: ['PYSEC-2019-236', 'PYSEC-2019-237', 'PYSEC-2019-238', 'PYSEC-2019-239', 'PYSEC-2019-240']
py39-markdown2-2.3.6: ['GHSA-fv3h-8x5j-pvgq', 'GHSA-jr9p-r423-9m2r', 'PYSEC-2020-65', 'PYSEC-2021-20']
py39-mime-0.1.0: ['GHSA-wrvr-8mpx-r7pp']
py39-nbdime-3.1.1_1: ['GHSA-p6rw-44q7-3fw4']
py39-nicotine-plus-3.2.0_1: ['GHSA-p4v2-r99v-wjc2']
py39-parse-1.19.0: ['GHSA-wvh7-5p38-2qfc']
py39-psutil121-1.2.1_2: ['GHSA-qfc5-mcwq-26q8', 'PYSEC-2019-41']
py39-py-1.11.0: ['GHSA-w596-4wvx-j9j6', 'PYSEC-2022-42969']
py39-pycares-4.1.2: ['GHSA-c58j-88f5-h53f']
py39-pygments-25-2.5.2: ['GHSA-9w8r-397f-prfh', 'GHSA-pq64-v7f5-gqh8', 'PYSEC-2021-140', 'PYSEC-2021-141']
py39-pyinstaller-3.5_1: ['GHSA-7fcj-pq9j-wh2r', 'PYSEC-2020-175', 'PYSEC-2020-194']
py39-pymatgen-2022.7.19: ['GHSA-5jqp-885w-xj32']
py39-pysaml24-4.9.0_1: ['GHSA-5p3x-r448-pc62', 'GHSA-f4g9-h89h-jgv9', 'GHSA-qf7v-8hj3-4xw7', 'PYSEC-2020-94', 'PYSEC-2021-48', 'PYSEC-2021-49']
py39-redis2-2.10.6_2: ['GHSA-24wv-mv5m-xv4h', 'GHSA-8fww-64cx-x8p5', 'GHSA-35q2-47q7-3pc3']
py39-redis3-3.5.3: ['GHSA-24wv-mv5m-xv4h', 'GHSA-8fww-64cx-x8p5']
py39-rencode-1.0.6_1: ['GHSA-gh8j-2pgf-x458', 'PYSEC-2021-345']
py39-semver-2.13.0: ['GHSA-x6fg-f45m-jf5q']
py39-sentry-sdk-1.5.12: ['GHSA-29pr-6jr8-q5jm']
py39-setuptools-63.1.0: ['GHSA-r9hx-vwmv-q579']
py39-setuptools58-58.5.3_2: ['GHSA-r9hx-vwmv-q579']
py39-slixmpp-1.7.1: ['GHSA-q6cq-m9gm-6q2f']
py39-sqlalchemy10-1.0.14: ['GHSA-38fc-9xqv-7f7q', 'GHSA-887w-45rq-vxgf', 'PYSEC-2019-123', 'PYSEC-2019-124', 'PYSEC-2019-53', 'PYSEC-2019-54']
py39-sqlalchemy11-1.1.18: ['GHSA-38fc-9xqv-7f7q', 'GHSA-887w-45rq-vxgf', 'PYSEC-2019-123', 'PYSEC-2019-124', 'PYSEC-2019-53', 'PYSEC-2019-54']
py39-sqlalchemy12-1.2.19: ['GHSA-38fc-9xqv-7f7q', 'GHSA-887w-45rq-vxgf']
py39-suds-1.1.2: ['PYSEC-2013-32']
py39-tensorflow-2.9.1_7: ['GHSA-27rc-728f-x5w2', 'GHSA-368v-7v32-52fx', 'GHSA-49rq-hwc3-x77w', 'GHSA-54pp-c6pp-7fpx', 'GHSA-558h-mq8x-7q9g', 'GHSA-5w96-866f-6rm8', 'GHSA-647v-r7qq-24fh', 'GHSA-64jg-wjww-7c5w', 'GHSA-66vq-54fq-6jvv', 'GHSA-67pf-62xr-q35m', 'GHSA-68v3-g9cm-rmm6', 'GHSA-6hg6-5c2q-7rcr', 'GHSA-6wfh-89q8-44jq', 'GHSA-6x99-gv2v-q76v', 'GHSA-7jvm-xxmr-v5cw', 'GHSA-7x4v-9gxg-9hwj', 'GHSA-8fvv-46hw-vpg3', 'GHSA-8w5g-3wcv-9g2j', 'GHSA-93vr-9q9m-pj8p', 'GHSA-94mm-g2mv-8p7r', 'GHSA-cg88-rpvp-cjv5', 'GHSA-cqvq-fvhr-v6hc', 'GHSA-f2w8-jw48-fr7j', 'GHSA-f49c-87jh-g47q', 'GHSA-f637-vh3r-vfh2', 'GHSA-fqm2-gh8w-gr68', 'GHSA-frqp-wp83-qggv', 'GHSA-fxgc-95xx-grvq', 'GHSA-g9fm-r5mm-rf9f', 'GHSA-gf97-q72m-7579', 'GHSA-gq2j-cr96-gvqx', 'GHSA-gw97-ff7c-9v96', 'GHSA-h246-cgh4-7475', 'GHSA-h6q3-vv32-2cq5', 'GHSA-hq7g-wwwp-q46h', 'GHSA-j5w9-hmfh-4cr6', 'GHSA-jq6x-99hj-q636', 'GHSA-mgmh-g2v6-mqw5', 'GHSA-mv77-9g28-cwg3', 'GHSA-pf36-r9c6-h97j', 'GHSA-qjqc-vqcf-5qvj', 'GHSA-rcf8-g8jv-vg6p', 'GHSA-rjx6-v474-2ch9', 'GHSA-rmg2-f698-wq35', 'GHSA-xf83-q765-xm6m', 'GHSA-xvwp-h6jv-7472', 'GHSA-xxcj-rhqg-m46g']
py39-treq-20.9.0: ['GHSA-fhpf-pp6p-55qc']
py39-unicorn-1.0.2: ['OSV-2020-1373', 'OSV-2020-1409', 'OSV-2020-1410', 'OSV-2020-2180', 'OSV-2020-2305', 'OSV-2020-802', 'OSV-2020-825', 'OSV-2020-837', 'OSV-2021-1046', 'OSV-2021-1230', 'OSV-2021-307', 'OSV-2021-345', 'PYSEC-2021-868']
py39-wagtail-4.2_2: ['GHSA-33pv-vcgh-jfg9', 'GHSA-5286-f2rf-35c2']
py39-whois-0.9.13: ['GHSA-97jv-c342-5xhc']
radare2-5.8.4: ['OSV-2022-1137', 'OSV-2022-993', 'OSV-2023-35', 'OSV-2023-96']
rubygem-actionpack4-4.2.11.3: ['GHSA-7wjx-3g7j-8584', 'GHSA-8xww-x3g3-6jcv', 'GHSA-9chr-4fjh-5rgw', 'GHSA-hjg4-8q5f-x6fm', 'GHSA-p84v-45xj-wwqj']
rubygem-actionpack5-5.1.7_1: ['GHSA-7wjx-3g7j-8584', 'GHSA-8727-m6gj-mc37', 'GHSA-8xww-x3g3-6jcv', 'GHSA-9chr-4fjh-5rgw', 'GHSA-hjg4-8q5f-x6fm', 'GHSA-jp5v-5gx4-jmj9', 'GHSA-p84v-45xj-wwqj', 'GHSA-wh98-p28r-vrc9']
rubygem-actionpack50-5.0.7.2_2: ['GHSA-7wjx-3g7j-8584', 'GHSA-8727-m6gj-mc37', 'GHSA-8xww-x3g3-6jcv', 'GHSA-9chr-4fjh-5rgw', 'GHSA-hjg4-8q5f-x6fm', 'GHSA-jp5v-5gx4-jmj9', 'GHSA-p84v-45xj-wwqj', 'GHSA-wh98-p28r-vrc9']
rubygem-actionpack52-5.2.8.1_1: ['GHSA-8xww-x3g3-6jcv', 'GHSA-9chr-4fjh-5rgw', 'GHSA-p84v-45xj-wwqj']
rubygem-actionpack60-6.0.6.1: ['GHSA-8xww-x3g3-6jcv', 'GHSA-9chr-4fjh-5rgw', 'GHSA-p84v-45xj-wwqj']
rubygem-actionpack61-6.1.7.3: ['GHSA-9chr-4fjh-5rgw']
rubygem-actionview4-4.2.11.3: ['GHSA-65cv-r6x7-79hv', 'GHSA-cfjv-5498-mph5', 'GHSA-ch3h-j2vf-95pv']
rubygem-actionview5-5.1.7: ['GHSA-65cv-r6x7-79hv', 'GHSA-cfjv-5498-mph5', 'GHSA-ch3h-j2vf-95pv', 'GHSA-xq5j-gw7f-jgj8']
rubygem-actionview50-5.0.7.2: ['GHSA-65cv-r6x7-79hv', 'GHSA-cfjv-5498-mph5', 'GHSA-ch3h-j2vf-95pv', 'GHSA-xq5j-gw7f-jgj8']
rubygem-activerecord4-4.2.11.3: ['GHSA-3hhc-qp5v-9p2j', 'GHSA-579w-22j4-4749']
rubygem-activerecord5-5.1.7: ['GHSA-3hhc-qp5v-9p2j', 'GHSA-579w-22j4-4749', 'GHSA-8hc4-xxm3-5ppp']
rubygem-activerecord50-5.0.7.2: ['GHSA-3hhc-qp5v-9p2j', 'GHSA-579w-22j4-4749', 'GHSA-8hc4-xxm3-5ppp']
rubygem-activerecord52-5.2.8.1: ['GHSA-579w-22j4-4749']
rubygem-activerecord60-6.0.6.1: ['GHSA-579w-22j4-4749']
rubygem-activeresource4-4.1.0: ['GHSA-46j2-xjgp-jrfm']
rubygem-activesupport4-4.2.11.3: ['GHSA-j6gc-792m-qgm2', 'GHSA-pj73-v5mw-pm9j']
rubygem-activesupport5-5.1.7_1: ['GHSA-2p68-f74v-9wc6', 'GHSA-j6gc-792m-qgm2', 'GHSA-pj73-v5mw-pm9j']
rubygem-activesupport50-5.0.7.2_1: ['GHSA-2p68-f74v-9wc6', 'GHSA-j6gc-792m-qgm2', 'GHSA-pj73-v5mw-pm9j']
rubygem-activesupport52-5.2.8.1: ['GHSA-j6gc-792m-qgm2', 'GHSA-pj73-v5mw-pm9j']
rubygem-activesupport60-6.0.6.1: ['GHSA-j6gc-792m-qgm2', 'GHSA-pj73-v5mw-pm9j']
rubygem-async-2.5.0: ['GHSA-fwr7-v2mv-hh25']
rubygem-aws-sdk2-2.11.632: ['GHSA-rrc9-gqf8-8rwg']
rubygem-base64-0.1.1: ['GHSA-x67x-vg9m-65c3', 'RUSTSEC-2017-0004']
rubygem-bcrypt-3.1.18: ['GHSA-5wg4-74h6-q47v']
rubygem-bootstrap-sass-3.4.1: ['GHSA-9v3m-8fp8-mj99']
rubygem-cairo-1.17.8: ['OSV-2023-298']
rubygem-cookiejar-0.3.3: ['GHSA-h452-7996-h45h']
rubygem-cose-1.2.0: ['GHSA-746g-3gfp-hfhw']
rubygem-debug-1.7.2: ['GHSA-9vvw-cc9w-f27h', 'GHSA-gxpj-cx7g-858c']
rubygem-foreman-0.87.2: ['GHSA-xm28-fw2x-fqv2']
rubygem-generator-0.0.1: ['GHSA-6c65-xcf5-299x', 'GHSA-h6gg-fvf5-qgwf', 'GHSA-w3g5-2848-2v8r', 'RUSTSEC-2019-0020', 'RUSTSEC-2020-0151']
rubygem-globalid-0.4.2: ['GHSA-23c2-gwp5-pxw9']
rubygem-gon-rails5-6.2.1: ['GHSA-78vq-9j56-wrfr']
rubygem-gon-rails50-6.2.1: ['GHSA-78vq-9j56-wrfr']
rubygem-httparty-0.20.0: ['GHSA-5pq7-52mg-hr42']
rubygem-ini-0.1.1: ['GHSA-qqgx-2p2h-9c37']
rubygem-json-2.6.3: ['GHSA-3c6g-pvg8-gqw2']
rubygem-json1-1.8.6: ['GHSA-3c6g-pvg8-gqw2', 'GHSA-jphg-qwrw-7w9g']
rubygem-kramdown1-1.17.0: ['GHSA-52p9-v744-mwjj', 'GHSA-mqm2-cgpr-p4m6']
rubygem-mqtt-0.6.0: ['GHSA-hg78-c92r-hvwr']
rubygem-mustache-1.1.1: ['GHSA-3233-rgx3-c2wh', 'GHSA-w3w8-37jv-2c58']
rubygem-mustache0-0.99.8: ['GHSA-3233-rgx3-c2wh', 'GHSA-w3w8-37jv-2c58']
rubygem-mysql-2.9.1_1: ['GHSA-5f7m-mmpc-qhh4']
rubygem-netaddr-2.0.1: ['GHSA-49pj-69vf-c689']
rubygem-nokogiri111-1.11.7_2: ['GHSA-2qc6-mcvw-92cw', 'GHSA-2rr5-8q37-2w7h', 'GHSA-cgx6-hpwq-fhv5', 'GHSA-crjr-9rc5-ghw8', 'GHSA-fq42-c5rg-92c2', 'GHSA-gx8x-g87m-h5q6', 'GHSA-pxvg-2qj5-37jq', 'GHSA-v6gp-9mmm-c6p5', 'GHSA-xh29-r2w5-wx8m', 'GHSA-xxx9-3xcr-gjj3']
rubygem-omniauth1-1.9.2_1: ['GHSA-ww4x-rwq6-qpgf']
rubygem-oxidized-web-0.13.1_4: ['GHSA-8qwh-rm6c-jv96']
rubygem-pdfkit-0.8.7: ['GHSA-rhwx-hjx2-x4qr']
rubygem-pg-1.4.6: ['GHSA-wc9v-mj63-m9g5']
rubygem-pg13-1.3.5: ['GHSA-wc9v-mj63-m9g5']
rubygem-pghero-rails5-2.8.3: ['GHSA-vf99-xw26-86g5']
rubygem-pghero-rails50-2.8.3: ['GHSA-vf99-xw26-86g5']
rubygem-rack16-1.6.13: ['GHSA-3h57-hmj3-gj3p', 'GHSA-5f9h-9pjv-v6j7', 'GHSA-65f5-mfpf-vfhj', 'GHSA-hxqx-xwvh-44m2', 'GHSA-j6w9-fv6q-3q52', 'GHSA-wq4h-7r42-5hrr']
rubygem-rails4-4.2.11.3: ['GHSA-579w-22j4-4749', 'GHSA-7wjx-3g7j-8584', 'GHSA-9chr-4fjh-5rgw', 'GHSA-cfjv-5498-mph5', 'GHSA-ch3h-j2vf-95pv']
rubygem-rails5-5.1.7_2: ['GHSA-579w-22j4-4749', 'GHSA-7wjx-3g7j-8584', 'GHSA-9chr-4fjh-5rgw', 'GHSA-cfjv-5498-mph5', 'GHSA-ch3h-j2vf-95pv', 'GHSA-wh98-p28r-vrc9']
rubygem-rails50-5.0.7.2_2: ['GHSA-579w-22j4-4749', 'GHSA-7wjx-3g7j-8584', 'GHSA-9chr-4fjh-5rgw', 'GHSA-cfjv-5498-mph5', 'GHSA-ch3h-j2vf-95pv', 'GHSA-wh98-p28r-vrc9']
rubygem-rails52-5.2.8.1: ['GHSA-579w-22j4-4749', 'GHSA-9chr-4fjh-5rgw']
rubygem-sanitize-6.0.0: ['GHSA-fw3g-2h3j-qmm7']
rubygem-simple_form-4.0.0: ['GHSA-r74q-gxcg-73hx']
rubygem-sinatra1-1.4.8: ['GHSA-qp49-3pvw-x4m5']
rubygem-terser-1.0.2: ['GHSA-4wf5-vphf-c2xc']
rubygem-terser11-1.1.14: ['GHSA-4wf5-vphf-c2xc']
rubygem-time-0.2.2: ['GHSA-wcg3-cvx6-7396']
rubygem-tweetstream-2.6.1_1: ['GHSA-6hrm-jqp3-64cv']
rubygem-twitter-stream-0.1.16_2: ['GHSA-p6p8-q4pj-f74m']
rubygem-unicode-0.4.4.4: ['GHSA-qjf4-7642-c57p']
rubygem-useragent-0.16.10: ['GHSA-pjmx-9xr3-82qr']
send-0.3_4: ['GHSA-jgqf-hwc5-hh37', 'GHSA-pgv6-jrvv-75jp', 'GHSA-xwg4-93c6-3h42']
showdown-0.6_3: ['GHSA-h6mq-3cj6-h738']
svg2png-0.1.3_6: ['GHSA-mpp5-2x55-49xw']
tidy-html5-5.8.0_2: ['OSV-2020-1427', 'OSV-2020-1440']
ua_parser-core-0.5.0_1: ['GHSA-fx7m-j728-mjw3']
unicorn-1.0.2: ['OSV-2020-1373', 'OSV-2020-1409', 'OSV-2020-1410', 'OSV-2020-2180', 'OSV-2020-2305', 'OSV-2020-802', 'OSV-2020-825', 'OSV-2020-837', 'OSV-2021-1046', 'OSV-2021-1230', 'OSV-2021-307', 'OSV-2021-345', 'PYSEC-2021-868']
vmd-1.9.4: ['GHSA-pfr3-87q3-65rc']
wabt-1.0.32: ['OSV-2021-1241', 'OSV-2022-1248', 'OSV-2022-1261', 'OSV-2022-1263', 'OSV-2022-916']
wasm3-0.5.0_2: ['GHSA-77fq-4xf5-hph4', 'GHSA-crf8-h2wq-2h9x']
webbrowser-0.3: ['GHSA-m589-mv4q-p7rj']
zh-opencc-1.0.5_3: ['GHSA-9qh2-6fxg-9m4g']

Best regards,

On Tue, 4 Apr 2023 at 12:31, Hubert Tournier wrote:

> I'm OK to do the OSV tool.
>
> Best regards,
>
> On Tue, 4 Apr 2023 at 11:58, void wrote:
>
>> On Sun, Mar 26, 2023 at 12:16:53PM +0200, Hubert Tournier wrote:
>> >Hello,
>> >
>> >While working on pipinfo, an alternative Python packages management tool, I noticed that some Python
>> >packages installed as FreeBSD ports were marked as vulnerable by the Python Packaging Authority
>> >but not in FreeBSD VuXML ports security database.
>> >
>> >So I made a pysec2vuxml tool to check the 4.000+ FreeBSD ports for Python packages and found 45 of them
>> >vulnerable and unreported.
>> >
>> >I started producing new VuXML entries for these vulnerable ports. *Please tell me if it's worth pursuing this effort?*
>> >
>> >In order to verify if these vulnerable ports were also marked as vulnerable in FreeBSD VuXML, I made a Python VuXML handling library and got
>> >carried away writing a whole utility, vuxml, to demonstrate its use. This could be of general interest to some of you?
>> >
>> >Best regards,
>> >
>> >PS: this approach could be extended to Rust crates, Ruby gems and so on with the vulnerabilities described in the OSV ...
>>
>> +1 ^^^ really good idea
>>
>> Probably best to ask in freebsd-hackers@ as devs are likely to read this there
>> --
>>
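As an added illustration of the name-based matching the report describes (port prefixes, PORTREVISION/PORTEPOCH suffixes, version-bearing names such as setuptools58) and of the OSV range check behind it; this is example code, not osv2vuxml or pysec2vuxml, the prefix-to-ecosystem mapping and the advisory record are constructed with a placeholder id, and version ordering is a simplified numeric compare rather than PEP 440 or Gem::Version:

```python
"""Match FreeBSD package names against OSV-style advisories (added example,
not code from osv2vuxml or pysec2vuxml). Step 1 normalises a package name:
prefix -> OSV ecosystem, PORTREVISION "_N" / PORTEPOCH ",N" stripped, plus a
digit-stripped guess for names like setuptools58. Step 2 checks the version
against an OSV "affected" ECOSYSTEM range. All sample data is constructed."""
import re

# Constructed prefix -> OSV ecosystem mapping for prefixes seen in the report.
PREFIX_TO_ECOSYSTEM = [
    (re.compile(r"^py\d+-"), "PyPI"),
    (re.compile(r"^rubygem-"), "RubyGems"),
]

def split_pkgname(pkgname):
    """'go-protobuf-1.3.2_12,1' -> ('go-protobuf', '1.3.2', 12, 1)."""
    name, _, full = pkgname.rpartition("-")
    if not name or not full:
        raise ValueError("not a FreeBSD package name: %r" % pkgname)
    version, _, epoch = full.partition(",")        # PORTEPOCH after ","
    version, _, revision = version.partition("_")  # PORTREVISION after "_"
    return name, version, int(revision or 0), int(epoch or 0)

def upstream_candidates(name):
    """Return (ecosystem or None, [prefix-stripped name, digit-stripped guess])."""
    ecosystem = None
    for pattern, eco in PREFIX_TO_ECOSYSTEM:
        if pattern.match(name):
            name = pattern.sub("", name, count=1)
            ecosystem = eco
            break
    candidates = [name]
    # Heuristic: setuptools58 -> setuptools, but json5 is a real PyPI package,
    # so a hit on the second candidate is flagged for manual review.
    bare = re.sub(r"\d+$", "", name)
    if bare and bare != name:
        candidates.append(bare)
    return ecosystem, candidates

def version_key(version):
    """Simplified ordering key: the numeric components only."""
    return tuple(int(x) for x in re.findall(r"\d+", version))

def version_in_ranges(version, affected):
    """True if version is listed explicitly or lies in an ECOSYSTEM range."""
    if version in affected.get("versions", []):
        return True
    v = version_key(version)
    for rng in affected.get("ranges", []):
        if rng.get("type") != "ECOSYSTEM":
            continue
        lower = None
        for ev in rng.get("events", []):       # OSV events are ordered
            if "introduced" in ev:
                lower = version_key(ev["introduced"])
            elif "fixed" in ev and lower is not None:
                if lower <= v < version_key(ev["fixed"]):
                    return True
                lower = None
            elif "last_affected" in ev and lower is not None:
                if lower <= v <= version_key(ev["last_affected"]):
                    return True
                lower = None
        if lower is not None and v >= lower:   # introduced, never fixed
            return True
    return False

def find_vulnerable(pkgnames, advisories):
    """Map pkgname -> [(advisory id, matched upstream name, heuristic?)]."""
    hits = {}
    for pkgname in pkgnames:
        name, version, _rev, _epoch = split_pkgname(pkgname)
        ecosystem, candidates = upstream_candidates(name)
        for adv in advisories:
            for affected in adv.get("affected", []):
                pkg = affected.get("package", {})
                if ecosystem and pkg.get("ecosystem") != ecosystem:
                    continue
                if pkg.get("name") not in candidates:
                    continue
                if version_in_ranges(version, affected):
                    heuristic = pkg["name"] != candidates[0]
                    hits.setdefault(pkgname, []).append(
                        (adv["id"], pkg["name"], heuristic))
    return hits

# Constructed sample advisory mimicking the OSV schema (placeholder id).
SAMPLE_ADVISORIES = [{"id": "GHSA-xxxx-xxxx-xxxx", "affected": [{
    "package": {"ecosystem": "PyPI", "name": "setuptools"},
    "ranges": [{"type": "ECOSYSTEM",
                "events": [{"introduced": "0"}, {"fixed": "65.5.1"}]}]}]}]
SAMPLE_PORTS = ["py39-setuptools58-58.5.3_2", "py311-setuptools-63.1.0",
                "py39-json5-0.9.11", "go-protobuf-1.3.2_12,1"]

if __name__ == "__main__":
    for port, matches in find_vulnerable(SAMPLE_PORTS, SAMPLE_ADVISORIES).items():
        for adv_id, upstream, heuristic in matches:
            note = " (digit-stripped name, needs review)" if heuristic else ""
            print("%s: %s via %s%s" % (port, adv_id, upstream, note))
```

Matches reached through the digit-stripped candidate are the ones most likely to be the false positives the report warns about, so they are flagged rather than silently merged with exact name matches.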
py39-mime-0.1.0: ['GHSA-wrvr-8mpx-r7pp= 9;]
py39-nbdime-3.1.1_1: ['GHSA-p6rw-44q7-3fw4']
py39-nicotin= e-plus-3.2.0_1: ['GHSA-p4v2-r99v-wjc2']
py39-parse-1.19.0: ['= ;GHSA-wvh7-5p38-2qfc']
py39-psutil121-1.2.1_2: ['GHSA-qfc5-mcwq-= 26q8', 'PYSEC-2019-41']
py39-py-1.11.0: ['GHSA-w596-4wvx= -j9j6', 'PYSEC-2022-42969']
py39-pycares-4.1.2: ['GHSA-c= 58j-88f5-h53f']
py39-pygments-25-2.5.2: ['GHSA-9w8r-397f-prfh= 9;, 'GHSA-pq64-v7f5-gqh8', 'PYSEC-2021-140', 'PYSEC-202= 1-141']
py39-pyinstaller-3.5_1: ['GHSA-7fcj-pq9j-wh2r', '= ;PYSEC-2020-175', 'PYSEC-2020-194']
py39-pymatgen-2022.7.19:= ['GHSA-5jqp-885w-xj32']
py39-pysaml24-4.9.0_1: ['GHSA-5p3x-= r448-pc62', 'GHSA-f4g9-h89h-jgv9', 'GHSA-qf7v-8hj3-4xw7'= ;, 'PYSEC-2020-94', 'PYSEC-2021-48', 'PYSEC-2021-49'= ;]
py39-redis2-2.10.6_2: ['GHSA-24wv-mv5m-xv4h', 'GHSA-8fww-= 64cx-x8p5', 'GHSA-35q2-47q7-3pc3']
py39-redis3-3.5.3: ['= GHSA-24wv-mv5m-xv4h', 'GHSA-8fww-64cx-x8p5']
py39-rencode-1.= 0.6_1: ['GHSA-gh8j-2pgf-x458', 'PYSEC-2021-345']
py39-se= mver-2.13.0: ['GHSA-x6fg-f45m-jf5q']
py39-sentry-sdk-1.5.12: [&#= 39;GHSA-29pr-6jr8-q5jm']
py39-setuptools-63.1.0: ['GHSA-r9hx-vwm= v-q579']
py39-setuptools58-58.5.3_2: ['GHSA-r9hx-vwmv-q579']=
py39-slixmpp-1.7.1: ['GHSA-q6cq-m9gm-6q2f']
py39-sqlalchemy1= 0-1.0.14: ['GHSA-38fc-9xqv-7f7q', 'GHSA-887w-45rq-vxgf', &#= 39;PYSEC-2019-123', 'PYSEC-2019-124', 'PYSEC-2019-53', = 'PYSEC-2019-54']
py39-sqlalchemy11-1.1.18: ['GHSA-38fc-9xqv-= 7f7q', 'GHSA-887w-45rq-vxgf', 'PYSEC-2019-123', 'PY= SEC-2019-124', 'PYSEC-2019-53', 'PYSEC-2019-54']
py3= 9-sqlalchemy12-1.2.19: ['GHSA-38fc-9xqv-7f7q', 'GHSA-887w-45rq-= vxgf']
py39-suds-1.1.2: ['PYSEC-2013-32']
py39-tensorflow= -2.9.1_7: ['GHSA-27rc-728f-x5w2', 'GHSA-368v-7v32-52fx', &#= 39;GHSA-49rq-hwc3-x77w', 'GHSA-54pp-c6pp-7fpx', 'GHSA-558h-= mq8x-7q9g', 'GHSA-5w96-866f-6rm8', 'GHSA-647v-r7qq-24fh'= ;, 'GHSA-64jg-wjww-7c5w', 'GHSA-66vq-54fq-6jvv', 'GHSA-= 67pf-62xr-q35m', 'GHSA-68v3-g9cm-rmm6', 'GHSA-6hg6-5c2q-7rc= r', 'GHSA-6wfh-89q8-44jq', 'GHSA-6x99-gv2v-q76v', '= GHSA-7jvm-xxmr-v5cw', 'GHSA-7x4v-9gxg-9hwj', 'GHSA-8fvv-46h= w-vpg3', 'GHSA-8w5g-3wcv-9g2j', 'GHSA-93vr-9q9m-pj8p', = 'GHSA-94mm-g2mv-8p7r', 'GHSA-cg88-rpvp-cjv5', 'GHSA-cqv= q-fvhr-v6hc', 'GHSA-f2w8-jw48-fr7j', 'GHSA-f49c-87jh-g47q&#= 39;, 'GHSA-f637-vh3r-vfh2', 'GHSA-fqm2-gh8w-gr68', 'GHS= A-frqp-wp83-qggv', 'GHSA-fxgc-95xx-grvq', 'GHSA-g9fm-r5mm-r= f9f', 'GHSA-gf97-q72m-7579', 'GHSA-gq2j-cr96-gvqx', = 9;GHSA-gw97-ff7c-9v96', 'GHSA-h246-cgh4-7475', 'GHSA-h6q3-v= v32-2cq5', 'GHSA-hq7g-wwwp-q46h', 'GHSA-j5w9-hmfh-4cr6'= , 'GHSA-jq6x-99hj-q636', 'GHSA-mgmh-g2v6-mqw5', 'GHSA-m= v77-9g28-cwg3', 'GHSA-pf36-r9c6-h97j', 'GHSA-qjqc-vqcf-5qvj= ', 'GHSA-rcf8-g8jv-vg6p', 'GHSA-rjx6-v474-2ch9', 'G= HSA-rmg2-f698-wq35', 'GHSA-xf83-q765-xm6m', 'GHSA-xvwp-h6jv= -7472', 'GHSA-xxcj-rhqg-m46g']
py39-treq-20.9.0: ['GHSA-= fhpf-pp6p-55qc']
py39-unicorn-1.0.2: ['OSV-2020-1373', '= OSV-2020-1409', 'OSV-2020-1410', 'OSV-2020-2180', '= OSV-2020-2305', 'OSV-2020-802', 'OSV-2020-825', 'OS= V-2020-837', 'OSV-2021-1046', 'OSV-2021-1230', 'OSV= -2021-307', 'OSV-2021-345', 'PYSEC-2021-868']
py39-w= agtail-4.2_2: ['GHSA-33pv-vcgh-jfg9', 'GHSA-5286-f2rf-35c2'= ]
py39-whois-0.9.13: ['GHSA-97jv-c342-5xhc']
radare2-5.8.4: [= 'OSV-2022-1137', 'OSV-2022-993', 'OSV-2023-35', = 9;OSV-2023-96']
rubygem-actionpack4-4.2.11.3: ['GHSA-7wjx-3g7j-8= 584', 'GHSA-8xww-x3g3-6jcv', 'GHSA-9chr-4fjh-5rgw', = 9;GHSA-hjg4-8q5f-x6fm', 'GHSA-p84v-45xj-wwqj']
rubygem-actio= npack5-5.1.7_1: ['GHSA-7wjx-3g7j-8584', 'GHSA-8727-m6gj-mc37= 9;, 'GHSA-8xww-x3g3-6jcv', 'GHSA-9chr-4fjh-5rgw', 'GHSA= -hjg4-8q5f-x6fm', 'GHSA-jp5v-5gx4-jmj9', 'GHSA-p84v-45xj-ww= qj', 'GHSA-wh98-p28r-vrc9']
rubygem-actionpack50-5.0.7.2_2: = ['GHSA-7wjx-3g7j-8584', 'GHSA-8727-m6gj-mc37', 'GHSA-8x= ww-x3g3-6jcv', 'GHSA-9chr-4fjh-5rgw', 'GHSA-hjg4-8q5f-x6fm&= #39;, 'GHSA-jp5v-5gx4-jmj9', 'GHSA-p84v-45xj-wwqj', 'GH= SA-wh98-p28r-vrc9']
rubygem-actionpack52-5.2.8.1_1: ['GHSA-8xww-= x3g3-6jcv', 'GHSA-9chr-4fjh-5rgw', 'GHSA-p84v-45xj-wwqj'= ;]
rubygem-actionpack60-6.0.6.1: ['GHSA-8xww-x3g3-6jcv', 'GH= SA-9chr-4fjh-5rgw', 'GHSA-p84v-45xj-wwqj']
rubygem-actionpac= k61-6.1.7.3: ['GHSA-9chr-4fjh-5rgw']
rubygem-actionview4-4.2.11.= 3: ['GHSA-65cv-r6x7-79hv', 'GHSA-cfjv-5498-mph5', 'GHSA= -ch3h-j2vf-95pv']
rubygem-actionview5-5.1.7: ['GHSA-65cv-r6x7-79= hv', 'GHSA-cfjv-5498-mph5', 'GHSA-ch3h-j2vf-95pv', '= ;GHSA-xq5j-gw7f-jgj8']
rubygem-actionview50-5.0.7.2: ['GHSA-65cv= -r6x7-79hv', 'GHSA-cfjv-5498-mph5', 'GHSA-ch3h-j2vf-95pv= 9;, 'GHSA-xq5j-gw7f-jgj8']
rubygem-activerecord4-4.2.11.3: ['= ;GHSA-3hhc-qp5v-9p2j', 'GHSA-579w-22j4-4749']
rubygem-active= record5-5.1.7: ['GHSA-3hhc-qp5v-9p2j', 'GHSA-579w-22j4-4749'= ;, 'GHSA-8hc4-xxm3-5ppp']
rubygem-activerecord50-5.0.7.2: ['= GHSA-3hhc-qp5v-9p2j', 'GHSA-579w-22j4-4749', 'GHSA-8hc4-xxm= 3-5ppp']
rubygem-activerecord52-5.2.8.1: ['GHSA-579w-22j4-4749&#= 39;]
rubygem-activerecord60-6.0.6.1: ['GHSA-579w-22j4-4749']
= rubygem-activeresource4-4.1.0: ['GHSA-46j2-xjgp-jrfm']
rubygem-a= ctivesupport4-4.2.11.3: ['GHSA-j6gc-792m-qgm2', 'GHSA-pj73-v5mw= -pm9j']
rubygem-activesupport5-5.1.7_1: ['GHSA-2p68-f74v-9wc6= 9;, 'GHSA-j6gc-792m-qgm2', 'GHSA-pj73-v5mw-pm9j']
rubyge= m-activesupport50-5.0.7.2_1: ['GHSA-2p68-f74v-9wc6', 'GHSA-j6gc= -792m-qgm2', 'GHSA-pj73-v5mw-pm9j']
rubygem-activesupport52-= 5.2.8.1: ['GHSA-j6gc-792m-qgm2', 'GHSA-pj73-v5mw-pm9j']
= rubygem-activesupport60-6.0.6.1: ['GHSA-j6gc-792m-qgm2', 'GHSA-= pj73-v5mw-pm9j']
rubygem-async-2.5.0: ['GHSA-fwr7-v2mv-hh25'= ]
rubygem-aws-sdk2-2.11.632: ['GHSA-rrc9-gqf8-8rwg']
rubygem-= base64-0.1.1: ['GHSA-x67x-vg9m-65c3', 'RUSTSEC-2017-0004']<= br>rubygem-bcrypt-3.1.18: ['GHSA-5wg4-74h6-q47v']
rubygem-bootst= rap-sass-3.4.1: ['GHSA-9v3m-8fp8-mj99']
rubygem-cairo-1.17.8: [&= #39;OSV-2023-298']
rubygem-cookiejar-0.3.3: ['GHSA-h452-7996-h45= h']
rubygem-cose-1.2.0: ['GHSA-746g-3gfp-hfhw']
rubygem-d= ebug-1.7.2: ['GHSA-9vvw-cc9w-f27h', 'GHSA-gxpj-cx7g-858c']<= br>rubygem-foreman-0.87.2: ['GHSA-xm28-fw2x-fqv2']
rubygem-gener= ator-0.0.1: ['GHSA-6c65-xcf5-299x', 'GHSA-h6gg-fvf5-qgwf', = 'GHSA-w3g5-2848-2v8r', 'RUSTSEC-2019-0020', 'RUSTSEC-20= 20-0151']
rubygem-globalid-0.4.2: ['GHSA-23c2-gwp5-pxw9']rubygem-gon-rails5-6.2.1: ['GHSA-78vq-9j56-wrfr']
rubygem-gon-r= ails50-6.2.1: ['GHSA-78vq-9j56-wrfr']
rubygem-httparty-0.20.0: [= 'GHSA-5pq7-52mg-hr42']
rubygem-ini-0.1.1: ['GHSA-qqgx-2p2h-9= c37']
rubygem-json-2.6.3: ['GHSA-3c6g-pvg8-gqw2']
rubygem= -json1-1.8.6: ['GHSA-3c6g-pvg8-gqw2', 'GHSA-jphg-qwrw-7w9g'= ]
rubygem-kramdown1-1.17.0: ['GHSA-52p9-v744-mwjj', 'GHSA-mq= m2-cgpr-p4m6']
rubygem-mqtt-0.6.0: ['GHSA-hg78-c92r-hvwr']rubygem-mustache-1.1.1: ['GHSA-3233-rgx3-c2wh', 'GHSA-w3w8-37= jv-2c58']
rubygem-mustache0-0.99.8: ['GHSA-3233-rgx3-c2wh', = 'GHSA-w3w8-37jv-2c58']
rubygem-mysql-2.9.1_1: ['GHSA-5f7m-mm= pc-qhh4']
rubygem-netaddr-2.0.1: ['GHSA-49pj-69vf-c689']
= rubygem-nokogiri111-1.11.7_2: ['GHSA-2qc6-mcvw-92cw', 'GHSA-2rr= 5-8q37-2w7h', 'GHSA-cgx6-hpwq-fhv5', 'GHSA-crjr-9rc5-ghw8&#= 39;, 'GHSA-fq42-c5rg-92c2', 'GHSA-gx8x-g87m-h5q6', 'GHS= A-pxvg-2qj5-37jq', 'GHSA-v6gp-9mmm-c6p5', 'GHSA-xh29-r2w5-w= x8m', 'GHSA-xxx9-3xcr-gjj3']
rubygem-omniauth1-1.9.2_1: [= 9;GHSA-ww4x-rwq6-qpgf']
rubygem-oxidized-web-0.13.1_4: ['GHSA-8q= wh-rm6c-jv96']
rubygem-pdfkit-0.8.7: ['GHSA-rhwx-hjx2-x4qr']=
rubygem-pg-1.4.6: ['GHSA-wc9v-mj63-m9g5']
rubygem-pg13-1.3.5= : ['GHSA-wc9v-mj63-m9g5']
rubygem-pghero-rails5-2.8.3: ['GHS= A-vf99-xw26-86g5']
rubygem-pghero-rails50-2.8.3: ['GHSA-vf99-xw2= 6-86g5']
rubygem-rack16-1.6.13: ['GHSA-3h57-hmj3-gj3p', '= ;GHSA-5f9h-9pjv-v6j7', 'GHSA-65f5-mfpf-vfhj', 'GHSA-hxqx-xw= vh-44m2', 'GHSA-j6w9-fv6q-3q52', 'GHSA-wq4h-7r42-5hrr']=
rubygem-rails4-4.2.11.3: ['GHSA-579w-22j4-4749', 'GHSA-7wjx= -3g7j-8584', 'GHSA-9chr-4fjh-5rgw', 'GHSA-cfjv-5498-mph5= 9;, 'GHSA-ch3h-j2vf-95pv']
rubygem-rails5-5.1.7_2: ['GHSA-57= 9w-22j4-4749', 'GHSA-7wjx-3g7j-8584', 'GHSA-9chr-4fjh-5rgw&= #39;, 'GHSA-cfjv-5498-mph5', 'GHSA-ch3h-j2vf-95pv', 'GH= SA-wh98-p28r-vrc9']
rubygem-rails50-5.0.7.2_2: ['GHSA-579w-22j4-= 4749', 'GHSA-7wjx-3g7j-8584', 'GHSA-9chr-4fjh-5rgw', &#= 39;GHSA-cfjv-5498-mph5', 'GHSA-ch3h-j2vf-95pv', 'GHSA-wh98-= p28r-vrc9']
rubygem-rails52-5.2.8.1: ['GHSA-579w-22j4-4749',= 'GHSA-9chr-4fjh-5rgw']
rubygem-sanitize-6.0.0: ['GHSA-fw3g-= 2h3j-qmm7']
rubygem-simple_form-4.0.0: ['GHSA-r74q-gxcg-73hx'= ;]
rubygem-sinatra1-1.4.8: ['GHSA-qp49-3pvw-x4m5']
rubygem-te= rser-1.0.2: ['GHSA-4wf5-vphf-c2xc']
rubygem-terser11-1.1.14: [&#= 39;GHSA-4wf5-vphf-c2xc']
rubygem-time-0.2.2: ['GHSA-wcg3-cvx6-73= 96']
rubygem-tweetstream-2.6.1_1: ['GHSA-6hrm-jqp3-64cv']rubygem-twitter-stream-0.1.16_2: ['GHSA-p6p8-q4pj-f74m']
rubyge= m-unicode-0.4.4.4: ['GHSA-qjf4-7642-c57p']
rubygem-useragent-0.1= 6.10: ['GHSA-pjmx-9xr3-82qr']
send-0.3_4: ['GHSA-jgqf-hwc5-h= h37', 'GHSA-pgv6-jrvv-75jp', 'GHSA-xwg4-93c6-3h42']
= showdown-0.6_3: ['GHSA-h6mq-3cj6-h738']
svg2png-0.1.3_6: ['G= HSA-mpp5-2x55-49xw']
tidy-html5-5.8.0_2: ['OSV-2020-1427', &= #39;OSV-2020-1440']
ua_parser-core-0.5.0_1: ['GHSA-fx7m-j728-mjw= 3']
unicorn-1.0.2: ['OSV-2020-1373', 'OSV-2020-1409'= , 'OSV-2020-1410', 'OSV-2020-2180', 'OSV-2020-2305'= , 'OSV-2020-802', 'OSV-2020-825', 'OSV-2020-837', &= #39;OSV-2021-1046', 'OSV-2021-1230', 'OSV-2021-307', &#= 39;OSV-2021-345', 'PYSEC-2021-868']
vmd-1.9.4: ['GHSA-pf= r3-87q3-65rc']
wabt-1.0.32: ['OSV-2021-1241', 'OSV-2022-= 1248', 'OSV-2022-1261', 'OSV-2022-1263', 'OSV-2022-= 916']
wasm3-0.5.0_2: ['GHSA-77fq-4xf5-hph4', 'GHSA-crf8-= h2wq-2h9x']
webbrowser-0.3: ['GHSA-m589-mv4q-p7rj']
zh-op= encc-1.0.5_3: ['GHSA-9qh2-6fxg-9m4g']

Best regards,

On Tue, 4 Apr 2023 at 12:31, Hubert Tournier <hubert.tournier@gmail.com> wrote:
> I'm OK to do the OSV tool.
>
> Best regards,
>
> On Tue, 4 Apr 2023 at 11:58, void <void@f-m.fm> wrote:
>> On Sun, Mar 26, 2023 at 12:16:53PM +0200, Hubert Tournier wrote:
>>> Hello,
>>>
>>> While working on pipinfo <https://github.com/HubTou/pipinfo>, an
>>> alternative Python packages management tool, I noticed that some Python
>>> packages installed as FreeBSD ports were marked as vulnerable by the Python
>>> Packaging Authority
>>> <https://warehouse.pypa.io/api-reference/json.html#known-vulnerabilities>
>>> but not in the FreeBSD VuXML <https://www.vuxml.org/freebsd/index.html> ports
>>> security database.
>>>
>>> So I made a pysec2vuxml <https://github.com/HubTou/pysec2vuxml> tool to
>>> check the 4,000+ FreeBSD ports for Python packages and found 45 of them
>>> vulnerable and unreported
>>> <https://github.com/HubTou/pysec2vuxml/blob/main/results.txt>.
>>>
>>> I started producing new VuXML entries
>>> <https://github.com/HubTou/pysec2vuxml/blob/main/vuxml_newentries.txt> for
>>> these vulnerable ports. *Please tell me if it's worth pursuing this effort.*
>>>
>>> In order to verify if these vulnerable ports were also marked as
>>> vulnerable in FreeBSD VuXML, I made a Python VuXML handling library and got
>>> carried away writing a whole utility, vuxml
>>> <https://github.com/HubTou/vuxml>, to demonstrate its use. This could be of
>>> general interest to some of you?
>>>
>>> Best regards,
>>>
>>> PS: this approach could be extended to Rust crates, Ruby gems and so on
>>> with the vulnerabilities described in the OSV <https://osv.dev/>...
>> +1 ^^^ really good idea
>>
>> Probably best to ask in freebsd-hackers@ as devs are likely to
>> read this there
>> --
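The cross-check the thread describes (installed port versions matched against advisory ranges from OSV/PyPA, then against VuXML to find ports that are vulnerable but unreported), as an added example that is not the pysec2vuxml or vuxml code from the thread. It assumes the OSV record layout (affected[].package, affected[].ranges[].events with "introduced"/"fixed") and the VuXML <vuln>/<affects>/<package>/<name>/<range> layout; the port-to-PyPI name mapping is a heuristic, and the advisory record, the VuXML fragment and its vid are constructed sample data (the GHSA id is taken from the list above, the range is illustrative).

```python
"""Cross-check FreeBSD package names against OSV-style advisories and VuXML.

Added example, not the pysec2vuxml/vuxml code discussed in the thread.
Assumptions: advisories follow the OSV schema (affected[].package,
affected[].ranges[].events with "introduced"/"fixed"); VuXML entries use
<vuln vid>/<affects>/<package>/<name>/<range>. All sample data is constructed.
"""
import re
import xml.etree.ElementTree as ET

PKG_RE = re.compile(r"^(?P<name>.+)-(?P<ver>[^-]+)$")


def split_pkg(pkg):
    """'py39-setuptools58-58.5.3_2,1' -> ('py39-setuptools58', '58.5.3').
    FreeBSD appends PORTREVISION (_n) and PORTEPOCH (,n); neither belongs to
    the upstream version that advisory ranges refer to."""
    m = PKG_RE.match(pkg)
    if not m:
        raise ValueError("not a FreeBSD package name: %s" % pkg)
    upstream = m.group("ver").split(",")[0].split("_")[0]
    return m.group("name"), upstream


def pypi_name(portname):
    """Heuristic (assumption, not a FreeBSD rule): drop the py3x- prefix and a
    trailing branch suffix, e.g. py39-setuptools58 -> setuptools."""
    base = re.sub(r"^py\d+-", "", portname)
    return re.sub(r"\d+$", "", base).lower()


def vkey(version):
    """Dotted numeric versions only; enough for the sample data, not PEP 440."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def in_osv_range(ranges, version):
    """OSV ECOSYSTEM events: affected from an 'introduced' ("0" = from the
    start) up to, but excluding, the next 'fixed'; an 'introduced' with no
    later 'fixed' means everything from there on is affected."""
    v = vkey(version)
    for rng in ranges:
        if rng.get("type") != "ECOSYSTEM":
            continue
        inside = False
        for ev in rng.get("events", []):
            if "introduced" in ev:
                inside = ev["introduced"] == "0" or v >= vkey(ev["introduced"])
            elif "fixed" in ev and inside:
                if v < vkey(ev["fixed"]):
                    return True
                inside = False
        if inside:
            return True
    return False


def osv_ids(advisories, pypi, version):
    """Sorted advisory ids whose PyPI ranges cover this package version."""
    hits = set()
    for adv in advisories:
        for aff in adv.get("affected", []):
            pkg = aff.get("package", {})
            if pkg.get("ecosystem") == "PyPI" and pkg.get("name", "").lower() == pypi:
                if in_osv_range(aff.get("ranges", []), version):
                    hits.add(adv["id"])
    return sorted(hits)


def _local(tag):
    return tag.rsplit("}", 1)[-1]  # strip the VuXML XML namespace


def vuxml_vids(vuxml_xml, portname, version):
    """vids of entries whose <affects> covers portname at version; the
    lt/le/gt/ge/eq bounds inside one <range> are ANDed together."""
    v = vkey(version)
    cmp = {"lt": lambda b: v < b, "le": lambda b: v <= b, "gt": lambda b: v > b,
           "ge": lambda b: v >= b, "eq": lambda b: v == b}
    vids = []
    for vuln in ET.fromstring(vuxml_xml).iter():
        if _local(vuln.tag) != "vuln":
            continue
        for pkg in vuln.iter():
            if _local(pkg.tag) != "package":
                continue
            if portname not in [c.text for c in pkg if _local(c.tag) == "name"]:
                continue
            for rng in (c for c in pkg if _local(c.tag) == "range"):
                if all(cmp[_local(b.tag)](vkey(b.text)) for b in rng):
                    vids.append(vuln.get("vid"))
    return vids


def report(packages, advisories, vuxml_xml):
    """Per package: applicable OSV ids, applicable VuXML vids, and whether it
    is vulnerable per OSV with no VuXML entry (the thread's finding)."""
    out = {}
    for pkg in packages:
        portname, version = split_pkg(pkg)
        osv = osv_ids(advisories, pypi_name(portname), version)
        vux = vuxml_vids(vuxml_xml, portname, version)
        out[pkg] = {"osv": osv, "vuxml": vux, "unreported": bool(osv) and not vux}
    return out


# Constructed sample data: the GHSA id is one from the list above, the range
# is illustrative; the VuXML entry and its vid are placeholders.
SAMPLE_ADVISORIES = [{
    "id": "GHSA-r9hx-vwmv-q579",
    "affected": [{"package": {"ecosystem": "PyPI", "name": "setuptools"},
                  "ranges": [{"type": "ECOSYSTEM",
                              "events": [{"introduced": "0"}, {"fixed": "65.5.1"}]}]}],
}]
SAMPLE_VUXML = """<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
  <vuln vid="00000000-0000-0000-0000-000000000000">
    <topic>placeholder entry</topic>
    <affects><package><name>py39-setuptools58</name>
      <range><lt>65.5.1</lt></range></package></affects>
  </vuln>
</vuxml>"""
SAMPLE_PACKAGES = ["py39-setuptools-63.1.0", "py39-setuptools58-58.5.3_2",
                   "py39-sqlalchemy12-1.2.19"]

if __name__ == "__main__":
    for pkg, r in report(SAMPLE_PACKAGES, SAMPLE_ADVISORIES, SAMPLE_VUXML).items():
        print(pkg, "UNREPORTED" if r["unreported"] else "-", r["osv"], r["vuxml"])
```

On the sample data, py39-setuptools-63.1.0 is flagged by the advisory and has no VuXML entry (unreported), py39-setuptools58-58.5.3_2 is flagged but covered by the placeholder entry, and py39-sqlalchemy12-1.2.19 matches nothing. In real use the advisory list would come from an OSV or PyPI query for each package, and the version comparison should use a PEP 440 implementation rather than the numeric-only vkey above.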