From: John-Mark Gurney
To: infoomatic
Cc: freebsd-security@FreeBSD.org
Date: Wed, 19 Apr 2023 16:17:56 -0700
Subject: Re: geli key derivation function
Message-ID: <20230419231756.GM99783@funkthat.com>

infoomatic wrote this message on Wed, Apr 19, 2023 at 11:47 +0200:
> After reading [1] I would like to approach the developers to improve
> geli's KDF. Currently PKCS#5 is used (RFC 2898 from the year 2000), it
> would be great if some developers agree that this could be improved and
> hopefully they have time to implement this. What is the best way to make
> this kind of feature request?
>
> [1] https://mjg59.dreamwidth.org/66429.html

I read it too, and after a bit of research on argon2, decided not to do
anything about it. There's nothing in that post that provides proof that
PBKDF2 was broken, it wasn't even implied. Just because it's old doesn't
mean that it's insecure, etc. Like HMAC-SHA-1 is still considered secure
despite the fact that SHA-1 is broken[1].

One issue is that the function needs to work at boot, so large memory
allocations are not an option, also, at boot, only one thread of
execution is available, so can't use threads...

If anything, we should make it easier to increase the number of rounds,
that is, add an option (by default enabled) that on attach, if the
decryption took less than 1.5s, that geli immediately reencrypts the key
w/ a larger number of rounds (and overwrites the backup)... This would
also make it easier to upgrade KDFs if a newer/better one is added.

[1] https://crypto.stackexchange.com/questions/26510/why-is-hmac-sha1-still-considered-secure

-- 
John-Mark Gurney				Voice: +1 415 225 5579

     "All that I will do, has been done, All that I have, has not."
From: Hubert Tournier
To: FreeBSD-security@freebsd.org
Date: Sun, 23 Apr 2023 18:53:57 +0200
Subject: Re: 45 vulnerable ports unreported in VuXML

Hello,

Here's a little progress report on the osv2vuxml tool development.

I'm now up to the point where I can identify vulnerable (current version) FreeBSD ports from all the OSV "ecosystems". But I still have to check which are not yet reported in VuXML and generate an entry skeleton for them, like I did with pysec2vuxml. I think I'll be able to publish something in a couple of weeks...

Note that identifying a vulnerable port implies either finding a matching name (not always reliable with port prefixes / flavours / versions in port suffixes) or a matching source web site (better IMO, but there are 2576 ports out of 33565 that don't have that information).

I may find more vulnerable ports in the future by delving deeper into the data, especially if I can find matches with software packaged for Linux, Debian, Alpine and Android ecosystems... Also naming of FreeBSD ports for Go gems, Rust crates and others seems to be less consistent than for Python, Ruby and PHP packages.
So here's what's reported so far:

Ecosystem       / Language   / vulnerabilities / affected ports / vulns for affected ports
------------------------------------------------------------------------------------------
Go              / Go         / 1360 /  6 /  24
Hex             / Erlang     /   21 /  0 /   0
Maven           / Java       / 3462 /  8 /   8
NuGet           / .Net       /  267 /  3 /   3
Packagist       / PHP        / 1484 /  0 /   0
Pub             / Dart       /    5 /  0 /   0
PyPI            / Python     / 3955 / 61 / 166
RubyGems        / Ruby       /  669 / 45 / 118
crates.io       / Rust       / 1133 / 14 /  33
npm             / JavaScript / 2962 / 57 /  83
------------------------------------------------------------------------------------------
GSD             / -          /    7 /  0 /   0
GitHub Actions  / -          /    8 /  0 /   0
OSS-Fuzz        / -          / 2870 / 21 /  85
UVI             / -          /    1 /  0 /   0
------------------------------------------------------------------------------------------
215 affected ports in their current version, counting for 520 vulnerabilities

And here's a preliminary detailed list of vulnerable ports with associated vulnerability IDs (there might be a few false positives inside!).
Hopefully, it includes many already reported vulnerabilities in VuXML (at least many of those listed for Python have already been reported with pysec2vuxml):

2bsd-diff-2.11.1_1: ['GHSA-h6ch-v84p-w6p9']
R-cran-ini-0.3.1: ['GHSA-qqgx-2p2h-9c37']
R-cran-mime-0.12: ['GHSA-wrvr-8mpx-r7pp']
R-cran-rio-0.5.29: ['GHSA-8rc5-mr4f-m243']
R-cran-xopen-1.0.0: ['GHSA-74wf-cwjg-9cf2']
b2-1.3.8_1: ['GHSA-8wr4-2wm6-w3pr', 'PYSEC-2022-32']
bcrypt-1.1: ['GHSA-5wg4-74h6-q47v']
blitz-1.0.2_4: ['GHSA-5888-ffcr-r425']
capstone4-4.0.2: ['OSV-2020-438']
comrak-0.15.0_3: ['GHSA-5r3x-p7xx-x6q5', 'GHSA-8hqf-xjwp-p67v', 'GHSA-xxmq-4vph-956w']
containers-0.9.0_2: ['GHSA-cv7x-6rc6-pq5v', 'RUSTSEC-2021-0010']
coreos-etcd-2.3.8_18: ['GHSA-4993-m7g5-r9hh', 'GHSA-528j-9r78-wffx', 'GHSA-9gp7-6833-wv89', 'GHSA-h8g9-6gvh-5mrc', 'GHSA-m332-53r6-2w93', 'GHSA-p4g4-wgrh-qrg2']
coreos-etcd31-3.1.20_17: ['GHSA-4993-m7g5-r9hh', 'GHSA-528j-9r78-wffx', 'GHSA-9gp7-6833-wv89', 'GHSA-h8g9-6gvh-5mrc', 'GHSA-m332-53r6-2w93', 'GHSA-p4g4-wgrh-qrg2']
coreos-etcd32-3.2.32_15: ['GHSA-4993-m7g5-r9hh', 'GHSA-528j-9r78-wffx', 'GHSA-9gp7-6833-wv89', 'GHSA-h8g9-6gvh-5mrc', 'GHSA-m332-53r6-2w93', 'GHSA-p4g4-wgrh-qrg2']
date-3.0.1: ['GHSA-qg54-694p-wgpp']
deluge-2.0.3_3,2: ['GHSA-5c8p-qhch-qhx6', 'PYSEC-2022-256']
deluge-cli-2.0.3_4: ['GHSA-5c8p-qhch-qhx6', 'PYSEC-2022-256']
dojo-1.12.2: ['GHSA-536q-8gxx-m782', 'GHSA-jxfh-8wgv-vfr2', 'GHSA-m8gw-hjpr-rjv7']
draco-3d-compression-1.5.6: ['OSV-2020-778', 'OSV-2020-800', 'OSV-2020-824', 'OSV-2020-828', 'OSV-2021-1082']
espeak-ng-1.51.1_3: ['OSV-2021-1024', 'OSV-2021-1041', 'OSV-2021-1110', 'OSV-2021-1141', 'OSV-2021-1157', 'OSV-2021-765', 'OSV-2021-787', 'OSV-2021-802', 'OSV-2022-462', 'OSV-2022-519', 'OSV-2022-530']
flatbuffers205-2.0.5: ['GHSA-3jch-9qgp-4844', 'RUSTSEC-2021-0122']
go-protobuf-1.3.2_12,1: ['GHSA-77rm-9x9h-xj3g', 'GHSA-jwvw-v7c5-m82h', 'GHSA-mh6h-f25p-98f8']
got-0.87: ['GHSA-pfrx-2q88-qq97']
gstreamer1-1.22.0_1: ['OSV-2022-1168']
gtar-1.34: ['GHSA-3jfq-g458-7qm9', 'GHSA-5955-9wpr-37jh', 'GHSA-9r2w-394v-53qc', 'GHSA-gfjr-3jmm-4g9v', 'GHSA-j44m-qm6p-hp7m', 'GHSA-qq89-hq3f-393p', 'GHSA-r628-mhmh-qjhw']
guake-3.4.0_3: ['GHSA-7x48-7466-3g33', 'PYSEC-2022-165']
harfbuzz-7.1.0: ['OSV-2023-137', 'OSV-2023-170', 'OSV-2023-222', 'OSV-2023-323']
harp-0.6.0_3: ['GHSA-46hv-7769-j7rx', 'GHSA-6fmm-47qc-p4m4']
jbig2dec-0.19: ['OSV-2020-822']
leptonica-1.82.0: ['OSV-2022-69', 'OSV-2022-91']
libnotify-0.8.2: ['GHSA-6898-wx94-8jq8']
libraw-0.21.1: ['OSV-2022-819', 'OSV-2023-184', 'OSV-2023-90']
libredwg-0.12.4: ['OSV-2021-1086', 'OSV-2021-620', 'OSV-2021-771', 'OSV-2022-129', 'OSV-2022-363']
libsass-3.6.5: ['OSV-2020-1420', 'OSV-2020-862', 'OSV-2021-508', 'OSV-2022-896']
libucl-0.8.2: ['OSV-2021-1261', 'OSV-2022-494', 'OSV-2023-321', 'OSV-2023-78']
log4net-1.2.10_3: ['GHSA-2cwj-8chv-9pp9']
lua51-bcrypt-2.3.1: ['GHSA-5wg4-74h6-q47v']
lua51-json-1.3.4_1: ['GHSA-3c6g-pvg8-gqw2']
lua52-bcrypt-2.3.1: ['GHSA-5wg4-74h6-q47v']
lua52-json-1.3.4_1: ['GHSA-3c6g-pvg8-gqw2']
lua53-bcrypt-2.3.1: ['GHSA-5wg4-74h6-q47v']
lua53-json-1.3.4_1: ['GHSA-3c6g-pvg8-gqw2']
lua54-bcrypt-2.3.1: ['GHSA-5wg4-74h6-q47v']
lua54-json-1.3.4_1: ['GHSA-3c6g-pvg8-gqw2']
mingw32-libyaml-0.1.6_2: ['GHSA-m75h-cghq-c8h5']
mitmproxy-7.0.4_2: ['GHSA-gcx2-gvj7-pxv3', 'PYSEC-2022-170']
mongoose-5.6: ['GHSA-8687-vv9j-hgph', 'GHSA-f825-f98c-gj3g']
nlohmann-json-3.11.2: ['GHSA-3c6g-pvg8-gqw2']
ocaml-mysql-1.2.4: ['GHSA-fvq6-55gv-jx9f']
opa-0.41.0_11: ['GHSA-2m4x-4q9j-w97g', 'GHSA-f524-rf33-2jjr']
open-1.4: ['GHSA-28xh-wpgr-7fm8']
opencv-4.6.0_6: ['OSV-2022-394', 'GHSA-f698-m2v9-5fh3', 'GHSA-mc7w-4cjf-c973']
opensc-0.23.0: ['OSV-2022-1175', 'OSV-2022-1188', 'OSV-2022-1201', 'OSV-2022-1232']
p5-mem-0.4.7: ['GHSA-4xcv-9jjx-gfj3']
php80-opencc-0.0.0.20201211: ['GHSA-9qh2-6fxg-9m4g']
php80-pecl-mongodb-1.15.1: ['GHSA-4rjr-3gj2-5crq', 'GHSA-mh5c-679w-hh4r']
php80-pecl-mustache-0.9.3: ['GHSA-3233-rgx3-c2wh', 'GHSA-w3w8-37jv-2c58']
php80-pecl-ssh2-1.3.1: ['GHSA-652h-xwhf-q4h6']
php81-opencc-0.0.0.20201211: ['GHSA-9qh2-6fxg-9m4g']
php81-pecl-mongodb-1.15.1: ['GHSA-4rjr-3gj2-5crq', 'GHSA-mh5c-679w-hh4r']
php81-pecl-mustache-0.9.3: ['GHSA-3233-rgx3-c2wh', 'GHSA-w3w8-37jv-2c58']
php81-pecl-ssh2-1.3.1: ['GHSA-652h-xwhf-q4h6']
php82-opencc-0.0.0.20201211: ['GHSA-9qh2-6fxg-9m4g']
php82-pecl-mongodb-1.15.1: ['GHSA-4rjr-3gj2-5crq', 'GHSA-mh5c-679w-hh4r']
php82-pecl-mustache-0.9.3: ['GHSA-3233-rgx3-c2wh', 'GHSA-w3w8-37jv-2c58']
php82-pecl-ssh2-1.3.1: ['GHSA-652h-xwhf-q4h6']
pidgin-libnotify-0.14_15: ['GHSA-6898-wx94-8jq8']
postgresql13-semver-0.31.2: ['GHSA-x6fg-f45m-jf5q']
protobuf25-2.5.0_5: ['GHSA-77rm-9x9h-xj3g', 'GHSA-jwvw-v7c5-m82h', 'GHSA-8gq9-2x98-w8hf', 'PYSEC-2017-65', 'PYSEC-2022-48', 'GHSA-mh6h-f25p-98f8', 'RUSTSEC-2019-0003']
py27-setuptools44-44.1.1: ['GHSA-r9hx-vwmv-q579']
py310-setuptools-63.1.0: ['GHSA-r9hx-vwmv-q579']
py310-setuptools58-58.5.3_2: ['GHSA-r9hx-vwmv-q579']
py311-setuptools-63.1.0: ['GHSA-r9hx-vwmv-q579']
py311-setuptools58-58.5.3_2: ['GHSA-r9hx-vwmv-q579']
py37-setuptools-63.1.0: ['GHSA-r9hx-vwmv-q579']
py37-setuptools58-58.5.3_2: ['GHSA-r9hx-vwmv-q579']
py38-setuptools-63.1.0: ['GHSA-r9hx-vwmv-q579']
py38-setuptools58-58.5.3_2: ['GHSA-r9hx-vwmv-q579']
py39-Flask-Cors-3.0.8: ['GHSA-xc3p-ff3m-f46v']
py39-WsgiDAV-3.1.0: ['GHSA-xx6g-jj35-pxjv']
py39-ansible-7.1.0: ['PYSEC-2020-220', 'PYSEC-2020-221', 'PYSEC-2021-125']
py39-arrow-1.2.3: ['GHSA-h588-76vg-prgj', 'GHSA-qgrp-8f3v-q85p', 'GHSA-r7cj-wmwv-hfw5', 'RUSTSEC-2021-0116', 'RUSTSEC-2021-0117', 'RUSTSEC-2021-0118']
py39-bcrypt-3.2.2: ['GHSA-5wg4-74h6-q47v']
py39-beaker-1.12.1: ['PYSEC-2020-216']
py39-branca-0.6.0: ['GHSA-c9rv-3jmq-527w', 'RUSTSEC-2020-0075']
py39-capstone-4.0.2: ['OSV-2020-438']
py39-celery-4.4.7: ['GHSA-q4xr-rc97-m4xx', 'PYSEC-2021-858']
py39-cinder-12.0.10_22: ['GHSA-7h75-hwxx-qpgc', 'GHSA-qhch-g8qr-p497', 'PYSEC-2020-228']
py39-codecov-2.1.12: ['GHSA-5q88-cjfq-g2mh', 'GHSA-mh2h-6j8q-x246', 'GHSA-xp63-6vf5-xf3v']
py39-configobj-5.0.8: ['GHSA-c33w-24p9-8m24']
py39-cryptography-3.4.8_1,1: ['GHSA-w7pp-m8wf-vj6r', 'GHSA-x4qr-2fvf-3mr5']
py39-django-photologue-3.15_1: ['GHSA-287q-jfcp-9vhv']
py39-django-tinymce-3.6.1: ['GHSA-r8hm-w5f7-wj39']
py39-dparse-0.5.1: ['GHSA-8fg9-p83m-x5pq', 'PYSEC-2022-301']
py39-flask-caching-1.9.0: ['GHSA-656c-6cxf-hvcv', 'PYSEC-2021-13']
py39-flask-security-3.0.0_1: ['GHSA-cg8c-gc2j-2wf7']
py39-flatbuffers-2.0: ['GHSA-3jch-9qgp-4844', 'RUSTSEC-2021-0122']
py39-gstreamer1-1.20.5: ['OSV-2022-1089', 'OSV-2022-1168']
py39-httpie-3.0.2: ['GHSA-6pc9-xqrg-wfqw', 'GHSA-9w4w-cpc8-h2fq', 'PYSEC-2022-167', 'PYSEC-2022-34']
py39-httpx013-0.13.3_3: ['GHSA-h8pj-cxx2-jfg2', 'PYSEC-2022-183']
py39-impacket-0.9.17_1: ['GHSA-mj63-64x7-57xf', 'PYSEC-2021-17']
py39-jmespath-1.0.1: ['GHSA-5c5f-7vfq-3732']
py39-joblib-1.1.0: ['GHSA-6hrg-qmvc-2xh8', 'PYSEC-2022-288']
py39-json5-0.9.11: ['GHSA-9c47-m6qq-7p4h']
py39-jsonpointer-2.0: ['GHSA-282f-qqgm-c34q']
py39-kerberos-1.3.1: ['PYSEC-2017-49']
py39-lmdb-0.97: ['PYSEC-2019-236', 'PYSEC-2019-237', 'PYSEC-2019-238', 'PYSEC-2019-239', 'PYSEC-2019-240']
py39-markdown2-2.3.6: ['GHSA-fv3h-8x5j-pvgq', 'GHSA-jr9p-r423-9m2r', 'PYSEC-2020-65', 'PYSEC-2021-20']
py39-mime-0.1.0: ['GHSA-wrvr-8mpx-r7pp']
py39-nbdime-3.1.1_1: ['GHSA-p6rw-44q7-3fw4']
py39-nicotine-plus-3.2.0_1: ['GHSA-p4v2-r99v-wjc2']
py39-parse-1.19.0: ['GHSA-wvh7-5p38-2qfc']
py39-psutil121-1.2.1_2: ['GHSA-qfc5-mcwq-26q8', 'PYSEC-2019-41']
py39-py-1.11.0: ['GHSA-w596-4wvx-j9j6', 'PYSEC-2022-42969']
py39-pycares-4.1.2: ['GHSA-c58j-88f5-h53f']
py39-pygments-25-2.5.2: ['GHSA-9w8r-397f-prfh', 'GHSA-pq64-v7f5-gqh8', 'PYSEC-2021-140', 'PYSEC-2021-141']
py39-pyinstaller-3.5_1: ['GHSA-7fcj-pq9j-wh2r', 'PYSEC-2020-175', 'PYSEC-2020-194']
py39-pymatgen-2022.7.19: ['GHSA-5jqp-885w-xj32']
py39-pysaml24-4.9.0_1: ['GHSA-5p3x-r448-pc62', 'GHSA-f4g9-h89h-jgv9', 'GHSA-qf7v-8hj3-4xw7', 'PYSEC-2020-94', 'PYSEC-2021-48', 'PYSEC-2021-49']
py39-redis2-2.10.6_2: ['GHSA-24wv-mv5m-xv4h', 'GHSA-8fww-64cx-x8p5', 'GHSA-35q2-47q7-3pc3']
py39-redis3-3.5.3: ['GHSA-24wv-mv5m-xv4h', 'GHSA-8fww-64cx-x8p5']
py39-rencode-1.0.6_1: ['GHSA-gh8j-2pgf-x458', 'PYSEC-2021-345']
py39-semver-2.13.0: ['GHSA-x6fg-f45m-jf5q']
py39-sentry-sdk-1.5.12: ['GHSA-29pr-6jr8-q5jm']
py39-setuptools-63.1.0: ['GHSA-r9hx-vwmv-q579']
py39-setuptools58-58.5.3_2: ['GHSA-r9hx-vwmv-q579']
py39-slixmpp-1.7.1: ['GHSA-q6cq-m9gm-6q2f']
py39-sqlalchemy10-1.0.14: ['GHSA-38fc-9xqv-7f7q', 'GHSA-887w-45rq-vxgf', 'PYSEC-2019-123', 'PYSEC-2019-124', 'PYSEC-2019-53', 'PYSEC-2019-54']
py39-sqlalchemy11-1.1.18: ['GHSA-38fc-9xqv-7f7q', 'GHSA-887w-45rq-vxgf', 'PYSEC-2019-123', 'PYSEC-2019-124', 'PYSEC-2019-53', 'PYSEC-2019-54']
py39-sqlalchemy12-1.2.19: ['GHSA-38fc-9xqv-7f7q', 'GHSA-887w-45rq-vxgf']
py39-suds-1.1.2: ['PYSEC-2013-32']
py39-tensorflow-2.9.1_7: ['GHSA-27rc-728f-x5w2', 'GHSA-368v-7v32-52fx', 'GHSA-49rq-hwc3-x77w', 'GHSA-54pp-c6pp-7fpx', 'GHSA-558h-mq8x-7q9g', 'GHSA-5w96-866f-6rm8', 'GHSA-647v-r7qq-24fh', 'GHSA-64jg-wjww-7c5w', 'GHSA-66vq-54fq-6jvv', 'GHSA-67pf-62xr-q35m', 'GHSA-68v3-g9cm-rmm6', 'GHSA-6hg6-5c2q-7rcr', 'GHSA-6wfh-89q8-44jq', 'GHSA-6x99-gv2v-q76v', 'GHSA-7jvm-xxmr-v5cw', 'GHSA-7x4v-9gxg-9hwj', 'GHSA-8fvv-46hw-vpg3', 'GHSA-8w5g-3wcv-9g2j', 'GHSA-93vr-9q9m-pj8p', 'GHSA-94mm-g2mv-8p7r', 'GHSA-cg88-rpvp-cjv5', 'GHSA-cqvq-fvhr-v6hc', 'GHSA-f2w8-jw48-fr7j', 'GHSA-f49c-87jh-g47q', 'GHSA-f637-vh3r-vfh2', 'GHSA-fqm2-gh8w-gr68', 'GHSA-frqp-wp83-qggv', 'GHSA-fxgc-95xx-grvq', 'GHSA-g9fm-r5mm-rf9f', 'GHSA-gf97-q72m-7579', 'GHSA-gq2j-cr96-gvqx', 'GHSA-gw97-ff7c-9v96', 'GHSA-h246-cgh4-7475', 'GHSA-h6q3-vv32-2cq5', 'GHSA-hq7g-wwwp-q46h', 'GHSA-j5w9-hmfh-4cr6', 'GHSA-jq6x-99hj-q636', 'GHSA-mgmh-g2v6-mqw5', 'GHSA-mv77-9g28-cwg3', 'GHSA-pf36-r9c6-h97j', 'GHSA-qjqc-vqcf-5qvj', 'GHSA-rcf8-g8jv-vg6p', 'GHSA-rjx6-v474-2ch9', 'GHSA-rmg2-f698-wq35', 'GHSA-xf83-q765-xm6m', 'GHSA-xvwp-h6jv-7472', 'GHSA-xxcj-rhqg-m46g']
py39-treq-20.9.0: ['GHSA-fhpf-pp6p-55qc']
py39-unicorn-1.0.2: ['OSV-2020-1373', 'OSV-2020-1409', 'OSV-2020-1410', 'OSV-2020-2180', 'OSV-2020-2305', 'OSV-2020-802', 'OSV-2020-825', 'OSV-2020-837', 'OSV-2021-1046', 'OSV-2021-1230', 'OSV-2021-307', 'OSV-2021-345', 'PYSEC-2021-868']
py39-wagtail-4.2_2: ['GHSA-33pv-vcgh-jfg9', 'GHSA-5286-f2rf-35c2']
py39-whois-0.9.13: ['GHSA-97jv-c342-5xhc']
radare2-5.8.4: ['OSV-2022-1137', 'OSV-2022-993', 'OSV-2023-35', 'OSV-2023-96']
rubygem-actionpack4-4.2.11.3: ['GHSA-7wjx-3g7j-8584', 'GHSA-8xww-x3g3-6jcv', 'GHSA-9chr-4fjh-5rgw', 'GHSA-hjg4-8q5f-x6fm', 'GHSA-p84v-45xj-wwqj']
rubygem-actionpack5-5.1.7_1: ['GHSA-7wjx-3g7j-8584', 'GHSA-8727-m6gj-mc37', 'GHSA-8xww-x3g3-6jcv', 'GHSA-9chr-4fjh-5rgw', 'GHSA-hjg4-8q5f-x6fm', 'GHSA-jp5v-5gx4-jmj9', 'GHSA-p84v-45xj-wwqj', 'GHSA-wh98-p28r-vrc9']
rubygem-actionpack50-5.0.7.2_2: ['GHSA-7wjx-3g7j-8584', 'GHSA-8727-m6gj-mc37', 'GHSA-8xww-x3g3-6jcv', 'GHSA-9chr-4fjh-5rgw', 'GHSA-hjg4-8q5f-x6fm', 'GHSA-jp5v-5gx4-jmj9', 'GHSA-p84v-45xj-wwqj', 'GHSA-wh98-p28r-vrc9']
rubygem-actionpack52-5.2.8.1_1: ['GHSA-8xww-x3g3-6jcv', 'GHSA-9chr-4fjh-5rgw', 'GHSA-p84v-45xj-wwqj']
rubygem-actionpack60-6.0.6.1: ['GHSA-8xww-x3g3-6jcv', 'GHSA-9chr-4fjh-5rgw', 'GHSA-p84v-45xj-wwqj']
rubygem-actionpack61-6.1.7.3: ['GHSA-9chr-4fjh-5rgw']
rubygem-actionview4-4.2.11.3: ['GHSA-65cv-r6x7-79hv', 'GHSA-cfjv-5498-mph5', 'GHSA-ch3h-j2vf-95pv']
rubygem-actionview5-5.1.7: ['GHSA-65cv-r6x7-79hv', 'GHSA-cfjv-5498-mph5', 'GHSA-ch3h-j2vf-95pv', 'GHSA-xq5j-gw7f-jgj8']
rubygem-actionview50-5.0.7.2: ['GHSA-65cv-r6x7-79hv', 'GHSA-cfjv-5498-mph5', 'GHSA-ch3h-j2vf-95pv', 'GHSA-xq5j-gw7f-jgj8']
rubygem-activerecord4-4.2.11.3: ['GHSA-3hhc-qp5v-9p2j', 'GHSA-579w-22j4-4749']
rubygem-activerecord5-5.1.7: ['GHSA-3hhc-qp5v-9p2j', 'GHSA-579w-22j4-4749', 'GHSA-8hc4-xxm3-5ppp']
rubygem-activerecord50-5.0.7.2: ['GHSA-3hhc-qp5v-9p2j', 'GHSA-579w-22j4-4749', 'GHSA-8hc4-xxm3-5ppp']
rubygem-activerecord52-5.2.8.1: ['GHSA-579w-22j4-4749']
rubygem-activerecord60-6.0.6.1: ['GHSA-579w-22j4-4749']
rubygem-activeresource4-4.1.0: ['GHSA-46j2-xjgp-jrfm']
rubygem-activesupport4-4.2.11.3: ['GHSA-j6gc-792m-qgm2', 'GHSA-pj73-v5mw-pm9j']
rubygem-activesupport5-5.1.7_1: ['GHSA-2p68-f74v-9wc6', 'GHSA-j6gc-792m-qgm2', 'GHSA-pj73-v5mw-pm9j']
rubygem-activesupport50-5.0.7.2_1: ['GHSA-2p68-f74v-9wc6', 'GHSA-j6gc-792m-qgm2', 'GHSA-pj73-v5mw-pm9j']
rubygem-activesupport52-5.2.8.1: ['GHSA-j6gc-792m-qgm2', 'GHSA-pj73-v5mw-pm9j']
rubygem-activesupport60-6.0.6.1: ['GHSA-j6gc-792m-qgm2', 'GHSA-pj73-v5mw-pm9j']
rubygem-async-2.5.0: ['GHSA-fwr7-v2mv-hh25']
rubygem-aws-sdk2-2.11.632: ['GHSA-rrc9-gqf8-8rwg']
rubygem-base64-0.1.1: ['GHSA-x67x-vg9m-65c3', 'RUSTSEC-2017-0004']
rubygem-bcrypt-3.1.18: ['GHSA-5wg4-74h6-q47v']
rubygem-bootstrap-sass-3.4.1: ['GHSA-9v3m-8fp8-mj99']
rubygem-cairo-1.17.8: ['OSV-2023-298']
rubygem-cookiejar-0.3.3: ['GHSA-h452-7996-h45h']
rubygem-cose-1.2.0: ['GHSA-746g-3gfp-hfhw']
rubygem-debug-1.7.2: ['GHSA-9vvw-cc9w-f27h', 'GHSA-gxpj-cx7g-858c']
rubygem-foreman-0.87.2: ['GHSA-xm28-fw2x-fqv2']
rubygem-generator-0.0.1: ['GHSA-6c65-xcf5-299x', 'GHSA-h6gg-fvf5-qgwf', 'GHSA-w3g5-2848-2v8r', 'RUSTSEC-2019-0020', 'RUSTSEC-2020-0151']
rubygem-globalid-0.4.2: ['GHSA-23c2-gwp5-pxw9']
rubygem-gon-rails5-6.2.1: ['GHSA-78vq-9j56-wrfr']
rubygem-gon-rails50-6.2.1: ['GHSA-78vq-9j56-wrfr']
rubygem-httparty-0.20.0: ['GHSA-5pq7-52mg-hr42']
rubygem-ini-0.1.1: ['GHSA-qqgx-2p2h-9c37']
rubygem-json-2.6.3: ['GHSA-3c6g-pvg8-gqw2']
rubygem-json1-1.8.6: ['GHSA-3c6g-pvg8-gqw2', 'GHSA-jphg-qwrw-7w9g']
rubygem-kramdown1-1.17.0: ['GHSA-52p9-v744-mwjj', 'GHSA-mqm2-cgpr-p4m6']
rubygem-mqtt-0.6.0: ['GHSA-hg78-c92r-hvwr']
rubygem-mustache-1.1.1: ['GHSA-3233-rgx3-c2wh', 'GHSA-w3w8-37jv-2c58']
rubygem-mustache0-0.99.8: ['GHSA-3233-rgx3-c2wh', 'GHSA-w3w8-37jv-2c58']
rubygem-mysql-2.9.1_1: ['GHSA-5f7m-mmpc-qhh4']
rubygem-netaddr-2.0.1: ['GHSA-49pj-69vf-c689']
rubygem-nokogiri111-1.11.7_2: ['GHSA-2qc6-mcvw-92cw', 'GHSA-2rr5-8q37-2w7h', 'GHSA-cgx6-hpwq-fhv5', 'GHSA-crjr-9rc5-ghw8', 'GHSA-fq42-c5rg-92c2', 'GHSA-gx8x-g87m-h5q6', 'GHSA-pxvg-2qj5-37jq', 'GHSA-v6gp-9mmm-c6p5', 'GHSA-xh29-r2w5-wx8m', 'GHSA-xxx9-3xcr-gjj3']
rubygem-omniauth1-1.9.2_1: ['GHSA-ww4x-rwq6-qpgf']
rubygem-oxidized-web-0.13.1_4: ['GHSA-8qwh-rm6c-jv96']
rubygem-pdfkit-0.8.7: ['GHSA-rhwx-hjx2-x4qr']
rubygem-pg-1.4.6: ['GHSA-wc9v-mj63-m9g5']
rubygem-pg13-1.3.5: ['GHSA-wc9v-mj63-m9g5']
rubygem-pghero-rails5-2.8.3: ['GHSA-vf99-xw26-86g5']
rubygem-pghero-rails50-2.8.3: ['GHSA-vf99-xw26-86g5']
rubygem-rack16-1.6.13: ['GHSA-3h57-hmj3-gj3p', 'GHSA-5f9h-9pjv-v6j7', 'GHSA-65f5-mfpf-vfhj', 'GHSA-hxqx-xwvh-44m2', 'GHSA-j6w9-fv6q-3q52', 'GHSA-wq4h-7r42-5hrr']
rubygem-rails4-4.2.11.3: ['GHSA-579w-22j4-4749', 'GHSA-7wjx-3g7j-8584', 'GHSA-9chr-4fjh-5rgw', 'GHSA-cfjv-5498-mph5', 'GHSA-ch3h-j2vf-95pv']
rubygem-rails5-5.1.7_2: ['GHSA-579w-22j4-4749', 'GHSA-7wjx-3g7j-8584', 'GHSA-9chr-4fjh-5rgw', 'GHSA-cfjv-5498-mph5', 'GHSA-ch3h-j2vf-95pv', 'GHSA-wh98-p28r-vrc9']
rubygem-rails50-5.0.7.2_2: ['GHSA-579w-22j4-4749', 'GHSA-7wjx-3g7j-8584', 'GHSA-9chr-4fjh-5rgw', 'GHSA-cfjv-5498-mph5', 'GHSA-ch3h-j2vf-95pv', 'GHSA-wh98-p28r-vrc9']
rubygem-rails52-5.2.8.1: ['GHSA-579w-22j4-4749', 'GHSA-9chr-4fjh-5rgw']
rubygem-sanitize-6.0.0: ['GHSA-fw3g-2h3j-qmm7']
rubygem-simple_form-4.0.0: ['GHSA-r74q-gxcg-73hx']
rubygem-sinatra1-1.4.8: ['GHSA-qp49-3pvw-x4m5']
rubygem-terser-1.0.2: ['GHSA-4wf5-vphf-c2xc']
rubygem-terser11-1.1.14: ['GHSA-4wf5-vphf-c2xc']
rubygem-time-0.2.2: ['GHSA-wcg3-cvx6-7396']
rubygem-tweetstream-2.6.1_1: ['GHSA-6hrm-jqp3-64cv']
rubygem-twitter-stream-0.1.16_2: ['GHSA-p6p8-q4pj-f74m']
rubygem-unicode-0.4.4.4: ['GHSA-qjf4-7642-c57p']
rubygem-useragent-0.16.10: ['GHSA-pjmx-9xr3-82qr']
send-0.3_4: ['GHSA-jgqf-hwc5-hh37', 'GHSA-pgv6-jrvv-75jp', 'GHSA-xwg4-93c6-3h42']
showdown-0.6_3: ['GHSA-h6mq-3cj6-h738']
svg2png-0.1.3_6: ['GHSA-mpp5-2x55-49xw']
tidy-html5-5.8.0_2: ['OSV-2020-1427', 'OSV-2020-1440']
ua_parser-core-0.5.0_1: ['GHSA-fx7m-j728-mjw3']
unicorn-1.0.2: ['OSV-2020-1373', 'OSV-2020-1409', 'OSV-2020-1410', 'OSV-2020-2180', 'OSV-2020-2305', 'OSV-2020-802', 'OSV-2020-825', 'OSV-2020-837', 'OSV-2021-1046', 'OSV-2021-1230', 'OSV-2021-307', 'OSV-2021-345', 'PYSEC-2021-868']
vmd-1.9.4: ['GHSA-pfr3-87q3-65rc']
wabt-1.0.32: ['OSV-2021-1241', 'OSV-2022-1248', 'OSV-2022-1261', 'OSV-2022-1263', 'OSV-2022-916']
wasm3-0.5.0_2: ['GHSA-77fq-4xf5-hph4', 'GHSA-crf8-h2wq-2h9x']
webbrowser-0.3: ['GHSA-m589-mv4q-p7rj']
zh-opencc-1.0.5_3: ['GHSA-9qh2-6fxg-9m4g']

Best regards,

On Tue, 4 Apr 2023 at 12:31, Hubert Tournier wrote:
> I'm OK to do the OSV tool.
>
> Best regards,
>
> On Tue, 4 Apr 2023 at 11:58, void wrote:
>
>> On Sun, Mar 26, 2023 at 12:16:53PM +0200, Hubert Tournier wrote:
>> >Hello,
>> >
>> >While working on pipinfo, an alternative Python package management
>> >tool, I noticed that some Python packages installed as FreeBSD ports
>> >were marked as vulnerable by the Python Packaging Authority but not in
>> >the FreeBSD VuXML ports security database.
>> >
>> >So I made a pysec2vuxml tool to check the 4,000+ FreeBSD ports for
>> >Python packages and found 45 of them vulnerable and unreported.
>> >
>> >I started producing new VuXML entries for these vulnerable ports.
>> >*Please tell me if it's worth pursuing this effort?*
>> >
>> >In order to verify if these vulnerable ports were also marked as
>> >vulnerable in FreeBSD VuXML, I made a Python VuXML handling library
>> >and got carried away writing a whole utility, vuxml, to demonstrate
>> >its use. This could be of general interest to some of you?
>> >
>> >Best regards,
>> >
>> >PS: this approach could be extended to Rust crates, Ruby gems and so
>> >on with the vulnerabilities described in the OSV ...
>>
>> +1 ^^^ really good idea
>>
>> Probably best to ask in freebsd-hackers@ as devs are likely to
>> read this there
>> --
>
Hello,

Here's a littl= e progress report on the osv2vuxml tool development.
I'm now u= p to the point where I can identify vulnerable (current version) FreeBSD po= rts from all the OSV "ecosystems".
But I still have to c= heck which are not yet reported in VuXML and generate an entry skeleton for= them, like I did with pysec2vuxml.
I think I'll be able to publish something in a couple of weeks...<= br>
Note that identifying a vulnerable port implies either fi= nding a matching name (not always reliable with port prefixes / flavours / = versions in port suffixes) or a matching source web site (better IMO, but t= here are 2576 ports out of 33565 that don't have that information).
=
I may find more vulnerable ports in the future by delving deeper= into the data, especially if I can find matches with software packaged for= Linux, Debian, Alpine and Android ecosystems...
Also naming = of FreeBSD ports for Go gems, Rust crates and others seem to be less consis= tent than for Python, Ruby and PHP packages.

<= /div>
So here's what's reported so far:

Ecosyste= m / Language / vulnerabilities / affected ports / vulns for affected ports= =C2=A0
----------------------------------------------------------------= ----------------------------------------
Go / Go / 1360 / 6 /24
He= x / Erlang / 21 / 0 / 0
Maven / Java / 3462 / 8 / 8
NuGet / .N= et / 267 / 3 / 3
Packagist / PHP / 1484 / 0 / 0
Pub / Dart / 5 /= 0 / 0
PyPI / Python / 3955 / 61 / 166
RubyGems / Ruby / 669 / 45 = / 118
crates.io / Rust / 1133 / 14 / 3= 3
npm / JavaScript / 2962 / 57 / 83
----------------------------------------------------------------------= ----------------------------------
GSD / - / 7 / 0 / 0
GitHub Actions / - / 8 / 0 / 0
OSS-Fuzz / - / 2870 / 21 / 85
UVI / - / 1 / 0 / 0
-----------------------------------------= ---------------------------------------------------------------
2= 15 affected ports in their current version, counting for 520 vulnerabilitie= s

And here' a preliminary detailed list of vulnerable= ports with associated vulnerabilities IDs (there might be a few false posi= tive inside!).
Hopefully, it includes many already reported vulnerabilit= ies in VuXML (at least many of those listed for Python have already been re= ported with pysec2vuxml):

2bsd-diff-2.11.1_1: ['GHSA-h6ch-v84p-w6p9']
R-cran-ini-0.3.1: ['GHSA-qqgx-2p2h-9c37']
R-cran-mime-0.12: ['GHSA-wrvr-8mpx-r7pp']
R-cran-rio-0.5.29: ['GHSA-8rc5-mr4f-m243']
R-cran-xopen-1.0.0: ['GHSA-74wf-cwjg-9cf2']
b2-1.3.8_1: ['GHSA-8wr4-2wm6-w3pr', 'PYSEC-2022-32']
bcrypt-1.1: ['GHSA-5wg4-74h6-q47v']
blitz-1.0.2_4: ['GHSA-5888-ffcr-r425']
capstone4-4.0.2: ['OSV-2020-438']
comrak-0.15.0_3: ['GHSA-5r3x-p7xx-x6q5', 'GHSA-8hqf-xjwp-p67v', 'GHSA-xxmq-4vph-956w']
containers-0.9.0_2: ['GHSA-cv7x-6rc6-pq5v', 'RUSTSEC-2021-0010']
coreos-etcd-2.3.8_18: ['GHSA-4993-m7g5-r9hh', 'GHSA-528j-9r78-wffx', 'GHSA-9gp7-6833-wv89', 'GHSA-h8g9-6gvh-5mrc', 'GHSA-m332-53r6-2w93', 'GHSA-p4g4-wgrh-qrg2']
coreos-etcd31-3.1.20_17: ['GHSA-4993-m7g5-r9hh', 'GHSA-528j-9r78-wffx', 'GHSA-9gp7-6833-wv89', 'GHSA-h8g9-6gvh-5mrc', 'GHSA-m332-53r6-2w93', 'GHSA-p4g4-wgrh-qrg2']
coreos-etcd32-3.2.32_15: ['GHSA-4993-m7g5-r9hh', 'GHSA-528j-9r78-wffx', 'GHSA-9gp7-6833-wv89', 'GHSA-h8g9-6gvh-5mrc', 'GHSA-m332-53r6-2w93', 'GHSA-p4g4-wgrh-qrg2']
date-3.0.1: ['GHSA-qg54-694p-wgpp']
deluge-2.0.3_3,2: ['GHSA-5c8p-qhch-qhx6', 'PYSEC-2022-256']
deluge-cli-2.0.3_4: ['GHSA-5c8p-qhch-qhx6', 'PYSEC-2022-256']
dojo-1.12.2: ['GHSA-536q-8gxx-m782', 'GHSA-jxfh-8wgv-vfr2', 'GHSA-m8gw-hjpr-rjv7']
draco-3d-compression-1.5.6: ['OSV-2020-778', 'OSV-2020-800', 'OSV-2020-824', 'OSV-2020-828', 'OSV-2021-1082']
espeak-ng-1.51.1_3: ['OSV-2021-1024', 'OSV-2021-1041', 'OSV-2021-1110', 'OSV-2021-1141', 'OSV-2021-1157', 'OSV-2021-765', 'OSV-2021-787', 'OSV-2021-802', 'OSV-2022-462', 'OSV-2022-519', 'OSV-2022-530']
flatbuffers205-2.0.5: ['GHSA-3jch-9qgp-4844', 'RUSTSEC-2021-0122']
go-protobuf-1.3.2_12,1: ['GHSA-77rm-9x9h-xj3g', 'GHSA-jwvw-v7c5-m82h', 'GHSA-mh6h-f25p-98f8']
got-0.87: ['GHSA-pfrx-2q88-qq97']
gstreamer1-1.22.0_1: ['OSV-2022-1168']
gtar-1.34: ['GHSA-3jfq-g458-7qm9', 'GHSA-5955-9wpr-37jh', 'GHSA-9r2w-394v-53qc', 'GHSA-gfjr-3jmm-4g9v', 'GHSA-j44m-qm6p-hp7m', 'GHSA-qq89-hq3f-393p', 'GHSA-r628-mhmh-qjhw']
guake-3.4.0_3: ['GHSA-7x48-7466-3g33', 'PYSEC-2022-165']
harfbuzz-7.1.0: ['OSV-2023-137', 'OSV-2023-170', 'OSV-2023-222', 'OSV-2023-323']
harp-0.6.0_3: ['GHSA-46hv-7769-j7rx', 'GHSA-6fmm-47qc-p4m4']
jbig2dec-0.19: ['OSV-2020-822']
leptonica-1.82.0: ['OSV-2022-69', 'OSV-2022-91']
libnotify-0.8.2: ['GHSA-6898-wx94-8jq8']
libraw-0.21.1: ['OSV-2022-819', 'OSV-2023-184', 'OSV-2023-90']
libredwg-0.12.4: ['OSV-2021-1086', 'OSV-2021-620', 'OSV-2021-771', 'OSV-2022-129', 'OSV-2022-363']
libsass-3.6.5: ['OSV-2020-1420', 'OSV-2020-862', 'OSV-2021-508', 'OSV-2022-896']
libucl-0.8.2: ['OSV-2021-1261', 'OSV-2022-494', 'OSV-2023-321', 'OSV-2023-78']
log4net-1.2.10_3: ['GHSA-2cwj-8chv-9pp9']
lua51-bcrypt-2.3.1: ['GHSA-5wg4-74h6-q47v']
lua51-json-1.3.4_1: ['GHSA-3c6g-pvg8-gqw2']
lua52-bcrypt-2.3.1: ['GHSA-5wg4-74h6-q47v']
lua52-json-1.3.4_1: ['GHSA-3c6g-pvg8-gqw2']
lua53-bcrypt-2.3.1: ['GHSA-5wg4-74h6-q47v']
lua53-json-1.3.4_1: ['GHSA-3c6g-pvg8-gqw2']
lua54-bcrypt-2.3.1: ['GHSA-5wg4-74h6-q47v']
lua54-json-1.3.4_1: ['GHSA-3c6g-pvg8-gqw2']
mingw32-libyaml-0.1.6_2: ['GHSA-m75h-cghq-c8h5']
mitmproxy-7.0.4_2: ['GHSA-gcx2-gvj7-pxv3', 'PYSEC-2022-170']
mongoose-5.6: ['GHSA-8687-vv9j-hgph', 'GHSA-f825-f98c-gj3g']
nlohmann-json-3.11.2: ['GHSA-3c6g-pvg8-gqw2']
ocaml-mysql-1.2.4: ['GHSA-fvq6-55gv-jx9f']
opa-0.41.0_11: ['GHSA-2m4x-4q9j-w97g', 'GHSA-f524-rf33-2jjr']
open-1.4: ['GHSA-28xh-wpgr-7fm8']
opencv-4.6.0_6: ['OSV-2022-394', 'GHSA-f698-m2v9-5fh3', 'GHSA-mc7w-4cjf-c973']
opensc-0.23.0: ['OSV-2022-1175', 'OSV-2022-1188', 'OSV-2022-1201', 'OSV-2022-1232']
p5-mem-0.4.7: ['GHSA-4xcv-9jjx-gfj3']
php80-opencc-0.0.0.20201211: ['GHSA-9qh2-6fxg-9m4g']
php80-pecl-mongodb-1.15.1: ['GHSA-4rjr-3gj2-5crq', 'GHSA-mh5c-679w-hh4r']
php80-pecl-mustache-0.9.3: ['GHSA-3233-rgx3-c2wh', 'GHSA-w3w8-37jv-2c58']
php80-pecl-ssh2-1.3.1: ['GHSA-652h-xwhf-q4h6']
php81-opencc-0.0.0.20201211: ['GHSA-9qh2-6fxg-9m4g']
php81-pecl-mongodb-1.15.1: ['GHSA-4rjr-3gj2-5crq', 'GHSA-mh5c-679w-hh4r']
php81-pecl-mustache-0.9.3: ['GHSA-3233-rgx3-c2wh', 'GHSA-w3w8-37jv-2c58']
php81-pecl-ssh2-1.3.1: ['GHSA-652h-xwhf-q4h6']
php82-opencc-0.0.0.20201211: ['GHSA-9qh2-6fxg-9m4g']
php82-pecl-mongodb-1.15.1: ['GHSA-4rjr-3gj2-5crq', 'GHSA-mh5c-679w-hh4r']
php82-pecl-mustache-0.9.3: ['GHSA-3233-rgx3-c2wh', 'GHSA-w3w8-37jv-2c58']
php82-pecl-ssh2-1.3.1: ['GHSA-652h-xwhf-q4h6']
pidgin-libnotify-0.14_15: ['GHSA-6898-wx94-8jq8']
postgresql13-semver-0.31.2: ['GHSA-x6fg-f45m-jf5q']
protobuf25-2.5.0_5: ['GHSA-77rm-9x9h-xj3g', 'GHSA-jwvw-v7c5-m82h', 'GHSA-8gq9-2x98-w8hf', 'PYSEC-2017-65', 'PYSEC-2022-48', 'GHSA-mh6h-f25p-98f8', 'RUSTSEC-2019-0003']
py27-setuptools44-44.1.1: ['GHSA-r9hx-vwmv-q579']
py310-setuptools-63.1.0: ['GHSA-r9hx-vwmv-q579']
py310-setuptools58-58.5.3_2: ['GHSA-r9hx-vwmv-q579']
py311-setuptools-63.1.0: ['GHSA-r9hx-vwmv-q579']
py311-setuptools58-58.5.3_2: ['GHSA-r9hx-vwmv-q579']
py37-setuptools-63.1.0: ['GHSA-r9hx-vwmv-q579']
py37-setuptools58-58.5.3_2: ['GHSA-r9hx-vwmv-q579']
py38-setuptools-63.1.0: ['GHSA-r9hx-vwmv-q579']
py38-setuptools58-58.5.3_2: ['GHSA-r9hx-vwmv-q579']
py39-Flask-Cors-3.0.8: ['GHSA-xc3p-ff3m-f46v']
py39-WsgiDAV-3.1.0: ['GHSA-xx6g-jj35-pxjv']
py39-ansible-7.1.0: ['PYSEC-2020-220', 'PYSEC-2020-221', 'PYSEC-2021-125']
py39-arrow-1.2.3: ['GHSA-h588-76vg-prgj', 'GHSA-qgrp-8f3v-q85p', 'GHSA-r7cj-wmwv-hfw5', 'RUSTSEC-2021-0116', 'RUSTSEC-2021-0117', 'RUSTSEC-2021-0118']
py39-bcrypt-3.2.2: ['GHSA-5wg4-74h6-q47v']
py39-beaker-1.12.1: ['PYSEC-2020-216']
py39-branca-0.6.0: ['GHSA-c9rv-3jmq-527w', 'RUSTSEC-2020-0075']
py39-capstone-4.0.2: ['OSV-2020-438']
py39-celery-4.4.7: ['GHSA-q4xr-rc97-m4xx', 'PYSEC-2021-858']
py39-cinder-12.0.10_22: ['GHSA-7h75-hwxx-qpgc', 'GHSA-qhch-g8qr-p497', 'PYSEC-2020-228']
py39-codecov-2.1.12: ['GHSA-5q88-cjfq-g2mh', 'GHSA-mh2h-6j8q-x246', 'GHSA-xp63-6vf5-xf3v']
py39-configobj-5.0.8: ['GHSA-c33w-24p9-8m24']
py39-cryptography-3.4.8_1,1: ['GHSA-w7pp-m8wf-vj6r', 'GHSA-x4qr-2fvf-3mr5']
py39-django-photologue-3.15_1: ['GHSA-287q-jfcp-9vhv']
py39-django-tinymce-3.6.1: ['GHSA-r8hm-w5f7-wj39']
py39-dparse-0.5.1: ['GHSA-8fg9-p83m-x5pq', 'PYSEC-2022-301']
py39-flask-caching-1.9.0: ['GHSA-656c-6cxf-hvcv', 'PYSEC-2021-13']
py39-flask-security-3.0.0_1: ['GHSA-cg8c-gc2j-2wf7']
py39-flatbuffers-2.0: ['GHSA-3jch-9qgp-4844', 'RUSTSEC-2021-0122']
py39-gstreamer1-1.20.5: ['OSV-2022-1089', 'OSV-2022-1168']
py39-httpie-3.0.2: ['GHSA-6pc9-xqrg-wfqw', 'GHSA-9w4w-cpc8-h2fq', 'PYSEC-2022-167', 'PYSEC-2022-34']
py39-httpx013-0.13.3_3: ['GHSA-h8pj-cxx2-jfg2', 'PYSEC-2022-183']
py39-impacket-0.9.17_1: ['GHSA-mj63-64x7-57xf', 'PYSEC-2021-17']
py39-jmespath-1.0.1: ['GHSA-5c5f-7vfq-3732']
py39-joblib-1.1.0: ['GHSA-6hrg-qmvc-2xh8', 'PYSEC-2022-288']
py39-json5-0.9.11: ['GHSA-9c47-m6qq-7p4h']
py39-jsonpointer-2.0: ['GHSA-282f-qqgm-c34q']
py39-kerberos-1.3.1: ['PYSEC-2017-49']
py39-lmdb-0.97: ['PYSEC-2019-236', 'PYSEC-2019-237', 'PYSEC-2019-238', 'PYSEC-2019-239', 'PYSEC-2019-240']
py39-markdown2-2.3.6: ['GHSA-fv3h-8x5j-pvgq', 'GHSA-jr9p-r423-9m2r', 'PYSEC-2020-65', 'PYSEC-2021-20']
py39-mime-0.1.0: ['GHSA-wrvr-8mpx-r7pp']
py39-nbdime-3.1.1_1: ['GHSA-p6rw-44q7-3fw4']
py39-nicotine-plus-3.2.0_1: ['GHSA-p4v2-r99v-wjc2']
py39-parse-1.19.0: ['GHSA-wvh7-5p38-2qfc']
py39-psutil121-1.2.1_2: ['GHSA-qfc5-mcwq-26q8', 'PYSEC-2019-41']
py39-py-1.11.0: ['GHSA-w596-4wvx-j9j6', 'PYSEC-2022-42969']
py39-pycares-4.1.2: ['GHSA-c58j-88f5-h53f']
py39-pygments-25-2.5.2: ['GHSA-9w8r-397f-prfh', 'GHSA-pq64-v7f5-gqh8', 'PYSEC-2021-140', 'PYSEC-2021-141']
py39-pyinstaller-3.5_1: ['GHSA-7fcj-pq9j-wh2r', 'PYSEC-2020-175', 'PYSEC-2020-194']
py39-pymatgen-2022.7.19: ['GHSA-5jqp-885w-xj32']
py39-pysaml24-4.9.0_1: ['GHSA-5p3x-r448-pc62', 'GHSA-f4g9-h89h-jgv9', 'GHSA-qf7v-8hj3-4xw7', 'PYSEC-2020-94', 'PYSEC-2021-48', 'PYSEC-2021-49']
py39-redis2-2.10.6_2: ['GHSA-24wv-mv5m-xv4h', 'GHSA-8fww-64cx-x8p5', 'GHSA-35q2-47q7-3pc3']
py39-redis3-3.5.3: ['GHSA-24wv-mv5m-xv4h', 'GHSA-8fww-64cx-x8p5']
py39-rencode-1.0.6_1: ['GHSA-gh8j-2pgf-x458', 'PYSEC-2021-345']
py39-semver-2.13.0: ['GHSA-x6fg-f45m-jf5q']
py39-sentry-sdk-1.5.12: ['GHSA-29pr-6jr8-q5jm']
py39-setuptools-63.1.0: ['GHSA-r9hx-vwmv-q579']
py39-setuptools58-58.5.3_2: ['GHSA-r9hx-vwmv-q579']
py39-slixmpp-1.7.1: ['GHSA-q6cq-m9gm-6q2f']
py39-sqlalchemy10-1.0.14: ['GHSA-38fc-9xqv-7f7q', 'GHSA-887w-45rq-vxgf', 'PYSEC-2019-123', 'PYSEC-2019-124', 'PYSEC-2019-53', 'PYSEC-2019-54']
py39-sqlalchemy11-1.1.18: ['GHSA-38fc-9xqv-7f7q', 'GHSA-887w-45rq-vxgf', 'PYSEC-2019-123', 'PYSEC-2019-124', 'PYSEC-2019-53', 'PYSEC-2019-54']
py39-sqlalchemy12-1.2.19: ['GHSA-38fc-9xqv-7f7q', 'GHSA-887w-45rq-vxgf']
py39-suds-1.1.2: ['PYSEC-2013-32']
py39-tensorflow-2.9.1_7: ['GHSA-27rc-728f-x5w2', 'GHSA-368v-7v32-52fx', 'GHSA-49rq-hwc3-x77w', 'GHSA-54pp-c6pp-7fpx', 'GHSA-558h-mq8x-7q9g', 'GHSA-5w96-866f-6rm8', 'GHSA-647v-r7qq-24fh', 'GHSA-64jg-wjww-7c5w', 'GHSA-66vq-54fq-6jvv', 'GHSA-67pf-62xr-q35m', 'GHSA-68v3-g9cm-rmm6', 'GHSA-6hg6-5c2q-7rcr', 'GHSA-6wfh-89q8-44jq', 'GHSA-6x99-gv2v-q76v', 'GHSA-7jvm-xxmr-v5cw', 'GHSA-7x4v-9gxg-9hwj', 'GHSA-8fvv-46hw-vpg3', 'GHSA-8w5g-3wcv-9g2j', 'GHSA-93vr-9q9m-pj8p', 'GHSA-94mm-g2mv-8p7r', 'GHSA-cg88-rpvp-cjv5', 'GHSA-cqvq-fvhr-v6hc', 'GHSA-f2w8-jw48-fr7j', 'GHSA-f49c-87jh-g47q', 'GHSA-f637-vh3r-vfh2', 'GHSA-fqm2-gh8w-gr68', 'GHSA-frqp-wp83-qggv', 'GHSA-fxgc-95xx-grvq', 'GHSA-g9fm-r5mm-rf9f', 'GHSA-gf97-q72m-7579', 'GHSA-gq2j-cr96-gvqx', 'GHSA-gw97-ff7c-9v96', 'GHSA-h246-cgh4-7475', 'GHSA-h6q3-vv32-2cq5', 'GHSA-hq7g-wwwp-q46h', 'GHSA-j5w9-hmfh-4cr6', 'GHSA-jq6x-99hj-q636', 'GHSA-mgmh-g2v6-mqw5', 'GHSA-mv77-9g28-cwg3', 'GHSA-pf36-r9c6-h97j', 'GHSA-qjqc-vqcf-5qvj', 'GHSA-rcf8-g8jv-vg6p', 'GHSA-rjx6-v474-2ch9', 'GHSA-rmg2-f698-wq35', 'GHSA-xf83-q765-xm6m', 'GHSA-xvwp-h6jv-7472', 'GHSA-xxcj-rhqg-m46g']
py39-treq-20.9.0: ['GHSA-fhpf-pp6p-55qc']
py39-unicorn-1.0.2: ['OSV-2020-1373', 'OSV-2020-1409', 'OSV-2020-1410', 'OSV-2020-2180', 'OSV-2020-2305', 'OSV-2020-802', 'OSV-2020-825', 'OSV-2020-837', 'OSV-2021-1046', 'OSV-2021-1230', 'OSV-2021-307', 'OSV-2021-345', 'PYSEC-2021-868']
py39-wagtail-4.2_2: ['GHSA-33pv-vcgh-jfg9', 'GHSA-5286-f2rf-35c2']
py39-whois-0.9.13: ['GHSA-97jv-c342-5xhc']
radare2-5.8.4: ['OSV-2022-1137', 'OSV-2022-993', 'OSV-2023-35', 'OSV-2023-96']
rubygem-actionpack4-4.2.11.3: ['GHSA-7wjx-3g7j-8584', 'GHSA-8xww-x3g3-6jcv', 'GHSA-9chr-4fjh-5rgw', 'GHSA-hjg4-8q5f-x6fm', 'GHSA-p84v-45xj-wwqj']
rubygem-actionpack5-5.1.7_1: ['GHSA-7wjx-3g7j-8584', 'GHSA-8727-m6gj-mc37', 'GHSA-8xww-x3g3-6jcv', 'GHSA-9chr-4fjh-5rgw', 'GHSA-hjg4-8q5f-x6fm', 'GHSA-jp5v-5gx4-jmj9', 'GHSA-p84v-45xj-wwqj', 'GHSA-wh98-p28r-vrc9']
rubygem-actionpack50-5.0.7.2_2: ['GHSA-7wjx-3g7j-8584', 'GHSA-8727-m6gj-mc37', 'GHSA-8xww-x3g3-6jcv', 'GHSA-9chr-4fjh-5rgw', 'GHSA-hjg4-8q5f-x6fm', 'GHSA-jp5v-5gx4-jmj9', 'GHSA-p84v-45xj-wwqj', 'GHSA-wh98-p28r-vrc9']
rubygem-actionpack52-5.2.8.1_1: ['GHSA-8xww-x3g3-6jcv', 'GHSA-9chr-4fjh-5rgw', 'GHSA-p84v-45xj-wwqj']
rubygem-actionpack60-6.0.6.1: ['GHSA-8xww-x3g3-6jcv', 'GHSA-9chr-4fjh-5rgw', 'GHSA-p84v-45xj-wwqj']
rubygem-actionpack61-6.1.7.3: ['GHSA-9chr-4fjh-5rgw']
rubygem-actionview4-4.2.11.3: ['GHSA-65cv-r6x7-79hv', 'GHSA-cfjv-5498-mph5', 'GHSA-ch3h-j2vf-95pv']
rubygem-actionview5-5.1.7: ['GHSA-65cv-r6x7-79hv', 'GHSA-cfjv-5498-mph5', 'GHSA-ch3h-j2vf-95pv', 'GHSA-xq5j-gw7f-jgj8']
rubygem-actionview50-5.0.7.2: ['GHSA-65cv-r6x7-79hv', 'GHSA-cfjv-5498-mph5', 'GHSA-ch3h-j2vf-95pv', 'GHSA-xq5j-gw7f-jgj8']
rubygem-activerecord4-4.2.11.3: ['GHSA-3hhc-qp5v-9p2j', 'GHSA-579w-22j4-4749']
rubygem-activerecord5-5.1.7: ['GHSA-3hhc-qp5v-9p2j', 'GHSA-579w-22j4-4749', 'GHSA-8hc4-xxm3-5ppp']
rubygem-activerecord50-5.0.7.2: ['GHSA-3hhc-qp5v-9p2j', 'GHSA-579w-22j4-4749', 'GHSA-8hc4-xxm3-5ppp']
rubygem-activerecord52-5.2.8.1: ['GHSA-579w-22j4-4749']
rubygem-activerecord60-6.0.6.1: ['GHSA-579w-22j4-4749']
rubygem-activeresource4-4.1.0: ['GHSA-46j2-xjgp-jrfm']
rubygem-activesupport4-4.2.11.3: ['GHSA-j6gc-792m-qgm2', 'GHSA-pj73-v5mw-pm9j']
rubygem-activesupport5-5.1.7_1: ['GHSA-2p68-f74v-9wc6', 'GHSA-j6gc-792m-qgm2', 'GHSA-pj73-v5mw-pm9j']
rubygem-activesupport50-5.0.7.2_1: ['GHSA-2p68-f74v-9wc6', 'GHSA-j6gc-792m-qgm2', 'GHSA-pj73-v5mw-pm9j']
rubygem-activesupport52-5.2.8.1: ['GHSA-j6gc-792m-qgm2', 'GHSA-pj73-v5mw-pm9j']
rubygem-activesupport60-6.0.6.1: ['GHSA-j6gc-792m-qgm2', 'GHSA-pj73-v5mw-pm9j']
rubygem-async-2.5.0: ['GHSA-fwr7-v2mv-hh25']
rubygem-aws-sdk2-2.11.632: ['GHSA-rrc9-gqf8-8rwg']
rubygem-base64-0.1.1: ['GHSA-x67x-vg9m-65c3', 'RUSTSEC-2017-0004']
rubygem-bcrypt-3.1.18: ['GHSA-5wg4-74h6-q47v']
rubygem-bootstrap-sass-3.4.1: ['GHSA-9v3m-8fp8-mj99']
rubygem-cairo-1.17.8: ['OSV-2023-298']
rubygem-cookiejar-0.3.3: ['GHSA-h452-7996-h45h']
rubygem-cose-1.2.0: ['GHSA-746g-3gfp-hfhw']
rubygem-debug-1.7.2: ['GHSA-9vvw-cc9w-f27h', 'GHSA-gxpj-cx7g-858c']
rubygem-foreman-0.87.2: ['GHSA-xm28-fw2x-fqv2']
rubygem-generator-0.0.1: ['GHSA-6c65-xcf5-299x', 'GHSA-h6gg-fvf5-qgwf', 'GHSA-w3g5-2848-2v8r', 'RUSTSEC-2019-0020', 'RUSTSEC-2020-0151']
rubygem-globalid-0.4.2: ['GHSA-23c2-gwp5-pxw9']
rubygem-gon-rails5-6.2.1: ['GHSA-78vq-9j56-wrfr']
rubygem-gon-rails50-6.2.1: ['GHSA-78vq-9j56-wrfr']
rubygem-httparty-0.20.0: ['GHSA-5pq7-52mg-hr42']
rubygem-ini-0.1.1: ['GHSA-qqgx-2p2h-9c37']
rubygem-json-2.6.3: ['GHSA-3c6g-pvg8-gqw2']
rubygem-json1-1.8.6: ['GHSA-3c6g-pvg8-gqw2', 'GHSA-jphg-qwrw-7w9g']
rubygem-kramdown1-1.17.0: ['GHSA-52p9-v744-mwjj', 'GHSA-mqm2-cgpr-p4m6']
rubygem-mqtt-0.6.0: ['GHSA-hg78-c92r-hvwr']
rubygem-mustache-1.1.1: ['GHSA-3233-rgx3-c2wh', 'GHSA-w3w8-37jv-2c58']
rubygem-mustache0-0.99.8: ['GHSA-3233-rgx3-c2wh', 'GHSA-w3w8-37jv-2c58']
rubygem-mysql-2.9.1_1: ['GHSA-5f7m-mmpc-qhh4']
rubygem-netaddr-2.0.1: ['GHSA-49pj-69vf-c689']
rubygem-nokogiri111-1.11.7_2: ['GHSA-2qc6-mcvw-92cw', 'GHSA-2rr5-8q37-2w7h', 'GHSA-cgx6-hpwq-fhv5', 'GHSA-crjr-9rc5-ghw8', 'GHSA-fq42-c5rg-92c2', 'GHSA-gx8x-g87m-h5q6', 'GHSA-pxvg-2qj5-37jq', 'GHSA-v6gp-9mmm-c6p5', 'GHSA-xh29-r2w5-wx8m', 'GHSA-xxx9-3xcr-gjj3']
rubygem-omniauth1-1.9.2_1: ['GHSA-ww4x-rwq6-qpgf']
rubygem-oxidized-web-0.13.1_4: ['GHSA-8qwh-rm6c-jv96']
rubygem-pdfkit-0.8.7: ['GHSA-rhwx-hjx2-x4qr']
rubygem-pg-1.4.6: ['GHSA-wc9v-mj63-m9g5']
rubygem-pg13-1.3.5: ['GHSA-wc9v-mj63-m9g5']
rubygem-pghero-rails5-2.8.3: ['GHSA-vf99-xw26-86g5']
rubygem-pghero-rails50-2.8.3: ['GHSA-vf99-xw26-86g5']
rubygem-rack16-1.6.13: ['GHSA-3h57-hmj3-gj3p', 'GHSA-5f9h-9pjv-v6j7', 'GHSA-65f5-mfpf-vfhj', 'GHSA-hxqx-xwvh-44m2', 'GHSA-j6w9-fv6q-3q52', 'GHSA-wq4h-7r42-5hrr']
rubygem-rails4-4.2.11.3: ['GHSA-579w-22j4-4749', 'GHSA-7wjx-3g7j-8584', 'GHSA-9chr-4fjh-5rgw', 'GHSA-cfjv-5498-mph5', 'GHSA-ch3h-j2vf-95pv']
rubygem-rails5-5.1.7_2: ['GHSA-579w-22j4-4749', 'GHSA-7wjx-3g7j-8584', 'GHSA-9chr-4fjh-5rgw', 'GHSA-cfjv-5498-mph5', 'GHSA-ch3h-j2vf-95pv', 'GHSA-wh98-p28r-vrc9']
rubygem-rails50-5.0.7.2_2: ['GHSA-579w-22j4-4749', 'GHSA-7wjx-3g7j-8584', 'GHSA-9chr-4fjh-5rgw', 'GHSA-cfjv-5498-mph5', 'GHSA-ch3h-j2vf-95pv', 'GHSA-wh98-p28r-vrc9']
rubygem-rails52-5.2.8.1: ['GHSA-579w-22j4-4749', 'GHSA-9chr-4fjh-5rgw']
rubygem-sanitize-6.0.0: ['GHSA-fw3g-2h3j-qmm7']
rubygem-simple_form-4.0.0: ['GHSA-r74q-gxcg-73hx']
rubygem-sinatra1-1.4.8: ['GHSA-qp49-3pvw-x4m5']
rubygem-terser-1.0.2: ['GHSA-4wf5-vphf-c2xc']
rubygem-terser11-1.1.14: ['GHSA-4wf5-vphf-c2xc']
rubygem-time-0.2.2: ['GHSA-wcg3-cvx6-7396']
rubygem-tweetstream-2.6.1_1: ['GHSA-6hrm-jqp3-64cv']
rubygem-twitter-stream-0.1.16_2: ['GHSA-p6p8-q4pj-f74m']
rubygem-unicode-0.4.4.4: ['GHSA-qjf4-7642-c57p']
rubygem-useragent-0.16.10: ['GHSA-pjmx-9xr3-82qr']
send-0.3_4: ['GHSA-jgqf-hwc5-hh37', 'GHSA-pgv6-jrvv-75jp', 'GHSA-xwg4-93c6-3h42']
showdown-0.6_3: ['GHSA-h6mq-3cj6-h738']
svg2png-0.1.3_6: ['GHSA-mpp5-2x55-49xw']
tidy-html5-5.8.0_2: ['OSV-2020-1427', 'OSV-2020-1440']
ua_parser-core-0.5.0_1: ['GHSA-fx7m-j728-mjw3']
unicorn-1.0.2: ['OSV-2020-1373', 'OSV-2020-1409', 'OSV-2020-1410', 'OSV-2020-2180', 'OSV-2020-2305', 'OSV-2020-802', 'OSV-2020-825', 'OSV-2020-837', 'OSV-2021-1046', 'OSV-2021-1230', 'OSV-2021-307', 'OSV-2021-345', 'PYSEC-2021-868']
vmd-1.9.4: ['GHSA-pfr3-87q3-65rc']
wabt-1.0.32: ['OSV-2021-1241', 'OSV-2022-1248', 'OSV-2022-1261', 'OSV-2022-1263', 'OSV-2022-916']
wasm3-0.5.0_2: ['GHSA-77fq-4xf5-hph4', 'GHSA-crf8-h2wq-2h9x']
webbrowser-0.3: ['GHSA-m589-mv4q-p7rj']
zh-opencc-1.0.5_3: ['GHSA-9qh2-6fxg-9m4g']

Best regards,

On Tue, Apr 4, 2023 at 12:31, Hubert Tournier <hubert.tournier@gmail.com> wrote:
I'm OK to do the OSV tool.

Best regards,

On Tue, Apr 4, 2023 at 11:58, void <void@f-m.fm> wrote:
On Sun, Mar 26, 2023 at 12:16:53PM +0200, Hubert Tournier wrote:
>Hello,
>
>While working on pipinfo <https://github.com/HubTou/pipinfo>, an
>alternative Python packages management tool, I noticed that some Python
>packages installed as FreeBSD ports were marked as vulnerable by the Python
>Packaging Authority
><https://warehouse.pypa.io/api-reference/json.html#known-vulnerabilities>
>but not in FreeBSD VuXML <https://www.vuxml.org/freebsd/index.html> ports
>security database.
>
>So I made a pysec2vuxml <https://github.com/HubTou/pysec2vuxml> tool to
>check the 4,000+ FreeBSD ports for Python packages and found 45 of them
>vulnerable and unreported
><https://github.com/HubTou/pysec2vuxml/blob/main/results.txt>.
>
>I started producing new VuXML entries
><https://github.com/HubTou/pysec2vuxml/blob/main/vuxml_newentries.txt> for
>these vulnerable ports. *Please tell me if it's worth pursuing this effort?*
>
>In order to verify if these vulnerable ports were also marked as
>vulnerable in FreeBSD VuXML, I made a Python VuXML handling library and got
>carried away writing a whole utility, vuxml
><https://github.com/HubTou/vuxml>, to demonstrate its use. This could be of
>general interest to some of you?
>
>Best regards,
>
>PS: this approach could be extended to Rust crates, Ruby gems and so on
>with the vulnerabilities described in the OSV <https://osv.dev/>...
+1 ^^^ really good idea

Probably best to ask in freebsd-hackers@ as devs are likely to
read this there
--
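The ports-to-OSV matching the thread describes, as an added example that is not part of any message above and is not code from the pysec2vuxml or vuxml projects. It parses FreeBSD package names of the form shown in the list (NAME-VERSION[_REVISION][,EPOCH]), maps a pyNN- or rubygem- prefix to an OSV ecosystem and strips a trailing version-branch suffix such as "setuptools58" (both are assumed conventions, not something the thread states), then evaluates OSV-schema affected ranges. The OSV records, package names and vulnerability IDs inside it are constructed for the example.

```python
"""Match FreeBSD package names against OSV-format vulnerability records.

Example code added for this thread, not the pysec2vuxml or vuxml tools.
Assumed (not stated in the thread): package names are NAME-VERSION[_REV][,EPOCH],
Python ports carry a "pyNN-" prefix, Ruby ports a "rubygem-" prefix, and a
trailing digit run on a port name ("setuptools58") is a version-branch suffix.
"""
import json
import re

# Constructed OSV-shaped records (schema fields affected[].package,
# affected[].versions, affected[].ranges[].events); names and IDs are fictional.
SAMPLE_OSV_RECORDS = json.loads("""[
 {"id": "EXAMPLE-2023-0001", "affected": [{"package": {"ecosystem": "PyPI", "name": "examplepkg"},
   "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "0"}, {"fixed": "1.4.0"}]}]}]},
 {"id": "EXAMPLE-2023-0002", "affected": [{"package": {"ecosystem": "RubyGems", "name": "examplegem"},
   "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "2.0.0"}, {"fixed": "2.3.1"}]}]}]},
 {"id": "EXAMPLE-2023-0003", "affected": [{"package": {"ecosystem": "PyPI", "name": "widget"},
   "versions": ["0.5.0", "0.5.1"]}]}
]""")

PKGNAME_RE = re.compile(r"^(?P<name>.+)-(?P<version>[^-]+)$")


def parse_pkgname(pkgname):
    """Split 'name-version[_rev][,epoch]' into (port name, upstream version)."""
    m = PKGNAME_RE.match(pkgname)
    if not m:
        raise ValueError(f"not a FreeBSD package name: {pkgname!r}")
    version = m.group("version").split(",", 1)[0]  # drop PORTEPOCH
    return m.group("name"), version.split("_", 1)[0]  # drop PORTREVISION


def ecosystem_and_name(portname):
    """Map a port name to (OSV ecosystem, upstream name); ecosystem None if unknown."""
    m = re.match(r"^py\d+-(.+)$", portname)
    if m:
        return "PyPI", m.group(1)
    if portname.startswith("rubygem-"):
        return "RubyGems", portname[len("rubygem-"):]
    return None, portname


def candidate_names(name):
    """Yield the name, then the name minus a trailing version-branch suffix.
    The stripped form ("sqlalchemy10" -> "sqlalchemy") is a heuristic and is
    where false positives come from ("json5" -> "json")."""
    yield name
    stripped = re.sub(r"\d+$", "", name)
    if stripped and stripped != name:
        yield stripped


def version_key(v):
    """Crude ordering for dotted numeric versions; not PEP 440 or Gem::Version."""
    return tuple(int(p) if p.isdigit() else -1 for p in v.split("."))


def is_affected(version, affected):
    """Apply OSV's explicit version list and ECOSYSTEM/SEMVER event ranges."""
    if version in affected.get("versions", []):
        return True
    v = version_key(version)
    for rng in affected.get("ranges", []):
        if rng.get("type") not in ("ECOSYSTEM", "SEMVER"):
            continue  # GIT ranges need commit history; out of scope here
        introduced = None
        for ev in rng.get("events", []):
            if "introduced" in ev:
                introduced = version_key(ev["introduced"])
            elif "fixed" in ev and introduced is not None:
                if introduced <= v < version_key(ev["fixed"]):
                    return True
                introduced = None
        if introduced is not None and v >= introduced:
            return True  # introduced and never fixed: open-ended range
    return False


def find_vulns(pkgname, records=SAMPLE_OSV_RECORDS):
    """Return sorted (vuln id, OSV package name that matched) pairs."""
    portname, version = parse_pkgname(pkgname)
    ecosystem, name = ecosystem_and_name(portname)
    if ecosystem is None:
        return []
    hits = set()
    for rec in records:
        for aff in rec.get("affected", []):
            pkg = aff.get("package", {})
            if pkg.get("ecosystem") != ecosystem:
                continue
            for cand in candidate_names(name):
                if pkg.get("name") == cand and is_affected(version, aff):
                    hits.add((rec["id"], cand))
                    break
    return sorted(hits)


if __name__ == "__main__":
    # Constructed package names in the same form as the list above.
    for pkg in ("py39-examplepkg-1.2.0_1", "py39-examplepkg-1.4.0",
                "rubygem-examplegem-2.2.0_1,1", "py39-widget2-0.5.0", "gtar-1.34"):
        print(f"{pkg}: {find_vulns(pkg)}")
```

Running it prints one line per constructed package. The widget2 hit shows the trailing-digit heuristic at work: it is what lets a name like py39-sqlalchemy10 reach the upstream sqlalchemy record, and also what makes py39-json5 look like json, so matches reported via the stripped name are the ones to review first when triaging a list like the one above. For real use, replace the inline records with results from osv.dev (the API's /v1/query endpoint takes a package name, ecosystem and version) and the crude version_key with PEP 440 or Gem::Version comparison; the fixed-version boundary is exclusive, as the 1.4.0 case shows.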