Date:      Sun, 23 Apr 2023 18:53:57 +0200
From:      Hubert Tournier <hubert.tournier@gmail.com>
To:        FreeBSD-security@freebsd.org
Subject:   Re: 45 vulnerable ports unreported in VuXML
Message-ID:  <CADr+mw92ReA06UC5HRPaha415+6j=+xGsXiHwfGxGX6HpqFbBQ@mail.gmail.com>
In-Reply-To: <CADr+mw86a4XmRvmTPp+4GUN7c90C_suzK4bm2M7p6QUWY-M-Fw@mail.gmail.com>
References:  <CADr+mw-oh0txuXXoMptYOXBj1uwWNdeAESX6aE_iZxheFgY8gw@mail.gmail.com> <CADr+mw8KzSyoVFKkFG7REAA8c9yC27cmdTt7P+nEN5Gg7Yeo_A@mail.gmail.com> <ZCv00k-jL__tYYWG@int21h> <CADr+mw86a4XmRvmTPp+4GUN7c90C_suzK4bm2M7p6QUWY-M-Fw@mail.gmail.com>

Hello,

Here's a little progress report on the osv2vuxml tool development.
I'm now up to the point where I can identify vulnerable (current version)
FreeBSD ports from all the OSV "ecosystems".
But I still have to check which are not yet reported in VuXML and generate
an entry skeleton for them, like I did with pysec2vuxml.
I think I'll be able to publish something in a couple of weeks...

Note that identifying a vulnerable port implies either finding a matching
name (not always reliable with port prefixes / flavours / versions in port
suffixes) or a matching source web site (better IMO, but there are 2576
ports out of 33565 that don't have that information).
I may find more vulnerable ports in the future by delving deeper into the
data, especially if I can find matches with software packaged for Linux,
Debian, Alpine and Android ecosystems...
Also naming of FreeBSD ports for Go gems, Rust crates and others seems to be
less consistent than for Python, Ruby and PHP packages.

So here's what's reported so far:

Ecosystem      / Language   / vulnerabilities / affected ports / vulns for affected ports
-----------------------------------------------------------------------------------------
Go             / Go         / 1360 /  6 /  24
Hex            / Erlang     /   21 /  0 /   0
Maven          / Java       / 3462 /  8 /   8
NuGet          / .Net       /  267 /  3 /   3
Packagist      / PHP        / 1484 /  0 /   0
Pub            / Dart       /    5 /  0 /   0
PyPI           / Python     / 3955 / 61 / 166
RubyGems       / Ruby       /  669 / 45 / 118
crates.io      / Rust       / 1133 / 14 /  33
npm            / JavaScript / 2962 / 57 /  83
-----------------------------------------------------------------------------------------
GSD            / -          /    7 /  0 /   0
GitHub Actions / -          /    8 /  0 /   0
OSS-Fuzz       / -          / 2870 / 21 /  85
UVI            / -          /    1 /  0 /   0
-----------------------------------------------------------------------------------------
215 affected ports in their current version, accounting for 520 vulnerabilities

And here's a preliminary detailed list of vulnerable ports with associated
vulnerability IDs (there might be a few false positives inside!).
Hopefully, it includes many vulnerabilities already reported in VuXML (at
least many of those listed for Python have already been reported with
pysec2vuxml):

2bsd-diff-2.11.1_1: ['GHSA-h6ch-v84p-w6p9']
R-cran-ini-0.3.1: ['GHSA-qqgx-2p2h-9c37']
R-cran-mime-0.12: ['GHSA-wrvr-8mpx-r7pp']
R-cran-rio-0.5.29: ['GHSA-8rc5-mr4f-m243']
R-cran-xopen-1.0.0: ['GHSA-74wf-cwjg-9cf2']
b2-1.3.8_1: ['GHSA-8wr4-2wm6-w3pr', 'PYSEC-2022-32']
bcrypt-1.1: ['GHSA-5wg4-74h6-q47v']
blitz-1.0.2_4: ['GHSA-5888-ffcr-r425']
capstone4-4.0.2: ['OSV-2020-438']
comrak-0.15.0_3: ['GHSA-5r3x-p7xx-x6q5', 'GHSA-8hqf-xjwp-p67v',
'GHSA-xxmq-4vph-956w']
containers-0.9.0_2: ['GHSA-cv7x-6rc6-pq5v', 'RUSTSEC-2021-0010']
coreos-etcd-2.3.8_18: ['GHSA-4993-m7g5-r9hh', 'GHSA-528j-9r78-wffx',
'GHSA-9gp7-6833-wv89', 'GHSA-h8g9-6gvh-5mrc', 'GHSA-m332-53r6-2w93',
'GHSA-p4g4-wgrh-qrg2']
coreos-etcd31-3.1.20_17: ['GHSA-4993-m7g5-r9hh', 'GHSA-528j-9r78-wffx',
'GHSA-9gp7-6833-wv89', 'GHSA-h8g9-6gvh-5mrc', 'GHSA-m332-53r6-2w93',
'GHSA-p4g4-wgrh-qrg2']
coreos-etcd32-3.2.32_15: ['GHSA-4993-m7g5-r9hh', 'GHSA-528j-9r78-wffx',
'GHSA-9gp7-6833-wv89', 'GHSA-h8g9-6gvh-5mrc', 'GHSA-m332-53r6-2w93',
'GHSA-p4g4-wgrh-qrg2']
date-3.0.1: ['GHSA-qg54-694p-wgpp']
deluge-2.0.3_3,2: ['GHSA-5c8p-qhch-qhx6', 'PYSEC-2022-256']
deluge-cli-2.0.3_4: ['GHSA-5c8p-qhch-qhx6', 'PYSEC-2022-256']
dojo-1.12.2: ['GHSA-536q-8gxx-m782', 'GHSA-jxfh-8wgv-vfr2',
'GHSA-m8gw-hjpr-rjv7']
draco-3d-compression-1.5.6: ['OSV-2020-778', 'OSV-2020-800',
'OSV-2020-824', 'OSV-2020-828', 'OSV-2021-1082']
espeak-ng-1.51.1_3: ['OSV-2021-1024', 'OSV-2021-1041', 'OSV-2021-1110',
'OSV-2021-1141', 'OSV-2021-1157', 'OSV-2021-765', 'OSV-2021-787',
'OSV-2021-802', 'OSV-2022-462', 'OSV-2022-519', 'OSV-2022-530']
flatbuffers205-2.0.5: ['GHSA-3jch-9qgp-4844', 'RUSTSEC-2021-0122']
go-protobuf-1.3.2_12,1: ['GHSA-77rm-9x9h-xj3g', 'GHSA-jwvw-v7c5-m82h',
'GHSA-mh6h-f25p-98f8']
got-0.87: ['GHSA-pfrx-2q88-qq97']
gstreamer1-1.22.0_1: ['OSV-2022-1168']
gtar-1.34: ['GHSA-3jfq-g458-7qm9', 'GHSA-5955-9wpr-37jh',
'GHSA-9r2w-394v-53qc', 'GHSA-gfjr-3jmm-4g9v', 'GHSA-j44m-qm6p-hp7m',
'GHSA-qq89-hq3f-393p', 'GHSA-r628-mhmh-qjhw']
guake-3.4.0_3: ['GHSA-7x48-7466-3g33', 'PYSEC-2022-165']
harfbuzz-7.1.0: ['OSV-2023-137', 'OSV-2023-170', 'OSV-2023-222',
'OSV-2023-323']
harp-0.6.0_3: ['GHSA-46hv-7769-j7rx', 'GHSA-6fmm-47qc-p4m4']
jbig2dec-0.19: ['OSV-2020-822']
leptonica-1.82.0: ['OSV-2022-69', 'OSV-2022-91']
libnotify-0.8.2: ['GHSA-6898-wx94-8jq8']
libraw-0.21.1: ['OSV-2022-819', 'OSV-2023-184', 'OSV-2023-90']
libredwg-0.12.4: ['OSV-2021-1086', 'OSV-2021-620', 'OSV-2021-771',
'OSV-2022-129', 'OSV-2022-363']
libsass-3.6.5: ['OSV-2020-1420', 'OSV-2020-862', 'OSV-2021-508',
'OSV-2022-896']
libucl-0.8.2: ['OSV-2021-1261', 'OSV-2022-494', 'OSV-2023-321',
'OSV-2023-78']
log4net-1.2.10_3: ['GHSA-2cwj-8chv-9pp9']
lua51-bcrypt-2.3.1: ['GHSA-5wg4-74h6-q47v']
lua51-json-1.3.4_1: ['GHSA-3c6g-pvg8-gqw2']
lua52-bcrypt-2.3.1: ['GHSA-5wg4-74h6-q47v']
lua52-json-1.3.4_1: ['GHSA-3c6g-pvg8-gqw2']
lua53-bcrypt-2.3.1: ['GHSA-5wg4-74h6-q47v']
lua53-json-1.3.4_1: ['GHSA-3c6g-pvg8-gqw2']
lua54-bcrypt-2.3.1: ['GHSA-5wg4-74h6-q47v']
lua54-json-1.3.4_1: ['GHSA-3c6g-pvg8-gqw2']
mingw32-libyaml-0.1.6_2: ['GHSA-m75h-cghq-c8h5']
mitmproxy-7.0.4_2: ['GHSA-gcx2-gvj7-pxv3', 'PYSEC-2022-170']
mongoose-5.6: ['GHSA-8687-vv9j-hgph', 'GHSA-f825-f98c-gj3g']
nlohmann-json-3.11.2: ['GHSA-3c6g-pvg8-gqw2']
ocaml-mysql-1.2.4: ['GHSA-fvq6-55gv-jx9f']
opa-0.41.0_11: ['GHSA-2m4x-4q9j-w97g', 'GHSA-f524-rf33-2jjr']
open-1.4: ['GHSA-28xh-wpgr-7fm8']
opencv-4.6.0_6: ['OSV-2022-394', 'GHSA-f698-m2v9-5fh3',
'GHSA-mc7w-4cjf-c973']
opensc-0.23.0: ['OSV-2022-1175', 'OSV-2022-1188', 'OSV-2022-1201',
'OSV-2022-1232']
p5-mem-0.4.7: ['GHSA-4xcv-9jjx-gfj3']
php80-opencc-0.0.0.20201211: ['GHSA-9qh2-6fxg-9m4g']
php80-pecl-mongodb-1.15.1: ['GHSA-4rjr-3gj2-5crq', 'GHSA-mh5c-679w-hh4r']
php80-pecl-mustache-0.9.3: ['GHSA-3233-rgx3-c2wh', 'GHSA-w3w8-37jv-2c58']
php80-pecl-ssh2-1.3.1: ['GHSA-652h-xwhf-q4h6']
php81-opencc-0.0.0.20201211: ['GHSA-9qh2-6fxg-9m4g']
php81-pecl-mongodb-1.15.1: ['GHSA-4rjr-3gj2-5crq', 'GHSA-mh5c-679w-hh4r']
php81-pecl-mustache-0.9.3: ['GHSA-3233-rgx3-c2wh', 'GHSA-w3w8-37jv-2c58']
php81-pecl-ssh2-1.3.1: ['GHSA-652h-xwhf-q4h6']
php82-opencc-0.0.0.20201211: ['GHSA-9qh2-6fxg-9m4g']
php82-pecl-mongodb-1.15.1: ['GHSA-4rjr-3gj2-5crq', 'GHSA-mh5c-679w-hh4r']
php82-pecl-mustache-0.9.3: ['GHSA-3233-rgx3-c2wh', 'GHSA-w3w8-37jv-2c58']
php82-pecl-ssh2-1.3.1: ['GHSA-652h-xwhf-q4h6']
pidgin-libnotify-0.14_15: ['GHSA-6898-wx94-8jq8']
postgresql13-semver-0.31.2: ['GHSA-x6fg-f45m-jf5q']
protobuf25-2.5.0_5: ['GHSA-77rm-9x9h-xj3g', 'GHSA-jwvw-v7c5-m82h',
'GHSA-8gq9-2x98-w8hf', 'PYSEC-2017-65', 'PYSEC-2022-48',
'GHSA-mh6h-f25p-98f8', 'RUSTSEC-2019-0003']
py27-setuptools44-44.1.1: ['GHSA-r9hx-vwmv-q579']
py310-setuptools-63.1.0: ['GHSA-r9hx-vwmv-q579']
py310-setuptools58-58.5.3_2: ['GHSA-r9hx-vwmv-q579']
py311-setuptools-63.1.0: ['GHSA-r9hx-vwmv-q579']
py311-setuptools58-58.5.3_2: ['GHSA-r9hx-vwmv-q579']
py37-setuptools-63.1.0: ['GHSA-r9hx-vwmv-q579']
py37-setuptools58-58.5.3_2: ['GHSA-r9hx-vwmv-q579']
py38-setuptools-63.1.0: ['GHSA-r9hx-vwmv-q579']
py38-setuptools58-58.5.3_2: ['GHSA-r9hx-vwmv-q579']
py39-Flask-Cors-3.0.8: ['GHSA-xc3p-ff3m-f46v']
py39-WsgiDAV-3.1.0: ['GHSA-xx6g-jj35-pxjv']
py39-ansible-7.1.0: ['PYSEC-2020-220', 'PYSEC-2020-221', 'PYSEC-2021-125']
py39-arrow-1.2.3: ['GHSA-h588-76vg-prgj', 'GHSA-qgrp-8f3v-q85p',
'GHSA-r7cj-wmwv-hfw5', 'RUSTSEC-2021-0116', 'RUSTSEC-2021-0117',
'RUSTSEC-2021-0118']
py39-bcrypt-3.2.2: ['GHSA-5wg4-74h6-q47v']
py39-beaker-1.12.1: ['PYSEC-2020-216']
py39-branca-0.6.0: ['GHSA-c9rv-3jmq-527w', 'RUSTSEC-2020-0075']
py39-capstone-4.0.2: ['OSV-2020-438']
py39-celery-4.4.7: ['GHSA-q4xr-rc97-m4xx', 'PYSEC-2021-858']
py39-cinder-12.0.10_22: ['GHSA-7h75-hwxx-qpgc', 'GHSA-qhch-g8qr-p497',
'PYSEC-2020-228']
py39-codecov-2.1.12: ['GHSA-5q88-cjfq-g2mh', 'GHSA-mh2h-6j8q-x246',
'GHSA-xp63-6vf5-xf3v']
py39-configobj-5.0.8: ['GHSA-c33w-24p9-8m24']
py39-cryptography-3.4.8_1,1: ['GHSA-w7pp-m8wf-vj6r', 'GHSA-x4qr-2fvf-3mr5']
py39-django-photologue-3.15_1: ['GHSA-287q-jfcp-9vhv']
py39-django-tinymce-3.6.1: ['GHSA-r8hm-w5f7-wj39']
py39-dparse-0.5.1: ['GHSA-8fg9-p83m-x5pq', 'PYSEC-2022-301']
py39-flask-caching-1.9.0: ['GHSA-656c-6cxf-hvcv', 'PYSEC-2021-13']
py39-flask-security-3.0.0_1: ['GHSA-cg8c-gc2j-2wf7']
py39-flatbuffers-2.0: ['GHSA-3jch-9qgp-4844', 'RUSTSEC-2021-0122']
py39-gstreamer1-1.20.5: ['OSV-2022-1089', 'OSV-2022-1168']
py39-httpie-3.0.2: ['GHSA-6pc9-xqrg-wfqw', 'GHSA-9w4w-cpc8-h2fq',
'PYSEC-2022-167', 'PYSEC-2022-34']
py39-httpx013-0.13.3_3: ['GHSA-h8pj-cxx2-jfg2', 'PYSEC-2022-183']
py39-impacket-0.9.17_1: ['GHSA-mj63-64x7-57xf', 'PYSEC-2021-17']
py39-jmespath-1.0.1: ['GHSA-5c5f-7vfq-3732']
py39-joblib-1.1.0: ['GHSA-6hrg-qmvc-2xh8', 'PYSEC-2022-288']
py39-json5-0.9.11: ['GHSA-9c47-m6qq-7p4h']
py39-jsonpointer-2.0: ['GHSA-282f-qqgm-c34q']
py39-kerberos-1.3.1: ['PYSEC-2017-49']
py39-lmdb-0.97: ['PYSEC-2019-236', 'PYSEC-2019-237', 'PYSEC-2019-238',
'PYSEC-2019-239', 'PYSEC-2019-240']
py39-markdown2-2.3.6: ['GHSA-fv3h-8x5j-pvgq', 'GHSA-jr9p-r423-9m2r',
'PYSEC-2020-65', 'PYSEC-2021-20']
py39-mime-0.1.0: ['GHSA-wrvr-8mpx-r7pp']
py39-nbdime-3.1.1_1: ['GHSA-p6rw-44q7-3fw4']
py39-nicotine-plus-3.2.0_1: ['GHSA-p4v2-r99v-wjc2']
py39-parse-1.19.0: ['GHSA-wvh7-5p38-2qfc']
py39-psutil121-1.2.1_2: ['GHSA-qfc5-mcwq-26q8', 'PYSEC-2019-41']
py39-py-1.11.0: ['GHSA-w596-4wvx-j9j6', 'PYSEC-2022-42969']
py39-pycares-4.1.2: ['GHSA-c58j-88f5-h53f']
py39-pygments-25-2.5.2: ['GHSA-9w8r-397f-prfh', 'GHSA-pq64-v7f5-gqh8',
'PYSEC-2021-140', 'PYSEC-2021-141']
py39-pyinstaller-3.5_1: ['GHSA-7fcj-pq9j-wh2r', 'PYSEC-2020-175',
'PYSEC-2020-194']
py39-pymatgen-2022.7.19: ['GHSA-5jqp-885w-xj32']
py39-pysaml24-4.9.0_1: ['GHSA-5p3x-r448-pc62', 'GHSA-f4g9-h89h-jgv9',
'GHSA-qf7v-8hj3-4xw7', 'PYSEC-2020-94', 'PYSEC-2021-48', 'PYSEC-2021-49']
py39-redis2-2.10.6_2: ['GHSA-24wv-mv5m-xv4h', 'GHSA-8fww-64cx-x8p5',
'GHSA-35q2-47q7-3pc3']
py39-redis3-3.5.3: ['GHSA-24wv-mv5m-xv4h', 'GHSA-8fww-64cx-x8p5']
py39-rencode-1.0.6_1: ['GHSA-gh8j-2pgf-x458', 'PYSEC-2021-345']
py39-semver-2.13.0: ['GHSA-x6fg-f45m-jf5q']
py39-sentry-sdk-1.5.12: ['GHSA-29pr-6jr8-q5jm']
py39-setuptools-63.1.0: ['GHSA-r9hx-vwmv-q579']
py39-setuptools58-58.5.3_2: ['GHSA-r9hx-vwmv-q579']
py39-slixmpp-1.7.1: ['GHSA-q6cq-m9gm-6q2f']
py39-sqlalchemy10-1.0.14: ['GHSA-38fc-9xqv-7f7q', 'GHSA-887w-45rq-vxgf',
'PYSEC-2019-123', 'PYSEC-2019-124', 'PYSEC-2019-53', 'PYSEC-2019-54']
py39-sqlalchemy11-1.1.18: ['GHSA-38fc-9xqv-7f7q', 'GHSA-887w-45rq-vxgf',
'PYSEC-2019-123', 'PYSEC-2019-124', 'PYSEC-2019-53', 'PYSEC-2019-54']
py39-sqlalchemy12-1.2.19: ['GHSA-38fc-9xqv-7f7q', 'GHSA-887w-45rq-vxgf']
py39-suds-1.1.2: ['PYSEC-2013-32']
py39-tensorflow-2.9.1_7: ['GHSA-27rc-728f-x5w2', 'GHSA-368v-7v32-52fx',
'GHSA-49rq-hwc3-x77w', 'GHSA-54pp-c6pp-7fpx', 'GHSA-558h-mq8x-7q9g',
'GHSA-5w96-866f-6rm8', 'GHSA-647v-r7qq-24fh', 'GHSA-64jg-wjww-7c5w',
'GHSA-66vq-54fq-6jvv', 'GHSA-67pf-62xr-q35m', 'GHSA-68v3-g9cm-rmm6',
'GHSA-6hg6-5c2q-7rcr', 'GHSA-6wfh-89q8-44jq', 'GHSA-6x99-gv2v-q76v',
'GHSA-7jvm-xxmr-v5cw', 'GHSA-7x4v-9gxg-9hwj', 'GHSA-8fvv-46hw-vpg3',
'GHSA-8w5g-3wcv-9g2j', 'GHSA-93vr-9q9m-pj8p', 'GHSA-94mm-g2mv-8p7r',
'GHSA-cg88-rpvp-cjv5', 'GHSA-cqvq-fvhr-v6hc', 'GHSA-f2w8-jw48-fr7j',
'GHSA-f49c-87jh-g47q', 'GHSA-f637-vh3r-vfh2', 'GHSA-fqm2-gh8w-gr68',
'GHSA-frqp-wp83-qggv', 'GHSA-fxgc-95xx-grvq', 'GHSA-g9fm-r5mm-rf9f',
'GHSA-gf97-q72m-7579', 'GHSA-gq2j-cr96-gvqx', 'GHSA-gw97-ff7c-9v96',
'GHSA-h246-cgh4-7475', 'GHSA-h6q3-vv32-2cq5', 'GHSA-hq7g-wwwp-q46h',
'GHSA-j5w9-hmfh-4cr6', 'GHSA-jq6x-99hj-q636', 'GHSA-mgmh-g2v6-mqw5',
'GHSA-mv77-9g28-cwg3', 'GHSA-pf36-r9c6-h97j', 'GHSA-qjqc-vqcf-5qvj',
'GHSA-rcf8-g8jv-vg6p', 'GHSA-rjx6-v474-2ch9', 'GHSA-rmg2-f698-wq35',
'GHSA-xf83-q765-xm6m', 'GHSA-xvwp-h6jv-7472', 'GHSA-xxcj-rhqg-m46g']
py39-treq-20.9.0: ['GHSA-fhpf-pp6p-55qc']
py39-unicorn-1.0.2: ['OSV-2020-1373', 'OSV-2020-1409', 'OSV-2020-1410',
'OSV-2020-2180', 'OSV-2020-2305', 'OSV-2020-802', 'OSV-2020-825',
'OSV-2020-837', 'OSV-2021-1046', 'OSV-2021-1230', 'OSV-2021-307',
'OSV-2021-345', 'PYSEC-2021-868']
py39-wagtail-4.2_2: ['GHSA-33pv-vcgh-jfg9', 'GHSA-5286-f2rf-35c2']
py39-whois-0.9.13: ['GHSA-97jv-c342-5xhc']
radare2-5.8.4: ['OSV-2022-1137', 'OSV-2022-993', 'OSV-2023-35',
'OSV-2023-96']
rubygem-actionpack4-4.2.11.3: ['GHSA-7wjx-3g7j-8584',
'GHSA-8xww-x3g3-6jcv', 'GHSA-9chr-4fjh-5rgw', 'GHSA-hjg4-8q5f-x6fm',
'GHSA-p84v-45xj-wwqj']
rubygem-actionpack5-5.1.7_1: ['GHSA-7wjx-3g7j-8584', 'GHSA-8727-m6gj-mc37',
'GHSA-8xww-x3g3-6jcv', 'GHSA-9chr-4fjh-5rgw', 'GHSA-hjg4-8q5f-x6fm',
'GHSA-jp5v-5gx4-jmj9', 'GHSA-p84v-45xj-wwqj', 'GHSA-wh98-p28r-vrc9']
rubygem-actionpack50-5.0.7.2_2: ['GHSA-7wjx-3g7j-8584',
'GHSA-8727-m6gj-mc37', 'GHSA-8xww-x3g3-6jcv', 'GHSA-9chr-4fjh-5rgw',
'GHSA-hjg4-8q5f-x6fm', 'GHSA-jp5v-5gx4-jmj9', 'GHSA-p84v-45xj-wwqj',
'GHSA-wh98-p28r-vrc9']
rubygem-actionpack52-5.2.8.1_1: ['GHSA-8xww-x3g3-6jcv',
'GHSA-9chr-4fjh-5rgw', 'GHSA-p84v-45xj-wwqj']
rubygem-actionpack60-6.0.6.1: ['GHSA-8xww-x3g3-6jcv',
'GHSA-9chr-4fjh-5rgw', 'GHSA-p84v-45xj-wwqj']
rubygem-actionpack61-6.1.7.3: ['GHSA-9chr-4fjh-5rgw']
rubygem-actionview4-4.2.11.3: ['GHSA-65cv-r6x7-79hv',
'GHSA-cfjv-5498-mph5', 'GHSA-ch3h-j2vf-95pv']
rubygem-actionview5-5.1.7: ['GHSA-65cv-r6x7-79hv', 'GHSA-cfjv-5498-mph5',
'GHSA-ch3h-j2vf-95pv', 'GHSA-xq5j-gw7f-jgj8']
rubygem-actionview50-5.0.7.2: ['GHSA-65cv-r6x7-79hv',
'GHSA-cfjv-5498-mph5', 'GHSA-ch3h-j2vf-95pv', 'GHSA-xq5j-gw7f-jgj8']
rubygem-activerecord4-4.2.11.3: ['GHSA-3hhc-qp5v-9p2j',
'GHSA-579w-22j4-4749']
rubygem-activerecord5-5.1.7: ['GHSA-3hhc-qp5v-9p2j', 'GHSA-579w-22j4-4749',
'GHSA-8hc4-xxm3-5ppp']
rubygem-activerecord50-5.0.7.2: ['GHSA-3hhc-qp5v-9p2j',
'GHSA-579w-22j4-4749', 'GHSA-8hc4-xxm3-5ppp']
rubygem-activerecord52-5.2.8.1: ['GHSA-579w-22j4-4749']
rubygem-activerecord60-6.0.6.1: ['GHSA-579w-22j4-4749']
rubygem-activeresource4-4.1.0: ['GHSA-46j2-xjgp-jrfm']
rubygem-activesupport4-4.2.11.3: ['GHSA-j6gc-792m-qgm2',
'GHSA-pj73-v5mw-pm9j']
rubygem-activesupport5-5.1.7_1: ['GHSA-2p68-f74v-9wc6',
'GHSA-j6gc-792m-qgm2', 'GHSA-pj73-v5mw-pm9j']
rubygem-activesupport50-5.0.7.2_1: ['GHSA-2p68-f74v-9wc6',
'GHSA-j6gc-792m-qgm2', 'GHSA-pj73-v5mw-pm9j']
rubygem-activesupport52-5.2.8.1: ['GHSA-j6gc-792m-qgm2',
'GHSA-pj73-v5mw-pm9j']
rubygem-activesupport60-6.0.6.1: ['GHSA-j6gc-792m-qgm2',
'GHSA-pj73-v5mw-pm9j']
rubygem-async-2.5.0: ['GHSA-fwr7-v2mv-hh25']
rubygem-aws-sdk2-2.11.632: ['GHSA-rrc9-gqf8-8rwg']
rubygem-base64-0.1.1: ['GHSA-x67x-vg9m-65c3', 'RUSTSEC-2017-0004']
rubygem-bcrypt-3.1.18: ['GHSA-5wg4-74h6-q47v']
rubygem-bootstrap-sass-3.4.1: ['GHSA-9v3m-8fp8-mj99']
rubygem-cairo-1.17.8: ['OSV-2023-298']
rubygem-cookiejar-0.3.3: ['GHSA-h452-7996-h45h']
rubygem-cose-1.2.0: ['GHSA-746g-3gfp-hfhw']
rubygem-debug-1.7.2: ['GHSA-9vvw-cc9w-f27h', 'GHSA-gxpj-cx7g-858c']
rubygem-foreman-0.87.2: ['GHSA-xm28-fw2x-fqv2']
rubygem-generator-0.0.1: ['GHSA-6c65-xcf5-299x', 'GHSA-h6gg-fvf5-qgwf',
'GHSA-w3g5-2848-2v8r', 'RUSTSEC-2019-0020', 'RUSTSEC-2020-0151']
rubygem-globalid-0.4.2: ['GHSA-23c2-gwp5-pxw9']
rubygem-gon-rails5-6.2.1: ['GHSA-78vq-9j56-wrfr']
rubygem-gon-rails50-6.2.1: ['GHSA-78vq-9j56-wrfr']
rubygem-httparty-0.20.0: ['GHSA-5pq7-52mg-hr42']
rubygem-ini-0.1.1: ['GHSA-qqgx-2p2h-9c37']
rubygem-json-2.6.3: ['GHSA-3c6g-pvg8-gqw2']
rubygem-json1-1.8.6: ['GHSA-3c6g-pvg8-gqw2', 'GHSA-jphg-qwrw-7w9g']
rubygem-kramdown1-1.17.0: ['GHSA-52p9-v744-mwjj', 'GHSA-mqm2-cgpr-p4m6']
rubygem-mqtt-0.6.0: ['GHSA-hg78-c92r-hvwr']
rubygem-mustache-1.1.1: ['GHSA-3233-rgx3-c2wh', 'GHSA-w3w8-37jv-2c58']
rubygem-mustache0-0.99.8: ['GHSA-3233-rgx3-c2wh', 'GHSA-w3w8-37jv-2c58']
rubygem-mysql-2.9.1_1: ['GHSA-5f7m-mmpc-qhh4']
rubygem-netaddr-2.0.1: ['GHSA-49pj-69vf-c689']
rubygem-nokogiri111-1.11.7_2: ['GHSA-2qc6-mcvw-92cw',
'GHSA-2rr5-8q37-2w7h', 'GHSA-cgx6-hpwq-fhv5', 'GHSA-crjr-9rc5-ghw8',
'GHSA-fq42-c5rg-92c2', 'GHSA-gx8x-g87m-h5q6', 'GHSA-pxvg-2qj5-37jq',
'GHSA-v6gp-9mmm-c6p5', 'GHSA-xh29-r2w5-wx8m', 'GHSA-xxx9-3xcr-gjj3']
rubygem-omniauth1-1.9.2_1: ['GHSA-ww4x-rwq6-qpgf']
rubygem-oxidized-web-0.13.1_4: ['GHSA-8qwh-rm6c-jv96']
rubygem-pdfkit-0.8.7: ['GHSA-rhwx-hjx2-x4qr']
rubygem-pg-1.4.6: ['GHSA-wc9v-mj63-m9g5']
rubygem-pg13-1.3.5: ['GHSA-wc9v-mj63-m9g5']
rubygem-pghero-rails5-2.8.3: ['GHSA-vf99-xw26-86g5']
rubygem-pghero-rails50-2.8.3: ['GHSA-vf99-xw26-86g5']
rubygem-rack16-1.6.13: ['GHSA-3h57-hmj3-gj3p', 'GHSA-5f9h-9pjv-v6j7',
'GHSA-65f5-mfpf-vfhj', 'GHSA-hxqx-xwvh-44m2', 'GHSA-j6w9-fv6q-3q52',
'GHSA-wq4h-7r42-5hrr']
rubygem-rails4-4.2.11.3: ['GHSA-579w-22j4-4749', 'GHSA-7wjx-3g7j-8584',
'GHSA-9chr-4fjh-5rgw', 'GHSA-cfjv-5498-mph5', 'GHSA-ch3h-j2vf-95pv']
rubygem-rails5-5.1.7_2: ['GHSA-579w-22j4-4749', 'GHSA-7wjx-3g7j-8584',
'GHSA-9chr-4fjh-5rgw', 'GHSA-cfjv-5498-mph5', 'GHSA-ch3h-j2vf-95pv',
'GHSA-wh98-p28r-vrc9']
rubygem-rails50-5.0.7.2_2: ['GHSA-579w-22j4-4749', 'GHSA-7wjx-3g7j-8584',
'GHSA-9chr-4fjh-5rgw', 'GHSA-cfjv-5498-mph5', 'GHSA-ch3h-j2vf-95pv',
'GHSA-wh98-p28r-vrc9']
rubygem-rails52-5.2.8.1: ['GHSA-579w-22j4-4749', 'GHSA-9chr-4fjh-5rgw']
rubygem-sanitize-6.0.0: ['GHSA-fw3g-2h3j-qmm7']
rubygem-simple_form-4.0.0: ['GHSA-r74q-gxcg-73hx']
rubygem-sinatra1-1.4.8: ['GHSA-qp49-3pvw-x4m5']
rubygem-terser-1.0.2: ['GHSA-4wf5-vphf-c2xc']
rubygem-terser11-1.1.14: ['GHSA-4wf5-vphf-c2xc']
rubygem-time-0.2.2: ['GHSA-wcg3-cvx6-7396']
rubygem-tweetstream-2.6.1_1: ['GHSA-6hrm-jqp3-64cv']
rubygem-twitter-stream-0.1.16_2: ['GHSA-p6p8-q4pj-f74m']
rubygem-unicode-0.4.4.4: ['GHSA-qjf4-7642-c57p']
rubygem-useragent-0.16.10: ['GHSA-pjmx-9xr3-82qr']
send-0.3_4: ['GHSA-jgqf-hwc5-hh37', 'GHSA-pgv6-jrvv-75jp',
'GHSA-xwg4-93c6-3h42']
showdown-0.6_3: ['GHSA-h6mq-3cj6-h738']
svg2png-0.1.3_6: ['GHSA-mpp5-2x55-49xw']
tidy-html5-5.8.0_2: ['OSV-2020-1427', 'OSV-2020-1440']
ua_parser-core-0.5.0_1: ['GHSA-fx7m-j728-mjw3']
unicorn-1.0.2: ['OSV-2020-1373', 'OSV-2020-1409', 'OSV-2020-1410',
'OSV-2020-2180', 'OSV-2020-2305', 'OSV-2020-802', 'OSV-2020-825',
'OSV-2020-837', 'OSV-2021-1046', 'OSV-2021-1230', 'OSV-2021-307',
'OSV-2021-345', 'PYSEC-2021-868']
vmd-1.9.4: ['GHSA-pfr3-87q3-65rc']
wabt-1.0.32: ['OSV-2021-1241', 'OSV-2022-1248', 'OSV-2022-1261',
'OSV-2022-1263', 'OSV-2022-916']
wasm3-0.5.0_2: ['GHSA-77fq-4xf5-hph4', 'GHSA-crf8-h2wq-2h9x']
webbrowser-0.3: ['GHSA-m589-mv4q-p7rj']
zh-opencc-1.0.5_3: ['GHSA-9qh2-6fxg-9m4g']

Best regards,

On Tue, 4 Apr 2023 at 12:31, Hubert Tournier <hubert.tournier@gmail.com> wrote:

> I'm OK to do the OSV tool.
>
> Best regards,
>
> On Tue, 4 Apr 2023 at 11:58, void <void@f-m.fm> wrote:
>
>> On Sun, Mar 26, 2023 at 12:16:53PM +0200, Hubert Tournier wrote:
>> >Hello,
>> >
>> >While working on pipinfo <https://github.com/HubTou/pipinfo>, an
>> >alternative Python packages management tool, I noticed that some Python
>> >packages installed as FreeBSD ports were marked as vulnerable by the
>> >Python Packaging Authority
>> ><https://warehouse.pypa.io/api-reference/json.html#known-vulnerabilities>
>> >but not in the FreeBSD VuXML <https://www.vuxml.org/freebsd/index.html>
>> >ports security database.
>> >
>> >So I made a pysec2vuxml <https://github.com/HubTou/pysec2vuxml> tool to
>> >check the 4,000+ FreeBSD ports for Python packages and found 45 of them
>> >vulnerable and unreported
>> ><https://github.com/HubTou/pysec2vuxml/blob/main/results.txt>.
>> >
>> >I started producing new VuXML entries
>> ><https://github.com/HubTou/pysec2vuxml/blob/main/vuxml_newentries.txt>
>> >for these vulnerable ports. *Please tell me if it's worth pursuing this
>> >effort?*
>> >
>> >In order to verify if these vulnerable ports were also marked as
>> >vulnerable in FreeBSD VuXML, I made a Python VuXML handling library and
>> >got carried away writing a whole utility, vuxml
>> ><https://github.com/HubTou/vuxml>, to demonstrate its use. This could
>> >be of general interest to some of you?
>> >
>> >Best regards,
>> >
>> >PS: this approach could be extended to Rust crates, Ruby gems and so on
>> >with the vulnerabilities described in the OSV <https://osv.dev/>...
>>
>> +1 ^^^ really good idea
>>
>> Probably best to ask in freebsd-hackers@ as devs are likely to
>> read this there
>> --
>>
>

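The two matching strategies the progress report above describes, name matching (which has to strip the pyNN-/rubygem-/phpNN-pecl- prefixes and the FreeBSD-side _revision and ,epoch suffixes from a package name before comparing) and upstream web site matching, written out as an added Python example; this is not code from osv2vuxml, pysec2vuxml or the FreeBSD project. The advisory records follow the shape of the public OSV schema (affected[].package, affected[].ranges[].events with introduced/fixed, references[]), but every ID, package, version and URL below is constructed sample data; the port's "www" field is assumed to hold what the port's WWW line gives, and the version ordering is a dotted-numeric simplification of the per-ecosystem rules OSV actually requires. The sample is built so that a PyPI package, a RubyGems package and a plain C library share one name: name-only matching flags the C library with both advisories, upstream-site matching does not, which is the kind of false positive the report warns about. The parser also exposes the unsolved case the report mentions: a numeric suffix that belongs to the port name (pygments-25) is not separated from the upstream name.

```python
# Added example (not osv2vuxml or FreeBSD project code): match FreeBSD package
# names against OSV-shaped advisories by package name or by upstream web site.
import re
from typing import Optional

# Port-name prefixes seen in the list above that identify an OSV ecosystem.
ECOSYSTEM_PREFIXES = [(re.compile(r"^py\d+-"), "PyPI"),
                      (re.compile(r"^rubygem-"), "RubyGems"),
                      (re.compile(r"^php\d+-pecl-"), "Packagist")]
# <name>-<version>[_<rev>][,<epoch>]: version = text after the last '-' before a digit.
PKG_RE = re.compile(r"^(?P<name>.+)-(?P<version>\d[^-]*)$")


def parse_pkg(pkgname: str) -> tuple[str, str, Optional[str]]:
    """(upstream name, version without '_rev'/',epoch', ecosystem from the prefix or None)."""
    m = PKG_RE.match(pkgname)
    if not m:
        raise ValueError(f"not a FreeBSD package name: {pkgname!r}")
    name = m.group("name")
    version = m.group("version").split(",")[0].split("_")[0]
    for prefix, eco in ECOSYSTEM_PREFIXES:
        if prefix.match(name):
            return prefix.sub("", name, count=1), version, eco
    return name, version, None


def version_key(v: str) -> tuple:
    """Dotted-numeric order, trailing zeros ignored; real matching needs each ecosystem's rules."""
    parts = [int(p) if p.isdigit() else -1 for p in v.split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def is_affected(version: str, affected: dict) -> bool:
    """One OSV 'affected' entry: ordered events, 'introduced' opens an interval,
    'fixed' closes it (exclusive), and an open interval means no fix exists."""
    v = version_key(version)
    for rng in affected.get("ranges", []):
        if rng["type"] not in ("ECOSYSTEM", "SEMVER"):
            continue  # GIT ranges are commit-based, not version-based
        start = None
        for ev in rng["events"]:
            if "introduced" in ev:
                start = version_key(ev["introduced"])
            elif "fixed" in ev:  # a 'last_affected' event would close inclusively
                if start is not None and start <= v < version_key(ev["fixed"]):
                    return True
                start = None
        if start is not None and start <= v:
            return True
    return version in affected.get("versions", [])  # explicit version list


def normalize_url(url: str) -> str:
    """Loose site comparison: drop scheme, 'www.', trailing '/' and '.git'."""
    return re.sub(r"^https?://(www\.)?|\.git$", "", url.strip().lower().rstrip("/"))


def find_vulns(port: dict, advisories: list, by_www: bool) -> list:
    """Sorted advisory IDs hitting one port; port['www'] = its WWW line (assumed source)."""
    name, version, ecosystem = parse_pkg(port["pkgname"])
    hits = set()
    for adv in advisories:
        sites = {normalize_url(r["url"]) for r in adv.get("references", [])
                 if r.get("type") == "PACKAGE"}
        for aff in adv["affected"]:
            if by_www:
                matched = bool(port.get("www")) and normalize_url(port["www"]) in sites
            else:
                # no prefix = no ecosystem hint, so name-only matching accepts every ecosystem
                matched = (aff["package"]["name"].lower() == name.lower()
                           and ecosystem in (None, aff["package"]["ecosystem"]))
            if matched and is_affected(version, aff):
                hits.add(adv["id"])
    return sorted(hits)


# Constructed sample data (fake IDs): a PyPI package and an unrelated RubyGems
# package both named 'tinyjson', plus a C library with the same name.
SAMPLE_ADVISORIES = [
    {"id": "EXAMPLE-2023-0001",
     "affected": [{"package": {"ecosystem": "PyPI", "name": "tinyjson"},
                   "ranges": [{"type": "ECOSYSTEM",
                               "events": [{"introduced": "0"}, {"fixed": "2.4.2"}]}]}],
     "references": [{"type": "PACKAGE", "url": "https://github.com/example/tinyjson-py"}]},
    {"id": "EXAMPLE-2023-0002",
     "affected": [{"package": {"ecosystem": "RubyGems", "name": "tinyjson"},
                   "ranges": [{"type": "ECOSYSTEM",
                               "events": [{"introduced": "1.0.0"}, {"fixed": "1.2.0"},
                                          {"introduced": "2.0.0"}]}]}],  # 2.x unfixed
     "references": [{"type": "PACKAGE", "url": "https://rubygems.org/gems/tinyjson"}]},
]
SAMPLE_PORTS = [
    {"pkgname": "py39-tinyjson-2.4.1_1,1", "www": "https://github.com/example/tinyjson-py/"},
    {"pkgname": "rubygem-tinyjson-1.2.0", "www": "https://rubygems.org/gems/tinyjson"},
    {"pkgname": "rubygem-tinyjson-2.1.0", "www": "https://rubygems.org/gems/tinyjson"},
    {"pkgname": "tinyjson-1.1_2", "www": "https://example.org/tinyjson-c"},  # C library
]
```

Calling find_vulns(port, SAMPLE_ADVISORIES, by_www=False) and then by_www=True for each entry of SAMPLE_PORTS shows the difference: the py39 port and the rubygem 2.x port are reported in both modes, the rubygem port at exactly the fixed version in neither, and the C library only in name mode. A real run would feed the installed or indexed package names (for example the output of pkg query "%n-%v") and OSV's per-ecosystem exports in place of the constructed lists, and would still need the ecosystem-specific version comparison that version_key only approximates.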
 [&#39;GHSA-5jqp-885w-xj32&#39;]<br>py39-pysaml24-4.9.0_1: [&#39;GHSA-5p3x-=
r448-pc62&#39;, &#39;GHSA-f4g9-h89h-jgv9&#39;, &#39;GHSA-qf7v-8hj3-4xw7&#39=
;, &#39;PYSEC-2020-94&#39;, &#39;PYSEC-2021-48&#39;, &#39;PYSEC-2021-49&#39=
;]<br>py39-redis2-2.10.6_2: [&#39;GHSA-24wv-mv5m-xv4h&#39;, &#39;GHSA-8fww-=
64cx-x8p5&#39;, &#39;GHSA-35q2-47q7-3pc3&#39;]<br>py39-redis3-3.5.3: [&#39;=
GHSA-24wv-mv5m-xv4h&#39;, &#39;GHSA-8fww-64cx-x8p5&#39;]<br>py39-rencode-1.=
0.6_1: [&#39;GHSA-gh8j-2pgf-x458&#39;, &#39;PYSEC-2021-345&#39;]<br>py39-se=
mver-2.13.0: [&#39;GHSA-x6fg-f45m-jf5q&#39;]<br>py39-sentry-sdk-1.5.12: [&#=
39;GHSA-29pr-6jr8-q5jm&#39;]<br>py39-setuptools-63.1.0: [&#39;GHSA-r9hx-vwm=
v-q579&#39;]<br>py39-setuptools58-58.5.3_2: [&#39;GHSA-r9hx-vwmv-q579&#39;]=
<br>py39-slixmpp-1.7.1: [&#39;GHSA-q6cq-m9gm-6q2f&#39;]<br>py39-sqlalchemy1=
0-1.0.14: [&#39;GHSA-38fc-9xqv-7f7q&#39;, &#39;GHSA-887w-45rq-vxgf&#39;, &#=
39;PYSEC-2019-123&#39;, &#39;PYSEC-2019-124&#39;, &#39;PYSEC-2019-53&#39;, =
&#39;PYSEC-2019-54&#39;]<br>py39-sqlalchemy11-1.1.18: [&#39;GHSA-38fc-9xqv-=
7f7q&#39;, &#39;GHSA-887w-45rq-vxgf&#39;, &#39;PYSEC-2019-123&#39;, &#39;PY=
SEC-2019-124&#39;, &#39;PYSEC-2019-53&#39;, &#39;PYSEC-2019-54&#39;]<br>py3=
9-sqlalchemy12-1.2.19: [&#39;GHSA-38fc-9xqv-7f7q&#39;, &#39;GHSA-887w-45rq-=
vxgf&#39;]<br>py39-suds-1.1.2: [&#39;PYSEC-2013-32&#39;]<br>py39-tensorflow=
-2.9.1_7: [&#39;GHSA-27rc-728f-x5w2&#39;, &#39;GHSA-368v-7v32-52fx&#39;, &#=
39;GHSA-49rq-hwc3-x77w&#39;, &#39;GHSA-54pp-c6pp-7fpx&#39;, &#39;GHSA-558h-=
mq8x-7q9g&#39;, &#39;GHSA-5w96-866f-6rm8&#39;, &#39;GHSA-647v-r7qq-24fh&#39=
;, &#39;GHSA-64jg-wjww-7c5w&#39;, &#39;GHSA-66vq-54fq-6jvv&#39;, &#39;GHSA-=
67pf-62xr-q35m&#39;, &#39;GHSA-68v3-g9cm-rmm6&#39;, &#39;GHSA-6hg6-5c2q-7rc=
r&#39;, &#39;GHSA-6wfh-89q8-44jq&#39;, &#39;GHSA-6x99-gv2v-q76v&#39;, &#39;=
GHSA-7jvm-xxmr-v5cw&#39;, &#39;GHSA-7x4v-9gxg-9hwj&#39;, &#39;GHSA-8fvv-46h=
w-vpg3&#39;, &#39;GHSA-8w5g-3wcv-9g2j&#39;, &#39;GHSA-93vr-9q9m-pj8p&#39;, =
&#39;GHSA-94mm-g2mv-8p7r&#39;, &#39;GHSA-cg88-rpvp-cjv5&#39;, &#39;GHSA-cqv=
q-fvhr-v6hc&#39;, &#39;GHSA-f2w8-jw48-fr7j&#39;, &#39;GHSA-f49c-87jh-g47q&#=
39;, &#39;GHSA-f637-vh3r-vfh2&#39;, &#39;GHSA-fqm2-gh8w-gr68&#39;, &#39;GHS=
A-frqp-wp83-qggv&#39;, &#39;GHSA-fxgc-95xx-grvq&#39;, &#39;GHSA-g9fm-r5mm-r=
f9f&#39;, &#39;GHSA-gf97-q72m-7579&#39;, &#39;GHSA-gq2j-cr96-gvqx&#39;, &#3=
9;GHSA-gw97-ff7c-9v96&#39;, &#39;GHSA-h246-cgh4-7475&#39;, &#39;GHSA-h6q3-v=
v32-2cq5&#39;, &#39;GHSA-hq7g-wwwp-q46h&#39;, &#39;GHSA-j5w9-hmfh-4cr6&#39;=
, &#39;GHSA-jq6x-99hj-q636&#39;, &#39;GHSA-mgmh-g2v6-mqw5&#39;, &#39;GHSA-m=
v77-9g28-cwg3&#39;, &#39;GHSA-pf36-r9c6-h97j&#39;, &#39;GHSA-qjqc-vqcf-5qvj=
&#39;, &#39;GHSA-rcf8-g8jv-vg6p&#39;, &#39;GHSA-rjx6-v474-2ch9&#39;, &#39;G=
HSA-rmg2-f698-wq35&#39;, &#39;GHSA-xf83-q765-xm6m&#39;, &#39;GHSA-xvwp-h6jv=
-7472&#39;, &#39;GHSA-xxcj-rhqg-m46g&#39;]<br>py39-treq-20.9.0: [&#39;GHSA-=
fhpf-pp6p-55qc&#39;]<br>py39-unicorn-1.0.2: [&#39;OSV-2020-1373&#39;, &#39;=
OSV-2020-1409&#39;, &#39;OSV-2020-1410&#39;, &#39;OSV-2020-2180&#39;, &#39;=
OSV-2020-2305&#39;, &#39;OSV-2020-802&#39;, &#39;OSV-2020-825&#39;, &#39;OS=
V-2020-837&#39;, &#39;OSV-2021-1046&#39;, &#39;OSV-2021-1230&#39;, &#39;OSV=
-2021-307&#39;, &#39;OSV-2021-345&#39;, &#39;PYSEC-2021-868&#39;]<br>py39-w=
agtail-4.2_2: [&#39;GHSA-33pv-vcgh-jfg9&#39;, &#39;GHSA-5286-f2rf-35c2&#39;=
]<br>py39-whois-0.9.13: [&#39;GHSA-97jv-c342-5xhc&#39;]<br>radare2-5.8.4: [=
&#39;OSV-2022-1137&#39;, &#39;OSV-2022-993&#39;, &#39;OSV-2023-35&#39;, &#3=
9;OSV-2023-96&#39;]<br>rubygem-actionpack4-4.2.11.3: [&#39;GHSA-7wjx-3g7j-8=
584&#39;, &#39;GHSA-8xww-x3g3-6jcv&#39;, &#39;GHSA-9chr-4fjh-5rgw&#39;, &#3=
9;GHSA-hjg4-8q5f-x6fm&#39;, &#39;GHSA-p84v-45xj-wwqj&#39;]<br>rubygem-actio=
npack5-5.1.7_1: [&#39;GHSA-7wjx-3g7j-8584&#39;, &#39;GHSA-8727-m6gj-mc37&#3=
9;, &#39;GHSA-8xww-x3g3-6jcv&#39;, &#39;GHSA-9chr-4fjh-5rgw&#39;, &#39;GHSA=
-hjg4-8q5f-x6fm&#39;, &#39;GHSA-jp5v-5gx4-jmj9&#39;, &#39;GHSA-p84v-45xj-ww=
qj&#39;, &#39;GHSA-wh98-p28r-vrc9&#39;]<br>rubygem-actionpack50-5.0.7.2_2: =
[&#39;GHSA-7wjx-3g7j-8584&#39;, &#39;GHSA-8727-m6gj-mc37&#39;, &#39;GHSA-8x=
ww-x3g3-6jcv&#39;, &#39;GHSA-9chr-4fjh-5rgw&#39;, &#39;GHSA-hjg4-8q5f-x6fm&=
#39;, &#39;GHSA-jp5v-5gx4-jmj9&#39;, &#39;GHSA-p84v-45xj-wwqj&#39;, &#39;GH=
SA-wh98-p28r-vrc9&#39;]<br>rubygem-actionpack52-5.2.8.1_1: [&#39;GHSA-8xww-=
x3g3-6jcv&#39;, &#39;GHSA-9chr-4fjh-5rgw&#39;, &#39;GHSA-p84v-45xj-wwqj&#39=
;]<br>rubygem-actionpack60-6.0.6.1: [&#39;GHSA-8xww-x3g3-6jcv&#39;, &#39;GH=
SA-9chr-4fjh-5rgw&#39;, &#39;GHSA-p84v-45xj-wwqj&#39;]<br>rubygem-actionpac=
k61-6.1.7.3: [&#39;GHSA-9chr-4fjh-5rgw&#39;]<br>rubygem-actionview4-4.2.11.=
3: [&#39;GHSA-65cv-r6x7-79hv&#39;, &#39;GHSA-cfjv-5498-mph5&#39;, &#39;GHSA=
-ch3h-j2vf-95pv&#39;]<br>rubygem-actionview5-5.1.7: [&#39;GHSA-65cv-r6x7-79=
hv&#39;, &#39;GHSA-cfjv-5498-mph5&#39;, &#39;GHSA-ch3h-j2vf-95pv&#39;, &#39=
;GHSA-xq5j-gw7f-jgj8&#39;]<br>rubygem-actionview50-5.0.7.2: [&#39;GHSA-65cv=
-r6x7-79hv&#39;, &#39;GHSA-cfjv-5498-mph5&#39;, &#39;GHSA-ch3h-j2vf-95pv&#3=
9;, &#39;GHSA-xq5j-gw7f-jgj8&#39;]<br>rubygem-activerecord4-4.2.11.3: [&#39=
;GHSA-3hhc-qp5v-9p2j&#39;, &#39;GHSA-579w-22j4-4749&#39;]<br>rubygem-active=
record5-5.1.7: [&#39;GHSA-3hhc-qp5v-9p2j&#39;, &#39;GHSA-579w-22j4-4749&#39=
;, &#39;GHSA-8hc4-xxm3-5ppp&#39;]<br>rubygem-activerecord50-5.0.7.2: [&#39;=
GHSA-3hhc-qp5v-9p2j&#39;, &#39;GHSA-579w-22j4-4749&#39;, &#39;GHSA-8hc4-xxm=
3-5ppp&#39;]<br>rubygem-activerecord52-5.2.8.1: [&#39;GHSA-579w-22j4-4749&#=
39;]<br>rubygem-activerecord60-6.0.6.1: [&#39;GHSA-579w-22j4-4749&#39;]<br>=
rubygem-activeresource4-4.1.0: [&#39;GHSA-46j2-xjgp-jrfm&#39;]<br>rubygem-a=
ctivesupport4-4.2.11.3: [&#39;GHSA-j6gc-792m-qgm2&#39;, &#39;GHSA-pj73-v5mw=
-pm9j&#39;]<br>rubygem-activesupport5-5.1.7_1: [&#39;GHSA-2p68-f74v-9wc6&#3=
9;, &#39;GHSA-j6gc-792m-qgm2&#39;, &#39;GHSA-pj73-v5mw-pm9j&#39;]<br>rubyge=
m-activesupport50-5.0.7.2_1: [&#39;GHSA-2p68-f74v-9wc6&#39;, &#39;GHSA-j6gc=
-792m-qgm2&#39;, &#39;GHSA-pj73-v5mw-pm9j&#39;]<br>rubygem-activesupport52-=
5.2.8.1: [&#39;GHSA-j6gc-792m-qgm2&#39;, &#39;GHSA-pj73-v5mw-pm9j&#39;]<br>=
rubygem-activesupport60-6.0.6.1: [&#39;GHSA-j6gc-792m-qgm2&#39;, &#39;GHSA-=
pj73-v5mw-pm9j&#39;]<br>rubygem-async-2.5.0: [&#39;GHSA-fwr7-v2mv-hh25&#39;=
]<br>rubygem-aws-sdk2-2.11.632: [&#39;GHSA-rrc9-gqf8-8rwg&#39;]<br>rubygem-=
base64-0.1.1: [&#39;GHSA-x67x-vg9m-65c3&#39;, &#39;RUSTSEC-2017-0004&#39;]<=
br>rubygem-bcrypt-3.1.18: [&#39;GHSA-5wg4-74h6-q47v&#39;]<br>rubygem-bootst=
rap-sass-3.4.1: [&#39;GHSA-9v3m-8fp8-mj99&#39;]<br>rubygem-cairo-1.17.8: [&=
#39;OSV-2023-298&#39;]<br>rubygem-cookiejar-0.3.3: [&#39;GHSA-h452-7996-h45=
h&#39;]<br>rubygem-cose-1.2.0: [&#39;GHSA-746g-3gfp-hfhw&#39;]<br>rubygem-d=
ebug-1.7.2: [&#39;GHSA-9vvw-cc9w-f27h&#39;, &#39;GHSA-gxpj-cx7g-858c&#39;]<=
br>rubygem-foreman-0.87.2: [&#39;GHSA-xm28-fw2x-fqv2&#39;]<br>rubygem-gener=
ator-0.0.1: [&#39;GHSA-6c65-xcf5-299x&#39;, &#39;GHSA-h6gg-fvf5-qgwf&#39;, =
&#39;GHSA-w3g5-2848-2v8r&#39;, &#39;RUSTSEC-2019-0020&#39;, &#39;RUSTSEC-20=
20-0151&#39;]<br>rubygem-globalid-0.4.2: [&#39;GHSA-23c2-gwp5-pxw9&#39;]<br=
>rubygem-gon-rails5-6.2.1: [&#39;GHSA-78vq-9j56-wrfr&#39;]<br>rubygem-gon-r=
ails50-6.2.1: [&#39;GHSA-78vq-9j56-wrfr&#39;]<br>rubygem-httparty-0.20.0: [=
&#39;GHSA-5pq7-52mg-hr42&#39;]<br>rubygem-ini-0.1.1: [&#39;GHSA-qqgx-2p2h-9=
c37&#39;]<br>rubygem-json-2.6.3: [&#39;GHSA-3c6g-pvg8-gqw2&#39;]<br>rubygem=
-json1-1.8.6: [&#39;GHSA-3c6g-pvg8-gqw2&#39;, &#39;GHSA-jphg-qwrw-7w9g&#39;=
]<br>rubygem-kramdown1-1.17.0: [&#39;GHSA-52p9-v744-mwjj&#39;, &#39;GHSA-mq=
m2-cgpr-p4m6&#39;]<br>rubygem-mqtt-0.6.0: [&#39;GHSA-hg78-c92r-hvwr&#39;]<b=
r>rubygem-mustache-1.1.1: [&#39;GHSA-3233-rgx3-c2wh&#39;, &#39;GHSA-w3w8-37=
jv-2c58&#39;]<br>rubygem-mustache0-0.99.8: [&#39;GHSA-3233-rgx3-c2wh&#39;, =
&#39;GHSA-w3w8-37jv-2c58&#39;]<br>rubygem-mysql-2.9.1_1: [&#39;GHSA-5f7m-mm=
pc-qhh4&#39;]<br>rubygem-netaddr-2.0.1: [&#39;GHSA-49pj-69vf-c689&#39;]<br>=
rubygem-nokogiri111-1.11.7_2: [&#39;GHSA-2qc6-mcvw-92cw&#39;, &#39;GHSA-2rr=
5-8q37-2w7h&#39;, &#39;GHSA-cgx6-hpwq-fhv5&#39;, &#39;GHSA-crjr-9rc5-ghw8&#=
39;, &#39;GHSA-fq42-c5rg-92c2&#39;, &#39;GHSA-gx8x-g87m-h5q6&#39;, &#39;GHS=
A-pxvg-2qj5-37jq&#39;, &#39;GHSA-v6gp-9mmm-c6p5&#39;, &#39;GHSA-xh29-r2w5-w=
x8m&#39;, &#39;GHSA-xxx9-3xcr-gjj3&#39;]<br>rubygem-omniauth1-1.9.2_1: [&#3=
9;GHSA-ww4x-rwq6-qpgf&#39;]<br>rubygem-oxidized-web-0.13.1_4: [&#39;GHSA-8q=
wh-rm6c-jv96&#39;]<br>rubygem-pdfkit-0.8.7: [&#39;GHSA-rhwx-hjx2-x4qr&#39;]=
<br>rubygem-pg-1.4.6: [&#39;GHSA-wc9v-mj63-m9g5&#39;]<br>rubygem-pg13-1.3.5=
: [&#39;GHSA-wc9v-mj63-m9g5&#39;]<br>rubygem-pghero-rails5-2.8.3: [&#39;GHS=
A-vf99-xw26-86g5&#39;]<br>rubygem-pghero-rails50-2.8.3: [&#39;GHSA-vf99-xw2=
6-86g5&#39;]<br>rubygem-rack16-1.6.13: [&#39;GHSA-3h57-hmj3-gj3p&#39;, &#39=
;GHSA-5f9h-9pjv-v6j7&#39;, &#39;GHSA-65f5-mfpf-vfhj&#39;, &#39;GHSA-hxqx-xw=
vh-44m2&#39;, &#39;GHSA-j6w9-fv6q-3q52&#39;, &#39;GHSA-wq4h-7r42-5hrr&#39;]=
<br>rubygem-rails4-4.2.11.3: [&#39;GHSA-579w-22j4-4749&#39;, &#39;GHSA-7wjx=
-3g7j-8584&#39;, &#39;GHSA-9chr-4fjh-5rgw&#39;, &#39;GHSA-cfjv-5498-mph5&#3=
9;, &#39;GHSA-ch3h-j2vf-95pv&#39;]<br>rubygem-rails5-5.1.7_2: [&#39;GHSA-57=
9w-22j4-4749&#39;, &#39;GHSA-7wjx-3g7j-8584&#39;, &#39;GHSA-9chr-4fjh-5rgw&=
#39;, &#39;GHSA-cfjv-5498-mph5&#39;, &#39;GHSA-ch3h-j2vf-95pv&#39;, &#39;GH=
SA-wh98-p28r-vrc9&#39;]<br>rubygem-rails50-5.0.7.2_2: [&#39;GHSA-579w-22j4-=
4749&#39;, &#39;GHSA-7wjx-3g7j-8584&#39;, &#39;GHSA-9chr-4fjh-5rgw&#39;, &#=
39;GHSA-cfjv-5498-mph5&#39;, &#39;GHSA-ch3h-j2vf-95pv&#39;, &#39;GHSA-wh98-=
p28r-vrc9&#39;]<br>rubygem-rails52-5.2.8.1: [&#39;GHSA-579w-22j4-4749&#39;,=
 &#39;GHSA-9chr-4fjh-5rgw&#39;]<br>rubygem-sanitize-6.0.0: [&#39;GHSA-fw3g-=
2h3j-qmm7&#39;]<br>rubygem-simple_form-4.0.0: [&#39;GHSA-r74q-gxcg-73hx&#39=
;]<br>rubygem-sinatra1-1.4.8: [&#39;GHSA-qp49-3pvw-x4m5&#39;]<br>rubygem-te=
rser-1.0.2: [&#39;GHSA-4wf5-vphf-c2xc&#39;]<br>rubygem-terser11-1.1.14: [&#=
39;GHSA-4wf5-vphf-c2xc&#39;]<br>rubygem-time-0.2.2: [&#39;GHSA-wcg3-cvx6-73=
96&#39;]<br>rubygem-tweetstream-2.6.1_1: [&#39;GHSA-6hrm-jqp3-64cv&#39;]<br=
>rubygem-twitter-stream-0.1.16_2: [&#39;GHSA-p6p8-q4pj-f74m&#39;]<br>rubyge=
m-unicode-0.4.4.4: [&#39;GHSA-qjf4-7642-c57p&#39;]<br>rubygem-useragent-0.1=
6.10: [&#39;GHSA-pjmx-9xr3-82qr&#39;]<br>send-0.3_4: [&#39;GHSA-jgqf-hwc5-h=
h37&#39;, &#39;GHSA-pgv6-jrvv-75jp&#39;, &#39;GHSA-xwg4-93c6-3h42&#39;]<br>=
showdown-0.6_3: [&#39;GHSA-h6mq-3cj6-h738&#39;]<br>svg2png-0.1.3_6: [&#39;G=
HSA-mpp5-2x55-49xw&#39;]<br>tidy-html5-5.8.0_2: [&#39;OSV-2020-1427&#39;, &=
#39;OSV-2020-1440&#39;]<br>ua_parser-core-0.5.0_1: [&#39;GHSA-fx7m-j728-mjw=
3&#39;]<br>unicorn-1.0.2: [&#39;OSV-2020-1373&#39;, &#39;OSV-2020-1409&#39;=
, &#39;OSV-2020-1410&#39;, &#39;OSV-2020-2180&#39;, &#39;OSV-2020-2305&#39;=
, &#39;OSV-2020-802&#39;, &#39;OSV-2020-825&#39;, &#39;OSV-2020-837&#39;, &=
#39;OSV-2021-1046&#39;, &#39;OSV-2021-1230&#39;, &#39;OSV-2021-307&#39;, &#=
39;OSV-2021-345&#39;, &#39;PYSEC-2021-868&#39;]<br>vmd-1.9.4: [&#39;GHSA-pf=
r3-87q3-65rc&#39;]<br>wabt-1.0.32: [&#39;OSV-2021-1241&#39;, &#39;OSV-2022-=
1248&#39;, &#39;OSV-2022-1261&#39;, &#39;OSV-2022-1263&#39;, &#39;OSV-2022-=
916&#39;]<br>wasm3-0.5.0_2: [&#39;GHSA-77fq-4xf5-hph4&#39;, &#39;GHSA-crf8-=
h2wq-2h9x&#39;]<br>webbrowser-0.3: [&#39;GHSA-m589-mv4q-p7rj&#39;]<br>zh-op=
encc-1.0.5_3: [&#39;GHSA-9qh2-6fxg-9m4g&#39;]<br><br></div>Best regards,<br=
>

</div><br><div class=3D"gmail_quote"><div dir=3D"ltr" class=3D"gmail_attr">=
Le=C2=A0mar. 4 avr. 2023 =C3=A0=C2=A012:31, Hubert Tournier &lt;<a href=3D"=
mailto:hubert.tournier@gmail.com">hubert.tournier@gmail.com</a>&gt; a =C3=
=A9crit=C2=A0:<br></div><blockquote class=3D"gmail_quote" style=3D"margin:0=
px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><=
div dir=3D"auto">I=E2=80=99m OK to do the OSV tool.</div><div dir=3D"auto">=
<br></div><div dir=3D"auto">Best regards,</div><div><br><div class=3D"gmail=
_quote"><div dir=3D"ltr" class=3D"gmail_attr">Le=C2=A0mar. 4 avr. 2023 =C3=
=A0 11:58, void &lt;<a href=3D"mailto:void@f-m.fm" target=3D"_blank">void@f=
-m.fm</a>&gt; a =C3=A9crit=C2=A0:<br></div><blockquote class=3D"gmail_quote=
" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);=
padding-left:1ex">On Sun, Mar 26, 2023 at 12:16:53PM +0200, Hubert Tournier=
 wrote:<br>
&gt;Hello,<br>
&gt;<br>
&gt;While working on pipinfo &lt;<a href=3D"https://github.com/HubTou/pipin=
fo" rel=3D"noreferrer" target=3D"_blank">https://github.com/HubTou/pipinfo<=
/a>&gt;, an<br>
&gt;alternative Python packages management tool, I noticed that some Python=
<br>
&gt;packages installed as FreeBSD ports where marked as vulnerable by the P=
ython<br>
&gt;Packaging Authority<br>
&gt;&lt;<a href=3D"https://warehouse.pypa.io/api-reference/json.html#known-=
vulnerabilities" rel=3D"noreferrer" target=3D"_blank">https://warehouse.pyp=
a.io/api-reference/json.html#known-vulnerabilities</a>&gt;<br>
&gt;but not in FreeBSD VuXML &lt;<a href=3D"https://www.vuxml.org/freebsd/i=
ndex.html" rel=3D"noreferrer" target=3D"_blank">https://www.vuxml.org/freeb=
sd/index.html</a>&gt; ports<br>
&gt;security database.<br>
&gt;<br>
&gt;So I made a pysec2vuxml &lt;<a href=3D"https://github.com/HubTou/pysec2=
vuxml" rel=3D"noreferrer" target=3D"_blank">https://github.com/HubTou/pysec=
2vuxml</a>&gt; tool to<br>
&gt;check the 4.000+ FreeBSD ports for Python packages and found 45 of them=
<br>
&gt;vulnerable and unreported<br>
&gt;&lt;<a href=3D"https://github.com/HubTou/pysec2vuxml/blob/main/results.=
txt" rel=3D"noreferrer" target=3D"_blank">https://github.com/HubTou/pysec2v=
uxml/blob/main/results.txt</a>&gt;.<br>
&gt;<br>
&gt;I started producing new VuXML entries<br>
&gt;&lt;<a href=3D"https://github.com/HubTou/pysec2vuxml/blob/main/vuxml_ne=
wentries.txt" rel=3D"noreferrer" target=3D"_blank">https://github.com/HubTo=
u/pysec2vuxml/blob/main/vuxml_newentries.txt</a>&gt; for<br>
&gt;these vulnerable ports. *Please tell me if it&#39;s worth pursuing this=
 effort?*<br>
&gt;<br>
&gt;In order to verify if these vulnerable ports where also marked as<br>
&gt;vulnerable in FreeBSD VuXML, I made a Python VuXML handling library and=
 got<br>
&gt;carried away writing a whole utility, vuxml<br>
&gt;&lt;<a href=3D"https://github.com/HubTou/vuxml" rel=3D"noreferrer" targ=
et=3D"_blank">https://github.com/HubTou/vuxml</a>&gt;, to demonstrate its u=
se. This could be of<br>
&gt;general interest to some of you?<br>
&gt;<br>
&gt;Best regards,<br>
&gt;<br>
&gt;PS: this approach could be extended to Rust crates, Ruby gems and so on=
<br>
&gt;with the vulnerabilities described in the OSV &lt;<a href=3D"https://os=
v.dev/" rel=3D"noreferrer" target=3D"_blank">https://osv.dev/</a>&gt;...<br=
>
<br>
+1 ^^^ really good idea<br>
<br>
Probably best to ask in freebsd-hackers@ as devs are likely to <br>
read this there<br>
-- <br>
</blockquote></div></div>
</blockquote></div>

--00000000000016d42605fa03bd94--



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CADr%2Bmw92ReA06UC5HRPaha415%2B6j=%2BxGsXiHwfGxGX6HpqFbBQ>