diff --git a/audits/alot-requirements.audit.json b/audits/alot-requirements.audit.json index 78f14649..21695b89 100644 --- a/audits/alot-requirements.audit.json +++ b/audits/alot-requirements.audit.json @@ -8,7 +8,7 @@ }, "vulnerabilities": [ { - "modified": "2023-10-18T15:45:07Z", + "modified": "2023-11-03T21:48:20Z", "published": "2023-04-03T06:30:19Z", "schema_version": "1.6.0", "id": "GHSA-c33w-24p9-8m24", @@ -89,6 +89,10 @@ "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NZHY7B33EFY4LESP2NI4APQUPRROTAZK/" }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PYU4IHVLOTYMFPH7KDOJGKZQR4GKWPFK/" + }, { "type": "WEB", "url": "https://security.snyk.io/vuln/SNYK-PYTHON-CONFIGOBJ-3252494" @@ -122,7 +126,7 @@ }, "vulnerabilities": [ { - "modified": "2023-10-27T21:07:15Z", + "modified": "2023-11-03T16:01:50Z", "published": "2023-10-25T21:15:13Z", "schema_version": "1.6.0", "id": "GHSA-xc8x-vp79-p3wm", 
@@ -130,7 +134,7 @@ "CVE-2023-46137" ], "summary": "twisted.web has disordered HTTP pipeline response", - "details": "### Summary\nWhen sending multiple HTTP requests in one TCP packet, twisted.web will process the requests asynchronously without guaranteeing the response order.\n\n### Details\nThere's an example faulty program:\n```python\nfrom twisted.internet import reactor, endpoints\nfrom twisted.web import server\nfrom twisted.web.proxy import ReverseProxyResource\nfrom twisted.web.resource import Resource\n\nclass Second(Resource):\n isLeaf = True\n def render_GET(self, request):\n return b'SECOND\\n'\n\nclass First(Resource):\n isLeaf = True\n def render_GET(self, request):\n def send_response():\n request.write(b'FIRST DELAYED\\n')\n request.finish()\n reactor.callLater(0.5, send_response)\n return server.NOT_DONE_YET\n\nroot = Resource()\n\nroot.putChild(b'second', Second())\nroot.putChild(b'first', First())\n\nendpoint = endpoints.TCP4ServerEndpoint(reactor, 8080)\nendpoint.listen(server.Site(root))\nreactor.run()\n```\n\nWhen two requests for `/first` and `/second` are sent in the same order, the second request will be responded to first.\n```shell\necho -en \"GET /first HTTP/1.1\\r\\nHost: a\\r\\n\\r\\nGET /second HTTP/1.1\\r\\nHost: a\\r\\n\\r\\n\" | nc localhost 8080\n```\n\n### Impact\nIf one of the endpoints is controlled by an attacker, the attacker can delay the response on purpose to manipulate the response of the second request when a victim launched two requests using HTTP pipeline.", + "details": "Twisted is an event-based framework for internet applications. Prior to version 23.10.0rc1, when sending multiple HTTP requests in one TCP packet, twisted.web will process the requests asynchronously without guaranteeing the response order. If one of the endpoints is controlled by an attacker, the attacker can delay the response on purpose to manipulate the response of the second request when a victim launched two requests using HTTP pipeline. 
Version 23.10.0rc1 contains a patch for this issue.\n\n### Details\nThere's an example faulty program:\n```python\nfrom twisted.internet import reactor, endpoints\nfrom twisted.web import server\nfrom twisted.web.proxy import ReverseProxyResource\nfrom twisted.web.resource import Resource\n\nclass Second(Resource):\n isLeaf = True\n def render_GET(self, request):\n return b'SECOND\\n'\n\nclass First(Resource):\n isLeaf = True\n def render_GET(self, request):\n def send_response():\n request.write(b'FIRST DELAYED\\n')\n request.finish()\n reactor.callLater(0.5, send_response)\n return server.NOT_DONE_YET\n\nroot = Resource()\n\nroot.putChild(b'second', Second())\nroot.putChild(b'first', First())\n\nendpoint = endpoints.TCP4ServerEndpoint(reactor, 8080)\nendpoint.listen(server.Site(root))\nreactor.run()\n```\n\nWhen two requests for `/first` and `/second` are sent in the same order, the second request will be responded to first.\n```shell\necho -en \"GET /first HTTP/1.1\\r\\nHost: a\\r\\n\\r\\nGET /second HTTP/1.1\\r\\nHost: a\\r\\n\\r\\n\" | nc localhost 8080\n```", "affected": [ { "package": { @@ -268,6 +272,10 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46137" }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/twisted/PYSEC-2023-224.yaml" + }, { "type": "PACKAGE", "url": "https://github.com/twisted/twisted" 
@@ -279,15 +287,162 @@ ], "github_reviewed": true, "github_reviewed_at": "2023-10-25T21:15:13Z", - "nvd_published_at": null, + "nvd_published_at": "2023-10-25T21:15:10Z", "severity": "MODERATE" } + }, + { + "modified": "2023-11-02T16:33:16Z", + "published": "2023-10-25T21:15:00Z", + "schema_version": "1.6.0", + "id": "PYSEC-2023-224", + "aliases": [ + "CVE-2023-46137", + "GHSA-xc8x-vp79-p3wm" + ], + "details": "Twisted is an event-based framework for internet applications. Prior to version 23.10.0rc1, when sending multiple HTTP requests in one TCP packet, twisted.web will process the requests asynchronously without guaranteeing the response order. If one of the endpoints is controlled by an attacker, the attacker can delay the response on purpose to manipulate the response of the second request when a victim launched two requests using HTTP pipeline. Version 23.10.0rc1 contains a patch for this issue.", + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "twisted", + "purl": "pkg:pypi/twisted" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "23.10.0rc1" + } + ] + } + ], + "versions": [ + "1.0.1", + "1.0.3", + "1.0.4", + "1.0.5", + "1.0.6", + "1.0.7", + "1.1.0", + "1.1.1", + "1.2.0", + "10.0.0", + "10.1.0", + "10.2.0", + "11.0.0", + "11.1.0", + "12.0.0", + "12.1.0", + "12.2.0", + "12.3.0", + "13.0.0", + "13.1.0", + "13.2.0", + "14.0.0", + "14.0.1", + "14.0.2", + "15.0.0", + "15.1.0", + "15.2.0", + "15.2.1", + "15.3.0", + "15.4.0", + "15.5.0", + "16.0.0", + "16.1.0", + "16.1.1", + "16.2.0", + "16.3.0", + "16.3.1", + "16.3.2", + "16.4.0", + "16.4.1", + "16.5.0", + "16.5.0rc1", + "16.5.0rc2", + "16.6.0", + "16.6.0rc1", + "16.7.0rc1", + "16.7.0rc2", + "17.1.0", + "17.1.0rc1", + "17.5.0", + "17.9.0", + "17.9.0rc1", + "18.4.0", + "18.4.0rc1", + "18.7.0", + "18.7.0rc1", + "18.7.0rc2", + "18.9.0", + "18.9.0rc1", + "19.10.0", + "19.10.0rc1", + "19.2.0", + "19.2.0rc1", + "19.2.0rc2", + "19.2.1", + 
"19.7.0", + "19.7.0rc1", + "2.1.0", + "2.4.0", + "2.5.0", + "20.3.0", + "20.3.0rc1", + "21.2.0", + "21.2.0rc1", + "21.7.0", + "21.7.0rc1", + "21.7.0rc2", + "21.7.0rc3", + "22.1.0", + "22.1.0rc1", + "22.2.0", + "22.2.0rc1", + "22.4.0", + "22.4.0rc1", + "22.8.0", + "22.8.0rc1", + "22.8.0", + "22.10.0rc1", + "22.10.0", + "23.8.0rc1", + "23.8.0", + "8.0.0", + "8.0.1", + "8.1.0", + "8.2.0", + "9.0.0" + ], + "database_specific": { + "source": "https://github.com/pypa/advisory-database/blob/main/vulns/twisted/PYSEC-2023-224.yaml" + } + } + ], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/twisted/twisted/security/advisories/GHSA-xc8x-vp79-p3wm" + } + ] } ], "groups": [ { "ids": [ - "GHSA-xc8x-vp79-p3wm" + "GHSA-xc8x-vp79-p3wm", + "PYSEC-2023-224" ] } ] diff --git a/audits/anime-downloader-requirements.audit.json b/audits/anime-downloader-requirements.audit.json index d7e94876..d70e95f3 100644 --- a/audits/anime-downloader-requirements.audit.json +++ b/audits/anime-downloader-requirements.audit.json @@ -541,7 +541,7 @@ } }, { - "modified": "2023-10-22T05:29:54Z", + "modified": "2023-11-04T00:48:52Z", "published": "2023-10-02T23:27:05Z", "schema_version": "1.6.0", "id": "GHSA-v845-jxx5-vc9f", @@ -722,6 +722,10 @@ "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00012.html" }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5F5CUBAN5XMEBVBZPHFITBLMJV5FIJJ5/" + }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I3PR7C6RJ6JUBQKIJ644DMIJSUP36VDY/" @@ -737,7 +741,7 @@ ], "github_reviewed": true, "github_reviewed_at": "2023-10-02T23:27:05Z", - "nvd_published_at": null, + "nvd_published_at": "2023-10-04T17:15:10Z", "severity": "MODERATE" } }, 
diff --git a/audits/athenacli-requirements.audit.json b/audits/athenacli-requirements.audit.json index 87343bfd..9088d561 100644 --- a/audits/athenacli-requirements.audit.json +++ b/audits/athenacli-requirements.audit.json @@ -8,7 +8,7 @@ }, "vulnerabilities": [ { - "modified": "2023-10-18T15:45:07Z", + "modified": "2023-11-03T21:48:20Z", "published": "2023-04-03T06:30:19Z", "schema_version": "1.6.0", "id": "GHSA-c33w-24p9-8m24", @@ -89,6 +89,10 @@ "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NZHY7B33EFY4LESP2NI4APQUPRROTAZK/" }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PYU4IHVLOTYMFPH7KDOJGKZQR4GKWPFK/" + }, { "type": "WEB", "url": "https://security.snyk.io/vuln/SNYK-PYTHON-CONFIGOBJ-3252494" diff --git a/audits/aws-shell-requirements.audit.json b/audits/aws-shell-requirements.audit.json index 60526525..43303ad0 100644 --- a/audits/aws-shell-requirements.audit.json +++ b/audits/aws-shell-requirements.audit.json @@ -8,7 +8,7 @@ }, "vulnerabilities": [ { - "modified": "2023-10-18T15:45:07Z", + "modified": "2023-11-03T21:48:20Z", "published": "2023-04-03T06:30:19Z", "schema_version": "1.6.0", "id": "GHSA-c33w-24p9-8m24", @@ -89,6 +89,10 @@ "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NZHY7B33EFY4LESP2NI4APQUPRROTAZK/" }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PYU4IHVLOTYMFPH7KDOJGKZQR4GKWPFK/" + }, { "type": "WEB", "url": "https://security.snyk.io/vuln/SNYK-PYTHON-CONFIGOBJ-3252494" diff --git a/audits/azure-cli-requirements.audit.json b/audits/azure-cli-requirements.audit.json index 7fddcc67..8b63499f 100644 --- a/audits/azure-cli-requirements.audit.json +++ b/audits/azure-cli-requirements.audit.json 
@@ -223,7 +223,7 @@ } }, { - "modified": "2023-10-22T05:29:54Z", + "modified": "2023-11-04T00:48:52Z", "published": "2023-10-02T23:27:05Z", "schema_version": "1.6.0", "id": "GHSA-v845-jxx5-vc9f", @@ -404,6 +404,10 @@ "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00012.html" }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5F5CUBAN5XMEBVBZPHFITBLMJV5FIJJ5/" + }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I3PR7C6RJ6JUBQKIJ644DMIJSUP36VDY/" @@ -419,7 +423,7 @@ ], "github_reviewed": true, "github_reviewed_at": "2023-10-02T23:27:05Z", - "nvd_published_at": null, + "nvd_published_at": "2023-10-04T17:15:10Z", "severity": "MODERATE" } }, diff --git a/audits/breezy-requirements.audit.json b/audits/breezy-requirements.audit.json index 60526525..43303ad0 100644 --- a/audits/breezy-requirements.audit.json +++ b/audits/breezy-requirements.audit.json @@ -8,7 +8,7 @@ }, "vulnerabilities": [ { - "modified": "2023-10-18T15:45:07Z", + "modified": "2023-11-03T21:48:20Z", "published": "2023-04-03T06:30:19Z", "schema_version": "1.6.0", "id": "GHSA-c33w-24p9-8m24", @@ -89,6 +89,10 @@ "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NZHY7B33EFY4LESP2NI4APQUPRROTAZK/" }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PYU4IHVLOTYMFPH7KDOJGKZQR4GKWPFK/" + }, { "type": "WEB", "url": "https://security.snyk.io/vuln/SNYK-PYTHON-CONFIGOBJ-3252494" diff --git a/audits/buku-requirements.audit.json b/audits/buku-requirements.audit.json index afee8ed7..408356a6 100644 --- a/audits/buku-requirements.audit.json +++ b/audits/buku-requirements.audit.json 
@@ -223,7 +223,7 @@ } }, { - "modified": "2023-10-22T05:29:54Z", + "modified": "2023-11-04T00:48:52Z", "published": "2023-10-02T23:27:05Z", "schema_version": "1.6.0", "id": "GHSA-v845-jxx5-vc9f", @@ -404,6 +404,10 @@ "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00012.html" }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5F5CUBAN5XMEBVBZPHFITBLMJV5FIJJ5/" + }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I3PR7C6RJ6JUBQKIJ644DMIJSUP36VDY/" @@ -419,7 +423,7 @@ ], "github_reviewed": true, "github_reviewed_at": "2023-10-02T23:27:05Z", - "nvd_published_at": null, + "nvd_published_at": "2023-10-04T17:15:10Z", "severity": "MODERATE" } }, diff --git a/audits/bzt-requirements.audit.json b/audits/bzt-requirements.audit.json index 7fddcc67..8b63499f 100644 --- a/audits/bzt-requirements.audit.json +++ b/audits/bzt-requirements.audit.json @@ -223,7 +223,7 @@ } }, { - "modified": "2023-10-22T05:29:54Z", + "modified": "2023-11-04T00:48:52Z", "published": "2023-10-02T23:27:05Z", "schema_version": "1.6.0", "id": "GHSA-v845-jxx5-vc9f", @@ -404,6 +404,10 @@ "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00012.html" }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5F5CUBAN5XMEBVBZPHFITBLMJV5FIJJ5/" + }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I3PR7C6RJ6JUBQKIJ644DMIJSUP36VDY/" @@ -419,7 +423,7 @@ ], "github_reviewed": true, "github_reviewed_at": "2023-10-02T23:27:05Z", - "nvd_published_at": null, + "nvd_published_at": "2023-10-04T17:15:10Z", "severity": "MODERATE" } }, diff --git a/audits/certbot-requirements.audit.json b/audits/certbot-requirements.audit.json index 60526525..43303ad0 100644 
--- a/audits/certbot-requirements.audit.json +++ b/audits/certbot-requirements.audit.json @@ -8,7 +8,7 @@ }, "vulnerabilities": [ { - "modified": "2023-10-18T15:45:07Z", + "modified": "2023-11-03T21:48:20Z", "published": "2023-04-03T06:30:19Z", "schema_version": "1.6.0", "id": "GHSA-c33w-24p9-8m24", @@ -89,6 +89,10 @@ "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NZHY7B33EFY4LESP2NI4APQUPRROTAZK/" }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PYU4IHVLOTYMFPH7KDOJGKZQR4GKWPFK/" + }, { "type": "WEB", "url": "https://security.snyk.io/vuln/SNYK-PYTHON-CONFIGOBJ-3252494" diff --git a/audits/charm-tools-requirements.audit.json b/audits/charm-tools-requirements.audit.json index 2c0dd79b..db3a1e30 100644 --- a/audits/charm-tools-requirements.audit.json +++ b/audits/charm-tools-requirements.audit.json 
@@ -215,12 +215,200 @@ "nvd_published_at": null, "severity": "MODERATE" } + }, + { + "modified": "2023-11-03T16:28:41Z", + "published": "2023-10-25T18:17:00Z", + "schema_version": "1.6.0", + "id": "PYSEC-2023-228", + "aliases": [ + "CVE-2023-5752" + ], + "details": "When installing a package from a Mercurial VCS URL (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n", + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "pip", + "purl": "pkg:pypi/pip" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "23.3" + } + ] + } + ], + "versions": [ + "0.2", + "0.2.1", + "0.3", + "0.3.1", + "0.4", + "0.5", + "0.5.1", + "0.6", + "0.6.1", + "0.6.2", + "0.6.3", + "0.7", + "0.7.1", + "0.7.2", + "0.8", + "0.8.1", + "0.8.2", + "0.8.3", + "1.0", + "1.0.1", + "1.0.2", + "1.1", + "1.2", + "1.2.1", + "1.3", + "1.3.1", + "1.4", + "1.4.1", + "1.5", + "1.5.1", + "1.5.2", + "1.5.3", + "1.5.4", + "1.5.5", + "1.5.6", + "10.0.0", + "10.0.0b1", + "10.0.0b2", + "10.0.1", + "18.0", + "18.1", + "19.0", + "19.0.1", + "19.0.2", + "19.0.3", + "19.1", + "19.1.1", + "19.2", + "19.2.1", + "19.2.2", + "19.2.3", + "19.3", + "19.3.1", + "20.0", + "20.0.1", + "20.0.2", + "20.1", + "20.1.1", + "20.1b1", + "20.2", + "20.2.1", + "20.2.2", + "20.2.3", + "20.2.4", + "20.2b1", + "20.3", + "20.3.1", + "20.3.2", + "20.3.3", + "20.3.4", + "20.3b1", + "21.0", + "21.0.1", + "21.1", + "21.1.1", + "21.1.2", + "21.1.3", + "21.2", + "21.2.1", + "21.2.2", + "21.2.3", + "21.2.4", + "21.3", + "21.3.1", + "22.0", + "22.0.1", + "22.0.2", + "22.0.3", + "22.0.4", + "22.1", + "22.1.1", + "22.1.2", + "22.1b1", + "22.2", + "22.2.1", + "22.2.2", + 
"22.3", + "22.3.1", + "23.0", + "23.0.1", + "23.1", + "23.1.1", + "23.1.2", + "23.2", + "23.2.1", + "6.0", + "6.0.1", + "6.0.2", + "6.0.3", + "6.0.4", + "6.0.5", + "6.0.6", + "6.0.7", + "6.0.8", + "6.1.0", + "6.1.1", + "7.0.0", + "7.0.1", + "7.0.2", + "7.0.3", + "7.1.0", + "7.1.1", + "7.1.2", + "8.0.0", + "8.0.1", + "8.0.2", + "8.0.3", + "8.1.0", + "8.1.1", + "8.1.2", + "9.0.0", + "9.0.1", + "9.0.2", + "9.0.3" + ], + "database_specific": { + "source": "https://github.com/pypa/advisory-database/blob/main/vulns/pip/PYSEC-2023-228.yaml" + } + } + ], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/F4PL35U6X4VVHZ5ILJU3PWUWN7H7LZXL/" + }, + { + "type": "FIX", + "url": "https://github.com/pypa/pip/pull/12306" + } + ] } ], "groups": [ { "ids": [ - "GHSA-mq26-g339-26xf" + "GHSA-mq26-g339-26xf", + "PYSEC-2023-228" ] } ] diff --git a/audits/dvc-requirements.audit.json b/audits/dvc-requirements.audit.json index 60526525..43303ad0 100644 --- a/audits/dvc-requirements.audit.json +++ b/audits/dvc-requirements.audit.json @@ -8,7 +8,7 @@ }, "vulnerabilities": [ { - "modified": "2023-10-18T15:45:07Z", + "modified": "2023-11-03T21:48:20Z", "published": "2023-04-03T06:30:19Z", "schema_version": "1.6.0", "id": "GHSA-c33w-24p9-8m24", @@ -89,6 +89,10 @@ "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NZHY7B33EFY4LESP2NI4APQUPRROTAZK/" }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PYU4IHVLOTYMFPH7KDOJGKZQR4GKWPFK/" + }, { "type": "WEB", "url": "https://security.snyk.io/vuln/SNYK-PYTHON-CONFIGOBJ-3252494" diff --git a/audits/fdroidserver-requirements.audit.json b/audits/fdroidserver-requirements.audit.json index 3cccb771..73ea33f0 100644 
--- a/audits/fdroidserver-requirements.audit.json +++ b/audits/fdroidserver-requirements.audit.json @@ -565,7 +565,7 @@ } }, { - "modified": "2023-10-22T05:29:54Z", + "modified": "2023-11-04T00:48:52Z", "published": "2023-10-02T23:27:05Z", "schema_version": "1.6.0", "id": "GHSA-v845-jxx5-vc9f", @@ -746,6 +746,10 @@ "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00012.html" }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5F5CUBAN5XMEBVBZPHFITBLMJV5FIJJ5/" + }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I3PR7C6RJ6JUBQKIJ644DMIJSUP36VDY/" @@ -761,7 +765,7 @@ ], "github_reviewed": true, "github_reviewed_at": "2023-10-02T23:27:05Z", - "nvd_published_at": null, + "nvd_published_at": "2023-10-04T17:15:10Z", "severity": "MODERATE" } }, diff --git a/audits/flintrock-requirements.audit.json b/audits/flintrock-requirements.audit.json index 307d5434..5cafc03c 100644 --- a/audits/flintrock-requirements.audit.json +++ b/audits/flintrock-requirements.audit.json @@ -425,7 +425,7 @@ } }, { - "modified": "2023-10-22T05:29:54Z", + "modified": "2023-11-04T00:48:52Z", "published": "2023-10-02T23:27:05Z", "schema_version": "1.6.0", "id": "GHSA-v845-jxx5-vc9f", @@ -606,6 +606,10 @@ "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00012.html" }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5F5CUBAN5XMEBVBZPHFITBLMJV5FIJJ5/" + }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I3PR7C6RJ6JUBQKIJ644DMIJSUP36VDY/" @@ -621,7 +625,7 @@ ], "github_reviewed": true, "github_reviewed_at": "2023-10-02T23:27:05Z", - "nvd_published_at": null, + "nvd_published_at": "2023-10-04T17:15:10Z", "severity": "MODERATE" } }, 
diff --git a/audits/gyb-requirements.audit.json b/audits/gyb-requirements.audit.json index 7fddcc67..8b63499f 100644 --- a/audits/gyb-requirements.audit.json +++ b/audits/gyb-requirements.audit.json @@ -223,7 +223,7 @@ } }, { - "modified": "2023-10-22T05:29:54Z", + "modified": "2023-11-04T00:48:52Z", "published": "2023-10-02T23:27:05Z", "schema_version": "1.6.0", "id": "GHSA-v845-jxx5-vc9f", @@ -404,6 +404,10 @@ "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00012.html" }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5F5CUBAN5XMEBVBZPHFITBLMJV5FIJJ5/" + }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I3PR7C6RJ6JUBQKIJ644DMIJSUP36VDY/" @@ -419,7 +423,7 @@ ], "github_reviewed": true, "github_reviewed_at": "2023-10-02T23:27:05Z", - "nvd_published_at": null, + "nvd_published_at": "2023-10-04T17:15:10Z", "severity": "MODERATE" } }, diff --git a/audits/iredis-requirements.audit.json b/audits/iredis-requirements.audit.json index 60526525..43303ad0 100644 --- a/audits/iredis-requirements.audit.json +++ b/audits/iredis-requirements.audit.json @@ -8,7 +8,7 @@ }, "vulnerabilities": [ { - "modified": "2023-10-18T15:45:07Z", + "modified": "2023-11-03T21:48:20Z", "published": "2023-04-03T06:30:19Z", "schema_version": "1.6.0", "id": "GHSA-c33w-24p9-8m24", @@ -89,6 +89,10 @@ "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NZHY7B33EFY4LESP2NI4APQUPRROTAZK/" }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PYU4IHVLOTYMFPH7KDOJGKZQR4GKWPFK/" + }, { "type": "WEB", "url": "https://security.snyk.io/vuln/SNYK-PYTHON-CONFIGOBJ-3252494" diff --git a/audits/khal-requirements.audit.json b/audits/khal-requirements.audit.json index 60526525..43303ad0 100644 
--- a/audits/khal-requirements.audit.json +++ b/audits/khal-requirements.audit.json @@ -8,7 +8,7 @@ }, "vulnerabilities": [ { - "modified": "2023-10-18T15:45:07Z", + "modified": "2023-11-03T21:48:20Z", "published": "2023-04-03T06:30:19Z", "schema_version": "1.6.0", "id": "GHSA-c33w-24p9-8m24", @@ -89,6 +89,10 @@ "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NZHY7B33EFY4LESP2NI4APQUPRROTAZK/" }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PYU4IHVLOTYMFPH7KDOJGKZQR4GKWPFK/" + }, { "type": "WEB", "url": "https://security.snyk.io/vuln/SNYK-PYTHON-CONFIGOBJ-3252494" diff --git a/audits/khard-requirements.audit.json b/audits/khard-requirements.audit.json index 60526525..43303ad0 100644 --- a/audits/khard-requirements.audit.json +++ b/audits/khard-requirements.audit.json @@ -8,7 +8,7 @@ }, "vulnerabilities": [ { - "modified": "2023-10-18T15:45:07Z", + "modified": "2023-11-03T21:48:20Z", "published": "2023-04-03T06:30:19Z", "schema_version": "1.6.0", "id": "GHSA-c33w-24p9-8m24", @@ -89,6 +89,10 @@ "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NZHY7B33EFY4LESP2NI4APQUPRROTAZK/" }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PYU4IHVLOTYMFPH7KDOJGKZQR4GKWPFK/" + }, { "type": "WEB", "url": "https://security.snyk.io/vuln/SNYK-PYTHON-CONFIGOBJ-3252494" diff --git a/audits/litecli-requirements.audit.json b/audits/litecli-requirements.audit.json index 60526525..43303ad0 100644 --- a/audits/litecli-requirements.audit.json +++ b/audits/litecli-requirements.audit.json @@ -8,7 +8,7 @@ }, "vulnerabilities": [ { - "modified": "2023-10-18T15:45:07Z", + "modified": "2023-11-03T21:48:20Z", "published": "2023-04-03T06:30:19Z", "schema_version": "1.6.0", "id": "GHSA-c33w-24p9-8m24", 
@@ -89,6 +89,10 @@ "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NZHY7B33EFY4LESP2NI4APQUPRROTAZK/" }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PYU4IHVLOTYMFPH7KDOJGKZQR4GKWPFK/" + }, { "type": "WEB", "url": "https://security.snyk.io/vuln/SNYK-PYTHON-CONFIGOBJ-3252494" diff --git a/audits/magic-wormhole-requirements.audit.json b/audits/magic-wormhole-requirements.audit.json index c3c16278..ee809a50 100644 --- a/audits/magic-wormhole-requirements.audit.json +++ b/audits/magic-wormhole-requirements.audit.json @@ -8,7 +8,7 @@ }, "vulnerabilities": [ { - "modified": "2023-10-27T21:07:15Z", + "modified": "2023-11-03T16:01:50Z", "published": "2023-10-25T21:15:13Z", "schema_version": "1.6.0", "id": "GHSA-xc8x-vp79-p3wm", 
@@ -16,7 +16,7 @@ "CVE-2023-46137" ], "summary": "twisted.web has disordered HTTP pipeline response", - "details": "### Summary\nWhen sending multiple HTTP requests in one TCP packet, twisted.web will process the requests asynchronously without guaranteeing the response order.\n\n### Details\nThere's an example faulty program:\n```python\nfrom twisted.internet import reactor, endpoints\nfrom twisted.web import server\nfrom twisted.web.proxy import ReverseProxyResource\nfrom twisted.web.resource import Resource\n\nclass Second(Resource):\n isLeaf = True\n def render_GET(self, request):\n return b'SECOND\\n'\n\nclass First(Resource):\n isLeaf = True\n def render_GET(self, request):\n def send_response():\n request.write(b'FIRST DELAYED\\n')\n request.finish()\n reactor.callLater(0.5, send_response)\n return server.NOT_DONE_YET\n\nroot = Resource()\n\nroot.putChild(b'second', Second())\nroot.putChild(b'first', First())\n\nendpoint = endpoints.TCP4ServerEndpoint(reactor, 8080)\nendpoint.listen(server.Site(root))\nreactor.run()\n```\n\nWhen two requests for `/first` and `/second` are sent in the same order, the second request will be responded to first.\n```shell\necho -en \"GET /first HTTP/1.1\\r\\nHost: a\\r\\n\\r\\nGET /second HTTP/1.1\\r\\nHost: a\\r\\n\\r\\n\" | nc localhost 8080\n```\n\n### Impact\nIf one of the endpoints is controlled by an attacker, the attacker can delay the response on purpose to manipulate the response of the second request when a victim launched two requests using HTTP pipeline.", + "details": "Twisted is an event-based framework for internet applications. Prior to version 23.10.0rc1, when sending multiple HTTP requests in one TCP packet, twisted.web will process the requests asynchronously without guaranteeing the response order. If one of the endpoints is controlled by an attacker, the attacker can delay the response on purpose to manipulate the response of the second request when a victim launched two requests using HTTP pipeline. 
Version 23.10.0rc1 contains a patch for this issue.\n\n### Details\nThere's an example faulty program:\n```python\nfrom twisted.internet import reactor, endpoints\nfrom twisted.web import server\nfrom twisted.web.proxy import ReverseProxyResource\nfrom twisted.web.resource import Resource\n\nclass Second(Resource):\n isLeaf = True\n def render_GET(self, request):\n return b'SECOND\\n'\n\nclass First(Resource):\n isLeaf = True\n def render_GET(self, request):\n def send_response():\n request.write(b'FIRST DELAYED\\n')\n request.finish()\n reactor.callLater(0.5, send_response)\n return server.NOT_DONE_YET\n\nroot = Resource()\n\nroot.putChild(b'second', Second())\nroot.putChild(b'first', First())\n\nendpoint = endpoints.TCP4ServerEndpoint(reactor, 8080)\nendpoint.listen(server.Site(root))\nreactor.run()\n```\n\nWhen two requests for `/first` and `/second` are sent in the same order, the second request will be responded to first.\n```shell\necho -en \"GET /first HTTP/1.1\\r\\nHost: a\\r\\n\\r\\nGET /second HTTP/1.1\\r\\nHost: a\\r\\n\\r\\n\" | nc localhost 8080\n```", "affected": [ { "package": { @@ -154,6 +154,10 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46137" }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/twisted/PYSEC-2023-224.yaml" + }, { "type": "PACKAGE", "url": "https://github.com/twisted/twisted" 
@@ -165,15 +169,162 @@ ], "github_reviewed": true, "github_reviewed_at": "2023-10-25T21:15:13Z", - "nvd_published_at": null, + "nvd_published_at": "2023-10-25T21:15:10Z", "severity": "MODERATE" } + }, + { + "modified": "2023-11-02T16:33:16Z", + "published": "2023-10-25T21:15:00Z", + "schema_version": "1.6.0", + "id": "PYSEC-2023-224", + "aliases": [ + "CVE-2023-46137", + "GHSA-xc8x-vp79-p3wm" + ], + "details": "Twisted is an event-based framework for internet applications. Prior to version 23.10.0rc1, when sending multiple HTTP requests in one TCP packet, twisted.web will process the requests asynchronously without guaranteeing the response order. If one of the endpoints is controlled by an attacker, the attacker can delay the response on purpose to manipulate the response of the second request when a victim launched two requests using HTTP pipeline. Version 23.10.0rc1 contains a patch for this issue.", + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "twisted", + "purl": "pkg:pypi/twisted" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "23.10.0rc1" + } + ] + } + ], + "versions": [ + "1.0.1", + "1.0.3", + "1.0.4", + "1.0.5", + "1.0.6", + "1.0.7", + "1.1.0", + "1.1.1", + "1.2.0", + "10.0.0", + "10.1.0", + "10.2.0", + "11.0.0", + "11.1.0", + "12.0.0", + "12.1.0", + "12.2.0", + "12.3.0", + "13.0.0", + "13.1.0", + "13.2.0", + "14.0.0", + "14.0.1", + "14.0.2", + "15.0.0", + "15.1.0", + "15.2.0", + "15.2.1", + "15.3.0", + "15.4.0", + "15.5.0", + "16.0.0", + "16.1.0", + "16.1.1", + "16.2.0", + "16.3.0", + "16.3.1", + "16.3.2", + "16.4.0", + "16.4.1", + "16.5.0", + "16.5.0rc1", + "16.5.0rc2", + "16.6.0", + "16.6.0rc1", + "16.7.0rc1", + "16.7.0rc2", + "17.1.0", + "17.1.0rc1", + "17.5.0", + "17.9.0", + "17.9.0rc1", + "18.4.0", + "18.4.0rc1", + "18.7.0", + "18.7.0rc1", + "18.7.0rc2", + "18.9.0", + "18.9.0rc1", + "19.10.0", + "19.10.0rc1", + "19.2.0", + "19.2.0rc1", + "19.2.0rc2", + "19.2.1", + 
"19.7.0", + "19.7.0rc1", + "2.1.0", + "2.4.0", + "2.5.0", + "20.3.0", + "20.3.0rc1", + "21.2.0", + "21.2.0rc1", + "21.7.0", + "21.7.0rc1", + "21.7.0rc2", + "21.7.0rc3", + "22.1.0", + "22.1.0rc1", + "22.2.0", + "22.2.0rc1", + "22.4.0", + "22.4.0rc1", + "22.8.0", + "22.8.0rc1", + "22.8.0", + "22.10.0rc1", + "22.10.0", + "23.8.0rc1", + "23.8.0", + "8.0.0", + "8.0.1", + "8.1.0", + "8.2.0", + "9.0.0" + ], + "database_specific": { + "source": "https://github.com/pypa/advisory-database/blob/main/vulns/twisted/PYSEC-2023-224.yaml" + } + } + ], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/twisted/twisted/security/advisories/GHSA-xc8x-vp79-p3wm" + } + ] } ], "groups": [ { "ids": [ - "GHSA-xc8x-vp79-p3wm" + "GHSA-xc8x-vp79-p3wm", + "PYSEC-2023-224" ] } ] diff --git a/audits/mycli-requirements.audit.json b/audits/mycli-requirements.audit.json index 60526525..43303ad0 100644 --- a/audits/mycli-requirements.audit.json +++ b/audits/mycli-requirements.audit.json @@ -8,7 +8,7 @@ }, "vulnerabilities": [ { - "modified": "2023-10-18T15:45:07Z", + "modified": "2023-11-03T21:48:20Z", "published": "2023-04-03T06:30:19Z", "schema_version": "1.6.0", "id": "GHSA-c33w-24p9-8m24", @@ -89,6 +89,10 @@ "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NZHY7B33EFY4LESP2NI4APQUPRROTAZK/" }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PYU4IHVLOTYMFPH7KDOJGKZQR4GKWPFK/" + }, { "type": "WEB", "url": "https://security.snyk.io/vuln/SNYK-PYTHON-CONFIGOBJ-3252494" diff --git a/audits/onlykey-agent-requirements.audit.json b/audits/onlykey-agent-requirements.audit.json index 668fd2c5..930c237c 100644 --- a/audits/onlykey-agent-requirements.audit.json +++ b/audits/onlykey-agent-requirements.audit.json 
@@ -223,7 +223,7 @@ } }, { - "modified": "2023-10-22T05:29:54Z", + "modified": "2023-11-04T00:48:52Z", "published": "2023-10-02T23:27:05Z", "schema_version": "1.6.0", "id": "GHSA-v845-jxx5-vc9f", @@ -404,6 +404,10 @@ "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00012.html" }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5F5CUBAN5XMEBVBZPHFITBLMJV5FIJJ5/" + }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I3PR7C6RJ6JUBQKIJ644DMIJSUP36VDY/" @@ -419,7 +423,7 @@ ], "github_reviewed": true, "github_reviewed_at": "2023-10-02T23:27:05Z", - "nvd_published_at": null, + "nvd_published_at": "2023-10-04T17:15:10Z", "severity": "MODERATE" } }, diff --git a/audits/openai-whisper-requirements.audit.json b/audits/openai-whisper-requirements.audit.json index 668fd2c5..930c237c 100644 --- a/audits/openai-whisper-requirements.audit.json +++ b/audits/openai-whisper-requirements.audit.json @@ -223,7 +223,7 @@ } }, { - "modified": "2023-10-22T05:29:54Z", + "modified": "2023-11-04T00:48:52Z", "published": "2023-10-02T23:27:05Z", "schema_version": "1.6.0", "id": "GHSA-v845-jxx5-vc9f", @@ -404,6 +404,10 @@ "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00012.html" }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5F5CUBAN5XMEBVBZPHFITBLMJV5FIJJ5/" + }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I3PR7C6RJ6JUBQKIJ644DMIJSUP36VDY/" @@ -419,7 +423,7 @@ ], "github_reviewed": true, "github_reviewed_at": "2023-10-02T23:27:05Z", - "nvd_published_at": null, + "nvd_published_at": "2023-10-04T17:15:10Z", "severity": "MODERATE" } }, 
diff --git a/audits/pgcli-requirements.audit.json b/audits/pgcli-requirements.audit.json index 60526525..43303ad0 100644 --- a/audits/pgcli-requirements.audit.json +++ b/audits/pgcli-requirements.audit.json @@ -8,7 +8,7 @@ }, "vulnerabilities": [ { - "modified": "2023-10-18T15:45:07Z", + "modified": "2023-11-03T21:48:20Z", "published": "2023-04-03T06:30:19Z", "schema_version": "1.6.0", "id": "GHSA-c33w-24p9-8m24", @@ -89,6 +89,10 @@ "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NZHY7B33EFY4LESP2NI4APQUPRROTAZK/" }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PYU4IHVLOTYMFPH7KDOJGKZQR4GKWPFK/" + }, { "type": "WEB", "url": "https://security.snyk.io/vuln/SNYK-PYTHON-CONFIGOBJ-3252494" diff --git a/audits/pypy-requirements.audit.json b/audits/pypy-requirements.audit.json index 90c323da..183d0227 100644 --- a/audits/pypy-requirements.audit.json +++ b/audits/pypy-requirements.audit.json 
@@ -558,6 +558,193 @@ "url": "https://github.com/advisories/GHSA-5xp3-jfq3-5q8x" } ] + }, + { + "modified": "2023-11-03T16:28:41Z", + "published": "2023-10-25T18:17:00Z", + "schema_version": "1.6.0", + "id": "PYSEC-2023-228", + "aliases": [ + "CVE-2023-5752" + ], + "details": "When installing a package from a Mercurial VCS URL (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n", + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "pip", + "purl": "pkg:pypi/pip" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "23.3" + } + ] + } + ], + "versions": [ + "0.2", + "0.2.1", + "0.3", + "0.3.1", + "0.4", + "0.5", + "0.5.1", + "0.6", + "0.6.1", + "0.6.2", + "0.6.3", + "0.7", + "0.7.1", + "0.7.2", + "0.8", + "0.8.1", + "0.8.2", + "0.8.3", + "1.0", + "1.0.1", + "1.0.2", + "1.1", + "1.2", + "1.2.1", + "1.3", + "1.3.1", + "1.4", + "1.4.1", + "1.5", + "1.5.1", + "1.5.2", + "1.5.3", + "1.5.4", + "1.5.5", + "1.5.6", + "10.0.0", + "10.0.0b1", + "10.0.0b2", + "10.0.1", + "18.0", + "18.1", + "19.0", + "19.0.1", + "19.0.2", + "19.0.3", + "19.1", + "19.1.1", + "19.2", + "19.2.1", + "19.2.2", + "19.2.3", + "19.3", + "19.3.1", + "20.0", + "20.0.1", + "20.0.2", + "20.1", + "20.1.1", + "20.1b1", + "20.2", + "20.2.1", + "20.2.2", + "20.2.3", + "20.2.4", + "20.2b1", + "20.3", + "20.3.1", + "20.3.2", + "20.3.3", + "20.3.4", + "20.3b1", + "21.0", + "21.0.1", + "21.1", + "21.1.1", + "21.1.2", + "21.1.3", + "21.2", + "21.2.1", + "21.2.2", + "21.2.3", + "21.2.4", + "21.3", + "21.3.1", + "22.0", + "22.0.1", + "22.0.2", + "22.0.3", + "22.0.4", + "22.1", + "22.1.1", + "22.1.2", + "22.1b1", + "22.2", + "22.2.1", + 
"22.2.2", + "22.3", + "22.3.1", + "23.0", + "23.0.1", + "23.1", + "23.1.1", + "23.1.2", + "23.2", + "23.2.1", + "6.0", + "6.0.1", + "6.0.2", + "6.0.3", + "6.0.4", + "6.0.5", + "6.0.6", + "6.0.7", + "6.0.8", + "6.1.0", + "6.1.1", + "7.0.0", + "7.0.1", + "7.0.2", + "7.0.3", + "7.1.0", + "7.1.1", + "7.1.2", + "8.0.0", + "8.0.1", + "8.0.2", + "8.0.3", + "8.1.0", + "8.1.1", + "8.1.2", + "9.0.0", + "9.0.1", + "9.0.2", + "9.0.3" + ], + "database_specific": { + "source": "https://github.com/pypa/advisory-database/blob/main/vulns/pip/PYSEC-2023-228.yaml" + } + } + ], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/F4PL35U6X4VVHZ5ILJU3PWUWN7H7LZXL/" + }, + { + "type": "FIX", + "url": "https://github.com/pypa/pip/pull/12306" + } + ] } ], "groups": [ @@ -569,7 +756,8 @@ }, { "ids": [ - "GHSA-mq26-g339-26xf" + "GHSA-mq26-g339-26xf", + "PYSEC-2023-228" ] } ] diff --git a/audits/pypy3.10-requirements.audit.json b/audits/pypy3.10-requirements.audit.json index bda6d895..f6505fc4 100644 --- a/audits/pypy3.10-requirements.audit.json +++ b/audits/pypy3.10-requirements.audit.json 
@@ -215,12 +215,200 @@ "nvd_published_at": null, "severity": "MODERATE" } + }, + { + "modified": "2023-11-03T16:28:41Z", + "published": "2023-10-25T18:17:00Z", + "schema_version": "1.6.0", + "id": "PYSEC-2023-228", + "aliases": [ + "CVE-2023-5752" + ], + "details": "When installing a package from a Mercurial VCS URL (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n", + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "pip", + "purl": "pkg:pypi/pip" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "23.3" + } + ] + } + ], + "versions": [ + "0.2", + "0.2.1", + "0.3", + "0.3.1", + "0.4", + "0.5", + "0.5.1", + "0.6", + "0.6.1", + "0.6.2", + "0.6.3", + "0.7", + "0.7.1", + "0.7.2", + "0.8", + "0.8.1", + "0.8.2", + "0.8.3", + "1.0", + "1.0.1", + "1.0.2", + "1.1", + "1.2", + "1.2.1", + "1.3", + "1.3.1", + "1.4", + "1.4.1", + "1.5", + "1.5.1", + "1.5.2", + "1.5.3", + "1.5.4", + "1.5.5", + "1.5.6", + "10.0.0", + "10.0.0b1", + "10.0.0b2", + "10.0.1", + "18.0", + "18.1", + "19.0", + "19.0.1", + "19.0.2", + "19.0.3", + "19.1", + "19.1.1", + "19.2", + "19.2.1", + "19.2.2", + "19.2.3", + "19.3", + "19.3.1", + "20.0", + "20.0.1", + "20.0.2", + "20.1", + "20.1.1", + "20.1b1", + "20.2", + "20.2.1", + "20.2.2", + "20.2.3", + "20.2.4", + "20.2b1", + "20.3", + "20.3.1", + "20.3.2", + "20.3.3", + "20.3.4", + "20.3b1", + "21.0", + "21.0.1", + "21.1", + "21.1.1", + "21.1.2", + "21.1.3", + "21.2", + "21.2.1", + "21.2.2", + "21.2.3", + "21.2.4", + "21.3", + "21.3.1", + "22.0", + "22.0.1", + "22.0.2", + "22.0.3", + "22.0.4", + "22.1", + "22.1.1", + "22.1.2", + "22.1b1", + "22.2", + "22.2.1", + "22.2.2", + 
"22.3", + "22.3.1", + "23.0", + "23.0.1", + "23.1", + "23.1.1", + "23.1.2", + "23.2", + "23.2.1", + "6.0", + "6.0.1", + "6.0.2", + "6.0.3", + "6.0.4", + "6.0.5", + "6.0.6", + "6.0.7", + "6.0.8", + "6.1.0", + "6.1.1", + "7.0.0", + "7.0.1", + "7.0.2", + "7.0.3", + "7.1.0", + "7.1.1", + "7.1.2", + "8.0.0", + "8.0.1", + "8.0.2", + "8.0.3", + "8.1.0", + "8.1.1", + "8.1.2", + "9.0.0", + "9.0.1", + "9.0.2", + "9.0.3" + ], + "database_specific": { + "source": "https://github.com/pypa/advisory-database/blob/main/vulns/pip/PYSEC-2023-228.yaml" + } + } + ], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/F4PL35U6X4VVHZ5ILJU3PWUWN7H7LZXL/" + }, + { + "type": "FIX", + "url": "https://github.com/pypa/pip/pull/12306" + } + ] } ], "groups": [ { "ids": [ - "GHSA-mq26-g339-26xf" + "GHSA-mq26-g339-26xf", + "PYSEC-2023-228" ] } ] diff --git a/audits/pypy3.9-requirements.audit.json b/audits/pypy3.9-requirements.audit.json index bda6d895..f6505fc4 100644 --- a/audits/pypy3.9-requirements.audit.json +++ b/audits/pypy3.9-requirements.audit.json 
@@ -215,12 +215,200 @@ "nvd_published_at": null, "severity": "MODERATE" } + }, + { + "modified": "2023-11-03T16:28:41Z", + "published": "2023-10-25T18:17:00Z", + "schema_version": "1.6.0", + "id": "PYSEC-2023-228", + "aliases": [ + "CVE-2023-5752" + ], + "details": "When installing a package from a Mercurial VCS URL (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n", + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "pip", + "purl": "pkg:pypi/pip" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "23.3" + } + ] + } + ], + "versions": [ + "0.2", + "0.2.1", + "0.3", + "0.3.1", + "0.4", + "0.5", + "0.5.1", + "0.6", + "0.6.1", + "0.6.2", + "0.6.3", + "0.7", + "0.7.1", + "0.7.2", + "0.8", + "0.8.1", + "0.8.2", + "0.8.3", + "1.0", + "1.0.1", + "1.0.2", + "1.1", + "1.2", + "1.2.1", + "1.3", + "1.3.1", + "1.4", + "1.4.1", + "1.5", + "1.5.1", + "1.5.2", + "1.5.3", + "1.5.4", + "1.5.5", + "1.5.6", + "10.0.0", + "10.0.0b1", + "10.0.0b2", + "10.0.1", + "18.0", + "18.1", + "19.0", + "19.0.1", + "19.0.2", + "19.0.3", + "19.1", + "19.1.1", + "19.2", + "19.2.1", + "19.2.2", + "19.2.3", + "19.3", + "19.3.1", + "20.0", + "20.0.1", + "20.0.2", + "20.1", + "20.1.1", + "20.1b1", + "20.2", + "20.2.1", + "20.2.2", + "20.2.3", + "20.2.4", + "20.2b1", + "20.3", + "20.3.1", + "20.3.2", + "20.3.3", + "20.3.4", + "20.3b1", + "21.0", + "21.0.1", + "21.1", + "21.1.1", + "21.1.2", + "21.1.3", + "21.2", + "21.2.1", + "21.2.2", + "21.2.3", + "21.2.4", + "21.3", + "21.3.1", + "22.0", + "22.0.1", + "22.0.2", + "22.0.3", + "22.0.4", + "22.1", + "22.1.1", + "22.1.2", + "22.1b1", + "22.2", + "22.2.1", + "22.2.2", + 
"22.3", + "22.3.1", + "23.0", + "23.0.1", + "23.1", + "23.1.1", + "23.1.2", + "23.2", + "23.2.1", + "6.0", + "6.0.1", + "6.0.2", + "6.0.3", + "6.0.4", + "6.0.5", + "6.0.6", + "6.0.7", + "6.0.8", + "6.1.0", + "6.1.1", + "7.0.0", + "7.0.1", + "7.0.2", + "7.0.3", + "7.1.0", + "7.1.1", + "7.1.2", + "8.0.0", + "8.0.1", + "8.0.2", + "8.0.3", + "8.1.0", + "8.1.1", + "8.1.2", + "9.0.0", + "9.0.1", + "9.0.2", + "9.0.3" + ], + "database_specific": { + "source": "https://github.com/pypa/advisory-database/blob/main/vulns/pip/PYSEC-2023-228.yaml" + } + } + ], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/F4PL35U6X4VVHZ5ILJU3PWUWN7H7LZXL/" + }, + { + "type": "FIX", + "url": "https://github.com/pypa/pip/pull/12306" + } + ] } ], "groups": [ { "ids": [ - "GHSA-mq26-g339-26xf" + "GHSA-mq26-g339-26xf", + "PYSEC-2023-228" ] } ] diff --git a/audits/python@3.12-requirements.audit.json b/audits/python@3.12-requirements.audit.json index 08d0a160..ed4c7907 100644 --- a/audits/python@3.12-requirements.audit.json +++ b/audits/python@3.12-requirements.audit.json 
@@ -215,12 +215,200 @@ "nvd_published_at": null, "severity": "MODERATE" } + }, + { + "modified": "2023-11-03T16:28:41Z", + "published": "2023-10-25T18:17:00Z", + "schema_version": "1.6.0", + "id": "PYSEC-2023-228", + "aliases": [ + "CVE-2023-5752" + ], + "details": "When installing a package from a Mercurial VCS URL (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n", + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "pip", + "purl": "pkg:pypi/pip" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "23.3" + } + ] + } + ], + "versions": [ + "0.2", + "0.2.1", + "0.3", + "0.3.1", + "0.4", + "0.5", + "0.5.1", + "0.6", + "0.6.1", + "0.6.2", + "0.6.3", + "0.7", + "0.7.1", + "0.7.2", + "0.8", + "0.8.1", + "0.8.2", + "0.8.3", + "1.0", + "1.0.1", + "1.0.2", + "1.1", + "1.2", + "1.2.1", + "1.3", + "1.3.1", + "1.4", + "1.4.1", + "1.5", + "1.5.1", + "1.5.2", + "1.5.3", + "1.5.4", + "1.5.5", + "1.5.6", + "10.0.0", + "10.0.0b1", + "10.0.0b2", + "10.0.1", + "18.0", + "18.1", + "19.0", + "19.0.1", + "19.0.2", + "19.0.3", + "19.1", + "19.1.1", + "19.2", + "19.2.1", + "19.2.2", + "19.2.3", + "19.3", + "19.3.1", + "20.0", + "20.0.1", + "20.0.2", + "20.1", + "20.1.1", + "20.1b1", + "20.2", + "20.2.1", + "20.2.2", + "20.2.3", + "20.2.4", + "20.2b1", + "20.3", + "20.3.1", + "20.3.2", + "20.3.3", + "20.3.4", + "20.3b1", + "21.0", + "21.0.1", + "21.1", + "21.1.1", + "21.1.2", + "21.1.3", + "21.2", + "21.2.1", + "21.2.2", + "21.2.3", + "21.2.4", + "21.3", + "21.3.1", + "22.0", + "22.0.1", + "22.0.2", + "22.0.3", + "22.0.4", + "22.1", + "22.1.1", + "22.1.2", + "22.1b1", + "22.2", + "22.2.1", + "22.2.2", + 
"22.3", + "22.3.1", + "23.0", + "23.0.1", + "23.1", + "23.1.1", + "23.1.2", + "23.2", + "23.2.1", + "6.0", + "6.0.1", + "6.0.2", + "6.0.3", + "6.0.4", + "6.0.5", + "6.0.6", + "6.0.7", + "6.0.8", + "6.1.0", + "6.1.1", + "7.0.0", + "7.0.1", + "7.0.2", + "7.0.3", + "7.1.0", + "7.1.1", + "7.1.2", + "8.0.0", + "8.0.1", + "8.0.2", + "8.0.3", + "8.1.0", + "8.1.1", + "8.1.2", + "9.0.0", + "9.0.1", + "9.0.2", + "9.0.3" + ], + "database_specific": { + "source": "https://github.com/pypa/advisory-database/blob/main/vulns/pip/PYSEC-2023-228.yaml" + } + } + ], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/F4PL35U6X4VVHZ5ILJU3PWUWN7H7LZXL/" + }, + { + "type": "FIX", + "url": "https://github.com/pypa/pip/pull/12306" + } + ] } ], "groups": [ { "ids": [ - "GHSA-mq26-g339-26xf" + "GHSA-mq26-g339-26xf", + "PYSEC-2023-228" ] } ] diff --git a/audits/recon-ng-requirements.audit.json b/audits/recon-ng-requirements.audit.json index ea735ec6..cce63d7d 100644 --- a/audits/recon-ng-requirements.audit.json +++ b/audits/recon-ng-requirements.audit.json @@ -1397,7 +1397,7 @@ } }, { - "modified": "2023-10-22T05:29:54Z", + "modified": "2023-11-04T00:48:52Z", "published": "2023-10-02T23:27:05Z", "schema_version": "1.6.0", "id": "GHSA-v845-jxx5-vc9f", @@ -1578,6 +1578,10 @@ "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00012.html" }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5F5CUBAN5XMEBVBZPHFITBLMJV5FIJJ5/" + }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I3PR7C6RJ6JUBQKIJ644DMIJSUP36VDY/" 
@@ -1593,7 +1597,7 @@ ], "github_reviewed": true, "github_reviewed_at": "2023-10-02T23:27:05Z", - "nvd_published_at": null, + "nvd_published_at": "2023-10-04T17:15:10Z", "severity": "MODERATE" } }, diff --git a/audits/scoutsuite-requirements.audit.json b/audits/scoutsuite-requirements.audit.json index 7fddcc67..8b63499f 100644 --- a/audits/scoutsuite-requirements.audit.json +++ b/audits/scoutsuite-requirements.audit.json @@ -223,7 +223,7 @@ } }, { - "modified": "2023-10-22T05:29:54Z", + "modified": "2023-11-04T00:48:52Z", "published": "2023-10-02T23:27:05Z", "schema_version": "1.6.0", "id": "GHSA-v845-jxx5-vc9f", @@ -404,6 +404,10 @@ "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00012.html" }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5F5CUBAN5XMEBVBZPHFITBLMJV5FIJJ5/" + }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I3PR7C6RJ6JUBQKIJ644DMIJSUP36VDY/" @@ -419,7 +423,7 @@ ], "github_reviewed": true, "github_reviewed_at": "2023-10-02T23:27:05Z", - "nvd_published_at": null, + "nvd_published_at": "2023-10-04T17:15:10Z", "severity": "MODERATE" } }, diff --git a/audits/scrapy-requirements.audit.json b/audits/scrapy-requirements.audit.json index bcc62107..b3db3ce7 100644 --- a/audits/scrapy-requirements.audit.json +++ b/audits/scrapy-requirements.audit.json @@ -8,7 +8,7 @@ }, "vulnerabilities": [ { - "modified": "2023-10-27T21:07:15Z", + "modified": "2023-11-03T16:01:50Z", "published": "2023-10-25T21:15:13Z", "schema_version": "1.6.0", "id": "GHSA-xc8x-vp79-p3wm", 
@@ -16,7 +16,7 @@ "CVE-2023-46137" ], "summary": "twisted.web has disordered HTTP pipeline response", - "details": "### Summary\nWhen sending multiple HTTP requests in one TCP packet, twisted.web will process the requests asynchronously without guaranteeing the response order.\n\n### Details\nThere's an example faulty program:\n```python\nfrom twisted.internet import reactor, endpoints\nfrom twisted.web import server\nfrom twisted.web.proxy import ReverseProxyResource\nfrom twisted.web.resource import Resource\n\nclass Second(Resource):\n isLeaf = True\n def render_GET(self, request):\n return b'SECOND\\n'\n\nclass First(Resource):\n isLeaf = True\n def render_GET(self, request):\n def send_response():\n request.write(b'FIRST DELAYED\\n')\n request.finish()\n reactor.callLater(0.5, send_response)\n return server.NOT_DONE_YET\n\nroot = Resource()\n\nroot.putChild(b'second', Second())\nroot.putChild(b'first', First())\n\nendpoint = endpoints.TCP4ServerEndpoint(reactor, 8080)\nendpoint.listen(server.Site(root))\nreactor.run()\n```\n\nWhen two requests for `/first` and `/second` are sent in the same order, the second request will be responded to first.\n```shell\necho -en \"GET /first HTTP/1.1\\r\\nHost: a\\r\\n\\r\\nGET /second HTTP/1.1\\r\\nHost: a\\r\\n\\r\\n\" | nc localhost 8080\n```\n\n### Impact\nIf one of the endpoints is controlled by an attacker, the attacker can delay the response on purpose to manipulate the response of the second request when a victim launched two requests using HTTP pipeline.", + "details": "Twisted is an event-based framework for internet applications. Prior to version 23.10.0rc1, when sending multiple HTTP requests in one TCP packet, twisted.web will process the requests asynchronously without guaranteeing the response order. If one of the endpoints is controlled by an attacker, the attacker can delay the response on purpose to manipulate the response of the second request when a victim launched two requests using HTTP pipeline. 
Version 23.10.0rc1 contains a patch for this issue.\n\n### Details\nThere's an example faulty program:\n```python\nfrom twisted.internet import reactor, endpoints\nfrom twisted.web import server\nfrom twisted.web.proxy import ReverseProxyResource\nfrom twisted.web.resource import Resource\n\nclass Second(Resource):\n isLeaf = True\n def render_GET(self, request):\n return b'SECOND\\n'\n\nclass First(Resource):\n isLeaf = True\n def render_GET(self, request):\n def send_response():\n request.write(b'FIRST DELAYED\\n')\n request.finish()\n reactor.callLater(0.5, send_response)\n return server.NOT_DONE_YET\n\nroot = Resource()\n\nroot.putChild(b'second', Second())\nroot.putChild(b'first', First())\n\nendpoint = endpoints.TCP4ServerEndpoint(reactor, 8080)\nendpoint.listen(server.Site(root))\nreactor.run()\n```\n\nWhen two requests for `/first` and `/second` are sent in the same order, the second request will be responded to first.\n```shell\necho -en \"GET /first HTTP/1.1\\r\\nHost: a\\r\\n\\r\\nGET /second HTTP/1.1\\r\\nHost: a\\r\\n\\r\\n\" | nc localhost 8080\n```", "affected": [ { "package": { @@ -154,6 +154,10 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46137" }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/twisted/PYSEC-2023-224.yaml" + }, { "type": "PACKAGE", "url": "https://github.com/twisted/twisted" 
@@ -165,15 +169,162 @@ ], "github_reviewed": true, "github_reviewed_at": "2023-10-25T21:15:13Z", - "nvd_published_at": null, + "nvd_published_at": "2023-10-25T21:15:10Z", "severity": "MODERATE" } + }, + { + "modified": "2023-11-02T16:33:16Z", + "published": "2023-10-25T21:15:00Z", + "schema_version": "1.6.0", + "id": "PYSEC-2023-224", + "aliases": [ + "CVE-2023-46137", + "GHSA-xc8x-vp79-p3wm" + ], + "details": "Twisted is an event-based framework for internet applications. Prior to version 23.10.0rc1, when sending multiple HTTP requests in one TCP packet, twisted.web will process the requests asynchronously without guaranteeing the response order. If one of the endpoints is controlled by an attacker, the attacker can delay the response on purpose to manipulate the response of the second request when a victim launched two requests using HTTP pipeline. Version 23.10.0rc1 contains a patch for this issue.", + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "twisted", + "purl": "pkg:pypi/twisted" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "23.10.0rc1" + } + ] + } + ], + "versions": [ + "1.0.1", + "1.0.3", + "1.0.4", + "1.0.5", + "1.0.6", + "1.0.7", + "1.1.0", + "1.1.1", + "1.2.0", + "10.0.0", + "10.1.0", + "10.2.0", + "11.0.0", + "11.1.0", + "12.0.0", + "12.1.0", + "12.2.0", + "12.3.0", + "13.0.0", + "13.1.0", + "13.2.0", + "14.0.0", + "14.0.1", + "14.0.2", + "15.0.0", + "15.1.0", + "15.2.0", + "15.2.1", + "15.3.0", + "15.4.0", + "15.5.0", + "16.0.0", + "16.1.0", + "16.1.1", + "16.2.0", + "16.3.0", + "16.3.1", + "16.3.2", + "16.4.0", + "16.4.1", + "16.5.0", + "16.5.0rc1", + "16.5.0rc2", + "16.6.0", + "16.6.0rc1", + "16.7.0rc1", + "16.7.0rc2", + "17.1.0", + "17.1.0rc1", + "17.5.0", + "17.9.0", + "17.9.0rc1", + "18.4.0", + "18.4.0rc1", + "18.7.0", + "18.7.0rc1", + "18.7.0rc2", + "18.9.0", + "18.9.0rc1", + "19.10.0", + "19.10.0rc1", + "19.2.0", + "19.2.0rc1", + "19.2.0rc2", + "19.2.1", + 
"19.7.0", + "19.7.0rc1", + "2.1.0", + "2.4.0", + "2.5.0", + "20.3.0", + "20.3.0rc1", + "21.2.0", + "21.2.0rc1", + "21.7.0", + "21.7.0rc1", + "21.7.0rc2", + "21.7.0rc3", + "22.1.0", + "22.1.0rc1", + "22.2.0", + "22.2.0rc1", + "22.4.0", + "22.4.0rc1", + "22.8.0", + "22.8.0rc1", + "22.8.0", + "22.10.0rc1", + "22.10.0", + "23.8.0rc1", + "23.8.0", + "8.0.0", + "8.0.1", + "8.1.0", + "8.2.0", + "9.0.0" + ], + "database_specific": { + "source": "https://github.com/pypa/advisory-database/blob/main/vulns/twisted/PYSEC-2023-224.yaml" + } + } + ], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/twisted/twisted/security/advisories/GHSA-xc8x-vp79-p3wm" + } + ] } ], "groups": [ { "ids": [ - "GHSA-xc8x-vp79-p3wm" + "GHSA-xc8x-vp79-p3wm", + "PYSEC-2023-224" ] } ] diff --git a/audits/sickchill-requirements.audit.json b/audits/sickchill-requirements.audit.json index 60526525..43303ad0 100644 --- a/audits/sickchill-requirements.audit.json +++ b/audits/sickchill-requirements.audit.json @@ -8,7 +8,7 @@ }, "vulnerabilities": [ { - "modified": "2023-10-18T15:45:07Z", + "modified": "2023-11-03T21:48:20Z", "published": "2023-04-03T06:30:19Z", "schema_version": "1.6.0", "id": "GHSA-c33w-24p9-8m24", @@ -89,6 +89,10 @@ "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NZHY7B33EFY4LESP2NI4APQUPRROTAZK/" }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PYU4IHVLOTYMFPH7KDOJGKZQR4GKWPFK/" + }, { "type": "WEB", "url": "https://security.snyk.io/vuln/SNYK-PYTHON-CONFIGOBJ-3252494" diff --git a/audits/snapcraft-requirements.audit.json b/audits/snapcraft-requirements.audit.json index 7fddcc67..8b63499f 100644 --- a/audits/snapcraft-requirements.audit.json +++ b/audits/snapcraft-requirements.audit.json 
@@ -223,7 +223,7 @@ } }, { - "modified": "2023-10-22T05:29:54Z", + "modified": "2023-11-04T00:48:52Z", "published": "2023-10-02T23:27:05Z", "schema_version": "1.6.0", "id": "GHSA-v845-jxx5-vc9f", @@ -404,6 +404,10 @@ "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00012.html" }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5F5CUBAN5XMEBVBZPHFITBLMJV5FIJJ5/" + }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I3PR7C6RJ6JUBQKIJ644DMIJSUP36VDY/" @@ -419,7 +423,7 @@ ], "github_reviewed": true, "github_reviewed_at": "2023-10-02T23:27:05Z", - "nvd_published_at": null, + "nvd_published_at": "2023-10-04T17:15:10Z", "severity": "MODERATE" } }, diff --git a/audits/terminator-requirements.audit.json b/audits/terminator-requirements.audit.json index 60526525..43303ad0 100644 --- a/audits/terminator-requirements.audit.json +++ b/audits/terminator-requirements.audit.json @@ -8,7 +8,7 @@ }, "vulnerabilities": [ { - "modified": "2023-10-18T15:45:07Z", + "modified": "2023-11-03T21:48:20Z", "published": "2023-04-03T06:30:19Z", "schema_version": "1.6.0", "id": "GHSA-c33w-24p9-8m24", @@ -89,6 +89,10 @@ "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NZHY7B33EFY4LESP2NI4APQUPRROTAZK/" }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PYU4IHVLOTYMFPH7KDOJGKZQR4GKWPFK/" + }, { "type": "WEB", "url": "https://security.snyk.io/vuln/SNYK-PYTHON-CONFIGOBJ-3252494" diff --git a/audits/tern-requirements.audit.json b/audits/tern-requirements.audit.json index dd1327de..6fc6fee9 100644 --- a/audits/tern-requirements.audit.json +++ b/audits/tern-requirements.audit.json 
@@ -889,7 +889,7 @@ } }, { - "modified": "2023-10-22T05:29:54Z", + "modified": "2023-11-04T00:48:52Z", "published": "2023-10-02T23:27:05Z", "schema_version": "1.6.0", "id": "GHSA-v845-jxx5-vc9f", @@ -1070,6 +1070,10 @@ "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00012.html" }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5F5CUBAN5XMEBVBZPHFITBLMJV5FIJJ5/" + }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I3PR7C6RJ6JUBQKIJ644DMIJSUP36VDY/" @@ -1085,7 +1089,7 @@ ], "github_reviewed": true, "github_reviewed_at": "2023-10-02T23:27:05Z", - "nvd_published_at": null, + "nvd_published_at": "2023-10-04T17:15:10Z", "severity": "MODERATE" } }, diff --git a/audits/theharvester-requirements.audit.json b/audits/theharvester-requirements.audit.json index 7fddcc67..8b63499f 100644 --- a/audits/theharvester-requirements.audit.json +++ b/audits/theharvester-requirements.audit.json @@ -223,7 +223,7 @@ } }, { - "modified": "2023-10-22T05:29:54Z", + "modified": "2023-11-04T00:48:52Z", "published": "2023-10-02T23:27:05Z", "schema_version": "1.6.0", "id": "GHSA-v845-jxx5-vc9f", @@ -404,6 +404,10 @@ "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00012.html" }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5F5CUBAN5XMEBVBZPHFITBLMJV5FIJJ5/" + }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I3PR7C6RJ6JUBQKIJ644DMIJSUP36VDY/" @@ -419,7 +423,7 @@ ], "github_reviewed": true, "github_reviewed_at": "2023-10-02T23:27:05Z", - "nvd_published_at": null, + "nvd_published_at": "2023-10-04T17:15:10Z", "severity": "MODERATE" } }, 
diff --git a/audits/torchvision-requirements.audit.json b/audits/torchvision-requirements.audit.json index a910a2fd..f0ca96da 100644 --- a/audits/torchvision-requirements.audit.json +++ b/audits/torchvision-requirements.audit.json @@ -541,7 +541,7 @@ } }, { - "modified": "2023-10-22T05:29:54Z", + "modified": "2023-11-04T00:48:52Z", "published": "2023-10-02T23:27:05Z", "schema_version": "1.6.0", "id": "GHSA-v845-jxx5-vc9f", @@ -722,6 +722,10 @@ "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00012.html" }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5F5CUBAN5XMEBVBZPHFITBLMJV5FIJJ5/" + }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I3PR7C6RJ6JUBQKIJ644DMIJSUP36VDY/" @@ -737,7 +741,7 @@ ], "github_reviewed": true, "github_reviewed_at": "2023-10-02T23:27:05Z", - "nvd_published_at": null, + "nvd_published_at": "2023-10-04T17:15:10Z", "severity": "MODERATE" } }, diff --git a/audits/twarc-requirements.audit.json b/audits/twarc-requirements.audit.json index 60526525..43303ad0 100644 --- a/audits/twarc-requirements.audit.json +++ b/audits/twarc-requirements.audit.json @@ -8,7 +8,7 @@ }, "vulnerabilities": [ { - "modified": "2023-10-18T15:45:07Z", + "modified": "2023-11-03T21:48:20Z", "published": "2023-04-03T06:30:19Z", "schema_version": "1.6.0", "id": "GHSA-c33w-24p9-8m24", @@ -89,6 +89,10 @@ "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NZHY7B33EFY4LESP2NI4APQUPRROTAZK/" }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PYU4IHVLOTYMFPH7KDOJGKZQR4GKWPFK/" + }, { "type": "WEB", "url": "https://security.snyk.io/vuln/SNYK-PYTHON-CONFIGOBJ-3252494" 
diff --git a/requirements/check-jsonschema-requirements.txt b/requirements/check-jsonschema-requirements.txt
index daacd7b2..00bce21e 100644
--- a/requirements/check-jsonschema-requirements.txt
+++ b/requirements/check-jsonschema-requirements.txt
@@ -1,12 +1,12 @@
 arrow==1.3.0
 attrs==23.1.0
-charset-normalizer==3.3.0
+charset-normalizer==3.3.2
 click==8.1.7
 fqdn==1.5.1
 idna==3.4
 isoduration==20.11.0
 jsonpointer==2.4
-jsonschema==4.19.1
+jsonschema==4.19.2
 jsonschema-specifications==2023.7.1
 python-dateutil==2.8.2
 referencing==0.30.2
@@ -15,7 +15,7 @@ requests==2.31.0
 rfc3339-validator==0.1.4
 rfc3987==1.3.8
 rpds-py==0.10.6
-ruamel-yaml==0.17.32
+ruamel-yaml==0.17.33
 ruamel-yaml-clib==0.2.8
 types-python-dateutil==2.8.19.14
 uri-template==1.3.0
diff --git a/requirements/git-cola-requirements.txt b/requirements/git-cola-requirements.txt
index dd7ef2a5..2701bfef 100644
--- a/requirements/git-cola-requirements.txt
+++ b/requirements/git-cola-requirements.txt
@@ -1 +1 @@
-QtPy==2.3.1
+qtpy==2.4.1
diff --git a/requirements/poetry-requirements.txt b/requirements/poetry-requirements.txt
index 61af4ae0..b0890663 100644
--- a/requirements/poetry-requirements.txt
+++ b/requirements/poetry-requirements.txt
@@ -1,26 +1,24 @@
-attrs==23.1.0
-build==0.10.0
+build==1.0.3
 cachecontrol==0.13.1
-charset-normalizer==3.3.0
-cleo==2.0.1
+charset-normalizer==3.3.2
+cleo==2.1.0
 crashtest==0.4.1
 dulwich==0.21.6
+fastjsonschema==2.18.1
 idna==3.4
 installer==0.7.0
-jsonschema==4.17.3
 msgpack==1.0.7
 pexpect==4.8.0
 pkginfo==1.9.6
-poetry-core==1.7.0
-poetry-plugin-export==1.5.0
+poetry-core==1.8.1
+poetry-plugin-export==1.6.0
 ptyprocess==0.7.0
 pyproject-hooks==1.0.0
-pyrsistent==0.19.3
-rapidfuzz==2.15.2
+rapidfuzz==3.5.2
 requests==2.31.0
 requests-toolbelt==1.0.0
-shellingham==1.5.3
-tomlkit==0.12.1
+shellingham==1.5.4
+tomlkit==0.12.2
 trove-classifiers==2023.10.18
 urllib3==2.0.7
 xattr==0.10.1