Latest data: Tue Oct 3 08:04:40 UTC 2023

Homebrew · Oct 3, 2023 · f8b936c · f8b936c
1 parent 4541bd1
commit f8b936c
Show file tree

Hide file tree

Showing 162 changed files with 32,115 additions and 20 deletions.
diff --git a/audits/airshare-requirements.audit.json b/audits/airshare-requirements.audit.json
@@ -0,0 +1,210 @@
+[
+  {
+    "package": {
+      "name": "urllib3",
+      "version": "2.0.4",
+      "ecosystem": "PyPI",
+      "commit": ""
+    },
+    "vulnerabilities": [
+      {
+        "modified": "2023-10-02T23:30:48Z",
+        "published": "2023-10-02T23:27:05Z",
+        "schema_version": "1.4.0",
+        "id": "GHSA-v845-jxx5-vc9f",
+        "aliases": [
+          "CVE-2023-43804"
+        ],
+        "summary": "`Cookie` HTTP header isn't stripped on cross-origin redirects",
+        "details": "urllib3 doesn't treat the `Cookie` HTTP header special or provide any helpers for managing cookies over HTTP, that is the responsibility of the user. However, it is possible for a user to specify a `Cookie` header and unknowingly leak information via HTTP redirects to a different origin if that user doesn't disable redirects explicitly.\n\nUsers **must** handle redirects themselves instead of relying on urllib3's automatic redirects to achieve safe processing of the `Cookie` header, thus we decided to strip the header by default in order to further protect users who aren't using the correct approach.\n\n## Affected usages\n\nWe believe the number of usages affected by this advisory is low. It requires all of the following to be true to be exploited:\n\n* Using an affected version of urllib3 (patched in v1.26.17 and v2.0.6)\n* Using the `Cookie` header on requests, which is mostly typical for impersonating a browser.\n* Not disabling HTTP redirects\n* Either not using HTTPS or for the origin server to redirect to a malicious origin.\n\n## Remediation\n\n* Upgrading to at least urllib3 v1.26.17 or v2.0.6\n* Disabling HTTP redirects using `redirects=False` when sending requests.\n* Not using the `Cookie` header.",
+        "affected": [
+          {
+            "package": {
+              "ecosystem": "PyPI",
+              "name": "urllib3",
+              "purl": "pkg:pypi/urllib3"
+            },
+            "ranges": [
+              {
+                "type": "ECOSYSTEM",
+                "events": [
+                  {
+                    "introduced": "2.0.0"
+                  },
+                  {
+                    "fixed": "2.0.6"
+                  }
+                ]
+              }
+            ],
+            "versions": [
+              "2.0.0",
+              "2.0.1",
+              "2.0.2",
+              "2.0.3",
+              "2.0.4",
+              "2.0.5"
+            ],
+            "database_specific": {
+              "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-v845-jxx5-vc9f/GHSA-v845-jxx5-vc9f.json"
+            },
+            "ecosystem_specific": {
+              "affected_functions": [
+                ""
+              ]
+            }
+          },
+          {
+            "package": {
+              "ecosystem": "PyPI",
+              "name": "urllib3",
+              "purl": "pkg:pypi/urllib3"
+            },
+            "ranges": [
+              {
+                "type": "ECOSYSTEM",
+                "events": [
+                  {
+                    "introduced": "0"
+                  },
+                  {
+                    "fixed": "1.26.17"
+                  }
+                ]
+              }
+            ],
+            "versions": [
+              "0.2",
+              "0.3",
+              "0.3.1",
+              "0.4.0",
+              "0.4.1",
+              "1.0",
+              "1.0.1",
+              "1.0.2",
+              "1.1",
+              "1.10",
+              "1.10.1",
+              "1.10.2",
+              "1.10.3",
+              "1.10.4",
+              "1.11",
+              "1.12",
+              "1.13",
+              "1.13.1",
+              "1.14",
+              "1.15",
+              "1.15.1",
+              "1.16",
+              "1.17",
+              "1.18",
+              "1.18.1",
+              "1.19",
+              "1.19.1",
+              "1.2",
+              "1.2.1",
+              "1.2.2",
+              "1.20",
+              "1.21",
+              "1.21.1",
+              "1.22",
+              "1.23",
+              "1.24",
+              "1.24.1",
+              "1.24.2",
+              "1.24.3",
+              "1.25",
+              "1.25.1",
+              "1.25.10",
+              "1.25.11",
+              "1.25.2",
+              "1.25.3",
+              "1.25.4",
+              "1.25.5",
+              "1.25.6",
+              "1.25.7",
+              "1.25.8",
+              "1.25.9",
+              "1.26.0",
+              "1.26.1",
+              "1.26.10",
+              "1.26.11",
+              "1.26.12",
+              "1.26.13",
+              "1.26.14",
+              "1.26.15",
+              "1.26.16",
+              "1.26.2",
+              "1.26.3",
+              "1.26.4",
+              "1.26.5",
+              "1.26.6",
+              "1.26.7",
+              "1.26.8",
+              "1.26.9",
+              "1.3",
+              "1.4",
+              "1.5",
+              "1.6",
+              "1.7",
+              "1.7.1",
+              "1.8",
+              "1.8.2",
+              "1.8.3",
+              "1.9",
+              "1.9.1"
+            ],
+            "database_specific": {
+              "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-v845-jxx5-vc9f/GHSA-v845-jxx5-vc9f.json"
+            },
+            "ecosystem_specific": {
+              "affected_functions": [
+                ""
+              ]
+            }
+          }
+        ],
+        "severity": [
+          {
+            "type": "CVSS_V3",
+            "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N"
+          }
+        ],
+        "references": [
+          {
+            "type": "WEB",
+            "url": "https://github.com/urllib3/urllib3/security/advisories/GHSA-v845-jxx5-vc9f"
+          },
+          {
+            "type": "WEB",
+            "url": "https://github.com/urllib3/urllib3/commit/01220354d389cd05474713f8c982d05c9b17aafb"
+          },
+          {
+            "type": "WEB",
+            "url": "https://github.com/urllib3/urllib3/commit/644124ecd0b6e417c527191f866daa05a5a2056d"
+          },
+          {
+            "type": "PACKAGE",
+            "url": "https://github.com/urllib3/urllib3"
+          }
+        ],
+        "database_specific": {
+          "cwe_ids": [
+            "CWE-200"
+          ],
+          "github_reviewed": true,
+          "github_reviewed_at": "2023-10-02T23:27:05Z",
+          "nvd_published_at": null,
+          "severity": "MODERATE"
+        }
+      }
+    ],
+    "groups": [
+      {
+        "ids": [
+          "GHSA-v845-jxx5-vc9f"
+        ]
+      }
+    ]
+  }
+]