Add initial content
TristanCacqueray opened this issue · 5 comments
TristanCacqueray commented
The goal is to add some real advisories for known or past issues.
- Follow the documentation and propose new advisories.
- Update documentation if necessary.
frasertweedale commented
Search of NVD/mitre turned up the following CVEs:
- https://nvd.nist.gov/vuln/detail/CVE-2022-31053 biscuit-haskell improper sig validation (#47)
- https://nvd.nist.gov/vuln/detail/CVE-2013-1436 xmonad-contrib code injection (#54)
- https://nvd.nist.gov/vuln/detail/CVE-2021-30502 vscode-ghc-simple RCE (NOT A HASKELL LIB/PROGRAM)
- https://nvd.nist.gov/vuln/detail/CVE-2021-4249 xml-conduit entity expansion DoS (#92)
- https://nvd.nist.gov/vuln/detail/CVE-2013-0243 hs-tls improper certificate validation (#93)
- https://nvd.nist.gov/vuln/detail/CVE-2022-3433 aeson hash flooding (#35)
- 3 git-annex CVEs: https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=git-annex (#107)
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-46888 hledger XSS (#99)
Reviewing those and reflecting them into the advisory-db would be a good start.
frasertweedale commented
@david-christiansen has a known TOML lib issue (already fixed) that he will submit next week. (#56)
frasertweedale commented
Re https://nvd.nist.gov/vuln/detail/CVE-2021-30502 vscode-ghc-simple RCE - it is actually not a Haskell program.
- Its page on VS Marketplace: https://marketplace.visualstudio.com/items?itemName=dramforever.vscode-ghc-simple
- GitHub repo: https://github.com/dramforever/vscode-ghc-simple/tree/master
- It has a GHSA: GHSA-3qwv-3h88-g4p5
And it has been fixed in the latest version. I don't think there's anything further the SRT has to do for this issue.
mihaimaruseac commented
+1, I don't think we have to do anything more for this one.
frasertweedale commented
I think we're done here :) All the known historical advisories have been added to the DB.