forked from wolfi-dev/advisories
-
Notifications
You must be signed in to change notification settings - Fork 0
/
atuin.advisories.yaml
136 lines (129 loc) · 4.38 KB
/
atuin.advisories.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
schema-version: 2.0.2
package:
name: atuin
advisories:
- id: CGA-5jcw-3qj2-wggh
aliases:
- GHSA-4grx-2x9w-596c
events:
- timestamp: 2024-07-29T10:01:06Z
type: detection
data:
type: scan/v1
data:
subpackageName: atuin
componentID: 0da2a799decd57a4
componentName: rsa
componentVersion: 0.9.6
componentType: rust-crate
componentLocation: /usr/bin/atuin
scanner: grype
- timestamp: 2024-10-06T15:01:37Z
type: pending-upstream-fix
data:
note: |
This vulnerability is related to the 'rsa' dependency, of which atuin is already installing the most recent version (0.9.6).
There is no release of 'rsa' today with a fix for this vulnerability. The RSA GitHub project is working on pre-releases, so a fix may be expected soon.
Waiting for upstream (RSA) to cut a new release with a fix, and for atuin to consume.
- id: CGA-6v33-3rmm-7hcq
aliases:
- CVE-2024-47609
- GHSA-4jwc-w2hc-78qv
events:
- timestamp: 2024-10-02T07:17:35Z
type: detection
data:
type: scan/v1
data:
subpackageName: atuin
componentID: 0246c88136ff2b67
componentName: tonic
componentVersion: 0.11.0
componentType: rust-crate
componentLocation: /usr/bin/atuin
scanner: grype
- id: CGA-8g34-2jr4-xwr2
aliases:
- CVE-2023-49092
- GHSA-c38w-74pg-36hr
events:
- timestamp: 2024-07-29T10:01:06Z
type: detection
data:
type: scan/v1
data:
subpackageName: atuin
componentID: 0da2a799decd57a4
componentName: rsa
componentVersion: 0.9.6
componentType: rust-crate
componentLocation: /usr/bin/atuin
scanner: grype
- timestamp: 2024-10-06T15:02:12Z
type: pending-upstream-fix
data:
note: |
This vulnerability is related to the 'rsa' dependency, of which atuin is already installing the most recent version (0.9.6).
There is no release of 'rsa' today with a fix for this vulnerability. The RSA GitHub project repo is working on pre-releases, so a fix may be expected soon.
Waiting for upstream (RSA) to cut a new release with a fix, and for atuin to consume.
- id: CGA-pmwr-r5vj-67r4
aliases:
- GHSA-x4gp-pqpj-f43q
events:
- timestamp: 2024-07-29T10:01:07Z
type: detection
data:
type: scan/v1
data:
subpackageName: atuin
componentID: 420ee360735271e3
componentName: curve25519-dalek
componentVersion: 4.1.2
componentType: rust-crate
componentLocation: /usr/bin/atuin
scanner: grype
- timestamp: 2024-10-08T07:03:48Z
type: fixed
data:
fixed-version: 18.3.0-r2
- id: CGA-rcq6-qc98-r4jw
aliases:
- GHSA-xmrp-424f-vfpx
events:
- timestamp: 2024-08-20T07:33:30Z
type: detection
data:
type: scan/v1
data:
subpackageName: atuin
componentID: 2391c307274b94c8
componentName: sqlx
componentVersion: 0.7.4
componentType: rust-crate
componentLocation: /usr/bin/atuin
scanner: grype
- timestamp: 2024-10-06T15:59:01Z
type: pending-upstream-fix
data:
note: |
Remediating this vulnerability requires upgrading: sqlx to version 0.8.1 or higher.
However, attempting to upgrade this results in build errors, as other dependencies expect different versions of sqlx.
The main branch has upgraded to sqlx v0.8.1, however this has not made it into a release yet.
Pending fix from upstream in the next release.
- id: CGA-xr7j-xw6p-fpq8
aliases:
- CVE-2024-12224
- GHSA-h97m-ww89-6jmq
events:
- timestamp: 2024-12-10T08:18:37Z
type: detection
data:
type: scan/v1
data:
subpackageName: atuin
componentID: befd4dea57deee0f
componentName: idna
componentVersion: 0.5.0
componentType: rust-crate
componentLocation: /usr/bin/atuin
scanner: grype