diff --git a/melange.advisories.yaml b/melange.advisories.yaml index ad38ca9324..6f3264baab 100644 --- a/melange.advisories.yaml +++ b/melange.advisories.yaml @@ -4,6 +4,70 @@ package: name: melange advisories: + - id: CGA-3c7v-p5g9-f5wx + aliases: + - GHSA-9763-4f94-gfch + events: + - timestamp: 2024-01-11T07:10:50Z + type: detection + data: + type: scan/v1 + data: + subpackageName: melange + componentID: 36e0a2100d2aed80 + componentName: github.com/cloudflare/circl + componentVersion: v1.3.6 + componentType: go-module + componentLocation: /usr/bin/melange + scanner: grype + - timestamp: 2024-01-23T16:02:30Z + type: fixed + data: + fixed-version: 0.5.6-r0 + + - id: CGA-4px9-54fx-rqrh + aliases: + - CVE-2024-28180 + - GHSA-c5q2-7r4c-mv6g + events: + - timestamp: 2024-03-08T07:20:36Z + type: detection + data: + type: scan/v1 + data: + subpackageName: melange + componentID: 45bf5b2089d13c7e + componentName: gopkg.in/go-jose/go-jose.v2 + componentVersion: v2.6.2 + componentType: go-module + componentLocation: /usr/bin/melange + scanner: grype + - timestamp: 2024-03-11T00:41:07Z + type: fixed + data: + fixed-version: 0.6.9-r2 + + - id: CGA-74rc-w39q-rr93 + aliases: + - CVE-2024-24786 + - GHSA-8r3f-844c-mc37 + events: + - timestamp: 2024-03-16T09:13:25Z + type: fixed + data: + fixed-version: 0.6.9-r3 + + - id: CGA-75hc-jghv-4xq5 + aliases: + - CVE-2023-45284 + - GHSA-rq3x-83w4-p28c + events: + - timestamp: 2023-11-07T19:33:02Z + type: false-positive-determination + data: + type: vulnerable-code-not-included-in-package + note: Only affects Windows + - id: CGA-7qwq-52rr-hmmr aliases: - CVE-2020-8559 
@@ -22,57 +86,63 @@ advisories: componentLocation: /usr/bin/melange scanner: grype - - id: CGA-q9f4-6p58-9fhh + - id: CGA-8v58-cxw6-mjqh aliases: - - CVE-2023-28840 - - GHSA-232p-vwff-86mp + - CVE-2024-24787 + - GHSA-5fq7-4mxc-535h events: - - timestamp: 2023-04-05T14:22:34Z + - timestamp: 2024-05-14T09:16:50Z type: fixed data: - fixed-version: 0.3.2-r1 + fixed-version: 0.6.11-r5 - - id: CGA-qpf3-44p9-q9cv + - id: CGA-c3f6-mvqp-x58g aliases: - - CVE-2023-28841 - - GHSA-33pg-m6jh-5237 + - CVE-2024-36127 + - GHSA-v6mg-7f7p-qmqp events: - - timestamp: 2023-04-05T14:22:34Z - type: fixed + - timestamp: 2024-06-05T08:09:10Z + type: detection data: - fixed-version: 0.3.2-r1 + type: scan/v1 + data: + subpackageName: melange + componentID: 28e69d70d8d2ebaa + componentName: chainguard.dev/apko + componentVersion: v0.14.3 + componentType: go-module + componentLocation: /usr/bin/melange + scanner: grype - - id: CGA-m53q-whq4-59ph + - id: CGA-cr5m-fvwp-787c aliases: - - CVE-2023-28842 - - GHSA-6wrf-mxfj-pf5p + - CVE-2023-46402 + - GHSA-3f2q-6294-fmq5 events: - - timestamp: 2023-04-05T14:22:34Z + - timestamp: 2023-12-03T14:31:42Z type: fixed data: - fixed-version: 0.3.2-r1 + fixed-version: 0.5.3-r1 - - id: CGA-wrj3-x9xp-36gp + - id: CGA-cwxj-fc4r-463r aliases: - - CVE-2023-45283 - - GHSA-vvjp-q62m-2vph + - CVE-2024-24788 + - GHSA-2jwv-jmq4-4j3r events: - - timestamp: 2023-11-07T19:33:00Z - type: false-positive-determination + - timestamp: 2024-05-14T09:16:52Z + type: fixed data: - type: vulnerable-code-not-included-in-package - note: Only affects Windows + fixed-version: 0.6.11-r5 - - id: CGA-75hc-jghv-4xq5 + - id: CGA-f4xq-ppv3-28pj aliases: - - CVE-2023-45284 - - GHSA-rq3x-83w4-p28c + - CVE-2023-46737 + - GHSA-vfp6-jrw2-99g9 events: - - timestamp: 2023-11-07T19:33:02Z - type: false-positive-determination + - timestamp: 2023-11-16T12:21:01Z + type: fixed data: - type: vulnerable-code-not-included-in-package - note: Only affects Windows + fixed-version: 0.5.3-r0 - id: 
CGA-gv78-5qhq-jqfv aliases: 
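Review bot: The entry `CGA-c3f6-mvqp-x58g` (CVE-2024-36127 / GHSA-v6mg-7f7p-qmqp) in this hunk is new data hidden inside what otherwise reads as a sort-by-id reordering: it is the only advisory id that does not also appear on the removed side of the hunks visible here. It carries a single `type: detection` event for `chainguard.dev/apko` `v0.14.3` and no `fixed` or `false-positive-determination` event, so the advisory stays open for melange until a resolution event is recorded. I would land the reordering and the new detection as separate commits, or at least name the new id in the commit message, so the open finding is not lost among the moved entries. The neighbouring entries `CGA-7qwq-52rr-hmmr` and `CGA-gv78-5qhq-jqfv` are only partly inside the hunk.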
@@ -96,87 +166,74 @@ advisories: data: fixed-version: 0.6.11-r3 - - id: CGA-cr5m-fvwp-787c + - id: CGA-m53q-whq4-59ph aliases: - - CVE-2023-46402 - - GHSA-3f2q-6294-fmq5 + - CVE-2023-28842 + - GHSA-6wrf-mxfj-pf5p events: - - timestamp: 2023-12-03T14:31:42Z + - timestamp: 2023-04-05T14:22:34Z type: fixed data: - fixed-version: 0.5.3-r1 + fixed-version: 0.3.2-r1 - - id: CGA-f4xq-ppv3-28pj + - id: CGA-m64h-c87c-95j5 aliases: - - CVE-2023-46737 - - GHSA-vfp6-jrw2-99g9 + - GHSA-7ww5-4wqc-m92c events: - - timestamp: 2023-11-16T12:21:01Z + - timestamp: 2023-12-21T10:58:30Z type: fixed data: - fixed-version: 0.5.3-r0 + fixed-version: 0.5.5-r0 - - id: CGA-w69m-j62x-gggr + - id: CGA-m8vc-xmrr-957v aliases: - - CVE-2023-48795 - - GHSA-45x7-px36-x8w8 + - CVE-2024-29902 + - GHSA-88jx-383q-w4qc events: - - timestamp: 2023-12-21T10:58:19Z + - timestamp: 2024-04-12T15:05:46Z type: fixed data: - fixed-version: 0.5.5-r0 + fixed-version: 0.6.11-r1 - - id: CGA-74rc-w39q-rr93 + - id: CGA-mh9r-cgx8-q32c aliases: - - CVE-2024-24786 - - GHSA-8r3f-844c-mc37 + - GHSA-jq35-85cj-fj4p events: - - timestamp: 2024-03-16T09:13:25Z - type: fixed + - timestamp: 2023-10-31T20:03:58Z + type: false-positive-determination data: - fixed-version: 0.6.9-r3 + type: vulnerable-code-not-included-in-package + note: This vulnerability is in the container runtime itself, not clients of the container runtime. 
- - id: CGA-8v58-cxw6-mjqh + - id: CGA-p8hw-fxhx-vvqj aliases: - - CVE-2024-24787 - - GHSA-5fq7-4mxc-535h + - CVE-2024-29903 + - GHSA-95pr-fxf5-86gv events: - - timestamp: 2024-05-14T09:16:50Z + - timestamp: 2024-04-12T15:05:48Z type: fixed data: - fixed-version: 0.6.11-r5 + fixed-version: 0.6.11-r1 - - id: CGA-cwxj-fc4r-463r + - id: CGA-q9f4-6p58-9fhh aliases: - - CVE-2024-24788 - - GHSA-2jwv-jmq4-4j3r + - CVE-2023-28840 + - GHSA-232p-vwff-86mp events: - - timestamp: 2024-05-14T09:16:52Z + - timestamp: 2023-04-05T14:22:34Z type: fixed data: - fixed-version: 0.6.11-r5 + fixed-version: 0.3.2-r1 - - id: CGA-4px9-54fx-rqrh + - id: CGA-qpf3-44p9-q9cv aliases: - - CVE-2024-28180 - - GHSA-c5q2-7r4c-mv6g + - CVE-2023-28841 + - GHSA-33pg-m6jh-5237 events: - - timestamp: 2024-03-08T07:20:36Z - type: detection - data: - type: scan/v1 - data: - subpackageName: melange - componentID: 45bf5b2089d13c7e - componentName: gopkg.in/go-jose/go-jose.v2 - componentVersion: v2.6.2 - componentType: go-module - componentLocation: /usr/bin/melange - scanner: grype - - timestamp: 2024-03-11T00:41:07Z + - timestamp: 2023-04-05T14:22:34Z type: fixed data: - fixed-version: 0.6.9-r2 + fixed-version: 0.3.2-r1 - id: CGA-v6wf-7rw3-7hh8 aliases: 
@@ -188,25 +245,26 @@ advisories: data: fixed-version: 0.6.9-r4 - - id: CGA-m8vc-xmrr-957v + - id: CGA-w69m-j62x-gggr aliases: - - CVE-2024-29902 - - GHSA-88jx-383q-w4qc + - CVE-2023-48795 + - GHSA-45x7-px36-x8w8 events: - - timestamp: 2024-04-12T15:05:46Z + - timestamp: 2023-12-21T10:58:19Z type: fixed data: - fixed-version: 0.6.11-r1 + fixed-version: 0.5.5-r0 - - id: CGA-p8hw-fxhx-vvqj + - id: CGA-wrj3-x9xp-36gp aliases: - - CVE-2024-29903 - - GHSA-95pr-fxf5-86gv + - CVE-2023-45283 + - GHSA-vvjp-q62m-2vph events: - - timestamp: 2024-04-12T15:05:48Z - type: fixed + - timestamp: 2023-11-07T19:33:00Z + type: false-positive-determination data: - fixed-version: 0.6.11-r1 + type: vulnerable-code-not-included-in-package + note: Only affects Windows - id: CGA-wwg2-q2wv-h5v7 aliases: @@ -229,43 +287,3 @@ advisories: type: fixed data: fixed-version: 0.6.11-r3 - - - id: CGA-m64h-c87c-95j5 - aliases: - - GHSA-7ww5-4wqc-m92c - events: - - timestamp: 2023-12-21T10:58:30Z - type: fixed - data: - fixed-version: 0.5.5-r0 - - - id: CGA-3c7v-p5g9-f5wx - aliases: - - GHSA-9763-4f94-gfch - events: - - timestamp: 2024-01-11T07:10:50Z - type: detection - data: - type: scan/v1 - data: - subpackageName: melange - componentID: 36e0a2100d2aed80 - componentName: github.com/cloudflare/circl - componentVersion: v1.3.6 - componentType: go-module - componentLocation: /usr/bin/melange - scanner: grype - - timestamp: 2024-01-23T16:02:30Z - type: fixed - data: - fixed-version: 0.5.6-r0 - - - id: CGA-mh9r-cgx8-q32c - aliases: - - GHSA-jq35-85cj-fj4p - events: - - timestamp: 2023-10-31T20:03:58Z - type: false-positive-determination - data: - type: vulnerable-code-not-included-in-package - note: This vulnerability is in the container runtime itself, not clients of the container runtime.