This vulnerability report is generated for Ghaf target github:tiiuae/ghaf?ref=ghaf-23.12#packages.x86_64-linux.lenovo-x1-carbon-gen11-release revision https://github.com/tiiuae/ghaf/commit/f35b7dd15d73c9ae6ccb934d0e603c85904a4732. The tables on this page include known vulnerabilities impacting buildtime or runtime dependencies of the given target.
This report is automatically generated as specified on the Vulnerability Scan GitHub action workflow. It uses the tooling from sbomnix repository, such as vulnxscan, as well as the manual analysis results maintained in the manual_analysis.csv file.
See section Theory of Operation in the ghafscan README.md for details of how the data on this report is generated.
- Vulnerabilities Fixed in Ghaf nixpkgs Upstream
- Vulnerabilities Fixed in nix-unstable
- New Vulnerabilities Since Last Run
- All Vulnerabilities Impacting Ghaf
- Whitelisted Vulnerabilities
Following table lists vulnerabilities that have been fixed in the nixpkgs channel the Ghaf target is currently pinned to, but the fixes have not been included in Ghaf.
Update the target Ghaf flake.lock file to mitigate the following issues:
| vuln_id | package | severity | version_local | nix_unstable | upstream | comment |
|---|---|---|---|---|---|---|
| CVE-2023-47100 | perl | 9.8 | 5.38.0-env | 5.38.2 | 5.38.2 | [PR, PR] |
| CVE-2023-47100 | perl | 9.8 | 5.38.0 | 5.38.2 | 5.38.2 | [PR, PR] |
| CVE-2023-6816 | xorg-server | 9.8 | 21.1.9 | 21.1.13 | 21.1.13 | |
| CVE-2023-5841 | openexr | 9.1 | 3.2.1 | 3.2.4 | 3.2.4 | [PR] |
| CVE-2023-5841 | openexr | 9.1 | 2.5.8 | 3.2.4 | 3.2.4 | [PR] |
| CVE-2023-45235 | edk2 | 8.8 | 202311 | 202402 | 202402 | [PR, PR] |
| CVE-2023-45234 | edk2 | 8.8 | 202311 | 202402 | 202402 | [PR, PR] |
| CVE-2023-45230 | edk2 | 8.8 | 202311 | 202402 | 202402 | [PR, PR] |
| CVE-2023-43887 | libde265 | 8.1 | 1.0.12 | 1.0.15 | 1.0.15 | [PR, PR, PR, PR, PR] |
| CVE-2024-0985 | postgresql | 8 | 15.5 | 16.2 | 16.2 | [PR] |
| CVE-2024-31083 | xorg-server | 7.8 | 21.1.9 | 21.1.13 | 21.1.13 | [PR] |
| CVE-2024-21886 | xorg-server | 7.8 | 21.1.9 | 21.1.13 | 21.1.13 | |
| CVE-2024-21885 | xorg-server | 7.8 | 21.1.9 | 21.1.13 | 21.1.13 | |
| CVE-2024-0409 | xorg-server | 7.8 | 21.1.9 | 21.1.13 | 21.1.13 | |
| CVE-2024-0229 | xorg-server | 7.8 | 21.1.9 | 21.1.13 | 21.1.13 | |
| CVE-2022-36765 | edk2 | 7.8 | 202311 | 202402 | 202402 | [PR, PR] |
| CVE-2022-36764 | edk2 | 7.8 | 202311 | 202402 | 202402 | [PR, PR] |
| CVE-2022-36763 | edk2 | 7.8 | 202311 | 202402 | 202402 | [PR, PR] |
| CVE-2024-25062 | libxml2 | 7.5 | 2.11.5 | 2.12.6 | 2.12.6 | [PR, PR, PR] |
| CVE-2024-0567 | gnutls | 7.5 | 3.8.2 | 3.8.4 | 3.8.5 | [PR, PR, PR] |
| CVE-2024-0553 | gnutls | 7.5 | 3.8.2 | 3.8.4 | 3.8.5 | [PR, PR, PR] |
| CVE-2023-50387 | unbound | 7.5 | 1.18.0 | 1.19.3 | 1.19.3 | [PR, PR, PR, PR, PR] |
| CVE-2023-50387 | dnsmasq | 7.5 | 2.89 | 2.90 | 2.90 | [PR, PR, PR, PR, PR] |
| CVE-2023-50387 | bind | 7.5 | 9.18.19 | 9.18.26 | 9.18.26 | [PR, PR, PR, PR, PR] |
| CVE-2023-45237 | edk2 | 7.5 | 202311 | 202402 | 202402 | [PR, PR] |
| CVE-2023-45236 | edk2 | 7.5 | 202311 | 202402 | 202402 | [PR, PR] |
| CVE-2023-45233 | edk2 | 7.5 | 202311 | 202402 | 202402 | [PR, PR] |
| CVE-2023-45232 | edk2 | 7.5 | 202311 | 202402 | 202402 | [PR, PR] |
| CVE-2023-28450 | dnsmasq | 7.5 | 2.89 | 2.90 | 2.90 | [PR, PR] |
| CVE-2023-5679 | bind | 7.5 | 9.18.19 | 9.18.26 | 9.18.26 | [PR] |
| CVE-2023-5517 | bind | 7.5 | 9.18.19 | 9.18.26 | 9.18.26 | [PR] |
| CVE-2023-4408 | bind | 7.5 | 9.18.19 | 9.18.26 | 9.18.26 | [PR] |
| CVE-2024-31082 | xorg-server | 7.3 | 21.1.9 | 21.1.13 | 21.1.13 | |
| CVE-2024-31081 | xorg-server | 7.3 | 21.1.9 | 21.1.13 | 21.1.13 | |
| CVE-2024-31080 | xorg-server | 7.3 | 21.1.9 | 21.1.13 | 21.1.13 | |
| CVE-2024-24806 | libuv | 7.3 | 1.46.0 | 1.48.0 | 1.48.0 | [PR] |
| CVE-2023-48161 | giflib | 7.1 | 5.2.1 | 5.2.2 | 5.2.2 | [PR, PR] |
| CVE-2023-51385 | openssh | 6.5 | 9.5p1 | 9.7p1 | 9.7p1 | [PR, PR, PR, PR] |
| CVE-2023-47471 | libde265 | 6.5 | 1.0.12 | 1.0.15 | 1.0.15 | [PR, PR, PR] |
| CVE-2023-45322 | libxml2 | 6.5 | 2.11.5 | 2.12.6 | 2.12.6 | [PR, PR] |
| CVE-2023-45231 | edk2 | 6.5 | 202311 | 202402 | 202402 | [PR, PR] |
| CVE-2023-45229 | edk2 | 6.5 | 202311 | 202402 | 202402 | [PR, PR] |
| CVE-2023-6129 | openssl | 6.5 | 3.0.12 | 3.2.0 | 3.2.0 | [PR, PR] |
| CVE-2024-1580 | dav1d | 5.9 | 1.2.1 | 1.4.1 | 1.4.1 | [PR, PR, PR, PR] |
| CVE-2023-48795 | openssh | 5.9 | 9.5p1 | 9.7p1 | 9.7p1 | [PR, PR, PR, PR, PR] |
| CVE-2023-48795 | libssh2 | 5.9 | 1.11.0 | 1.11.0 | 1.11.0 | [PR, PR, PR, PR, PR] |
| CVE-2023-48795 | libssh | 5.9 | 0.10.5 | 0.10.6 | 0.10.6 | [PR, PR, PR, PR, PR] |
| CVE-2024-0727 | openssl | 5.5 | 3.0.12 | 3.2.0 | 3.2.0 | [PR, PR] |
| CVE-2024-0684 | coreutils | 5.5 | 9.3 | 9.5 | 9.5 | [PR, PR] |
| CVE-2024-0408 | xorg-server | 5.5 | 21.1.9 | 21.1.13 | 21.1.13 | |
| CVE-2023-51384 | openssh | 5.5 | 9.5p1 | 9.7p1 | 9.7p1 | [PR, PR, PR, PR] |
| CVE-2023-50268 | jq | 5.5 | 1.7 | 1.7.1 | 1.7.1 | |
| CVE-2023-50246 | jq | 5.5 | 1.7 | 1.7.1 | 1.7.1 | |
| CVE-2023-46246 | vim | 5.5 | 9.0.2048 | 9.1.0200 | 9.1.0393 | [PR, PR] |
| CVE-2023-39742 | giflib | 5.5 | 5.2.1 | 5.2.2 | 5.2.2 | [PR, PR] |
| CVE-2023-38473 | avahi | 5.5 | 0.8 | 0.8 | 0.8 | [PR, PR, PR] |
| CVE-2023-38472 | avahi | 5.5 | 0.8 | 0.8 | 0.8 | [PR, PR, PR] |
| CVE-2023-38471 | avahi | 5.5 | 0.8 | 0.8 | 0.8 | [PR, PR, PR] |
| CVE-2023-38470 | avahi | 5.5 | 0.8 | 0.8 | 0.8 | [PR, PR, PR] |
| CVE-2023-38469 | avahi | 5.5 | 0.8 | 0.8 | 0.8 | [PR, PR, PR] |
| CVE-2024-28834 | gnutls | 5.3 | 3.8.2 | 3.8.4 | 3.8.5 | [PR] |
| CVE-2023-6918 | libssh | 5.3 | 0.10.5 | 0.10.6 | 0.10.6 | [PR, PR, PR] |
| CVE-2023-5680 | bind | 5.3 | 9.18.19 | 9.18.26 | 9.18.26 | |
| CVE-2023-5678 | openssl | 5.3 | 3.0.12 | 3.2.0 | 3.2.0 | [PR, PR] |
| CVE-2024-28835 | gnutls | 5 | 3.8.2 | 3.8.4 | 3.8.5 | [PR] |
| CVE-2023-6004 | libssh | 4.8 | 0.10.5 | 0.10.6 | 0.10.6 | [PR, PR, PR] |
| CVE-2024-25629 | c-ares | 4.4 | 1.19.1 | 1.27.0 | 1.28.1 | [PR, PR] |
| CVE-2023-48237 | vim | 4.3 | 9.0.2048 | 9.1.0200 | 9.1.0393 | [PR, PR] |
| CVE-2023-48236 | vim | 4.3 | 9.0.2048 | 9.1.0200 | 9.1.0393 | [PR, PR] |
| CVE-2023-48235 | vim | 4.3 | 9.0.2048 | 9.1.0200 | 9.1.0393 | [PR, PR] |
| CVE-2023-48234 | vim | 4.3 | 9.0.2048 | 9.1.0200 | 9.1.0393 | [PR, PR] |
| CVE-2023-48233 | vim | 4.3 | 9.0.2048 | 9.1.0200 | 9.1.0393 | [PR, PR] |
| CVE-2023-48232 | vim | 4.3 | 9.0.2048 | 9.1.0200 | 9.1.0393 | [PR, PR] |
| CVE-2023-48231 | vim | 4.3 | 9.0.2048 | 9.1.0200 | 9.1.0393 | [PR, PR] |
Following table lists vulnerabilities that have been fixed in nixpkgs nix-unstable channel, but the fixes have not been backported to the channel the Ghaf target is currently pinned to.
Following issues potentially require backporting the fix from nixpkgs-unstable to the correct nixpkgs release branch.
Consider whitelisting possible false positives based on manual analysis, or - if determined valid - help nixpkgs community backport the fix to the correct nixpkgs branch:
| vuln_id | package | severity | version_local | nix_unstable | upstream | comment |
|---|---|---|---|---|---|---|
| CVE-2024-22862 | ffmpeg | 9.8 | 6.0 | 7.0 | 7.0 | [PR] |
| CVE-2024-22862 | ffmpeg | 9.8 | 4.4.4 | |||
| CVE-2024-22860 | ffmpeg | 9.8 | 6.0 | 7.0 | 7.0 | [PR] |
| CVE-2024-22860 | ffmpeg | 9.8 | 4.4.4 | |||
| CVE-2023-45853 | zlib | 9.8 | 1.3 | 1.3.1 | 1.3.1 | [PR, PR, PR] |
| CVE-2023-41913 | strongswan | 9.8 | 5.9.11 | 5.9.14 | 5.9.14 | [PR] |
| CVE-2021-28794 | ShellCheck | 9.8 | 0.9.0-r1.cabal | 0.10.0 | 0.10.0 | |
| CVE-2021-28794 | ShellCheck | 9.8 | 0.9.0 | 0.10.0 | 0.10.0 | |
| CVE-2017-5511 | imagemagick | 9.8 | 7.1.1-29 | 7.1.1-30 | 7.1.1.32 | |
| CVE-2016-10145 | imagemagick | 9.8 | 7.1.1-29 | 7.1.1-30 | 7.1.1.32 | |
| CVE-2016-10144 | imagemagick | 9.8 | 7.1.1-29 | 7.1.1-30 | 7.1.1.32 | |
| CVE-2016-5118 | imagemagick | 9.8 | 7.1.1-29 | 7.1.1-30 | 7.1.1.32 | [PR] |
| CVE-2014-9852 | imagemagick | 9.8 | 7.1.1-29 | 7.1.1-30 | 7.1.1.32 | |
| CVE-2014-9826 | imagemagick | 9.8 | 7.1.1-29 | 7.1.1-30 | 7.1.1.32 | |
| CVE-2023-5841 | openexr | 9.1 | 2.5.8 | 3.2.4 | 3.2.4 | [PR] |
| CVE-2014-9831 | imagemagick | 8.8 | 7.1.1-29 | 7.1.1-30 | 7.1.1.32 | |
| CVE-2014-9830 | imagemagick | 8.8 | 7.1.1-29 | 7.1.1-30 | 7.1.1.32 | |
| CVE-2014-9828 | imagemagick | 8.8 | 7.1.1-29 | 7.1.1-30 | 7.1.1.32 | |
| CVE-2014-9827 | imagemagick | 8.8 | 7.1.1-29 | 7.1.1-30 | 7.1.1.32 | |
| CVE-2024-22667 | vim | 7.8 | 9.0.2116 | 9.1.0200 | 9.1.0393 | [PR, PR] |
| CVE-2023-47470 | ffmpeg | 7.8 | 6.0 | 7.0 | 7.0 | [PR] |
| CVE-2023-47470 | ffmpeg | 7.8 | 4.4.4 | |||
| CVE-2023-46045 | graphviz | 7.8 | 9.0.0 | 10.0.1 | 11.0.0 | [PR] |
| CVE-2023-6246 | glibc | 7.8 | 2.38-44-source-u | [PR, PR, PR, PR] | ||
| CVE-2023-6246 | glibc | 7.8 | 2.38-44 | [PR, PR, PR, PR] | ||
| CVE-2023-4911 | glibc | 7.8 | 2.38-44-source-u | [PR, PR, PR] | ||
| CVE-2023-4911 | glibc | 7.8 | 2.38-44 | [PR, PR, PR] | ||
| CVE-2017-5510 | imagemagick | 7.8 | 7.1.1-29 | 7.1.1-30 | 7.1.1.32 | |
| CVE-2017-5509 | imagemagick | 7.8 | 7.1.1-29 | 7.1.1-30 | 7.1.1.32 | |
| CVE-2017-5506 | imagemagick | 7.8 | 7.1.1-29 | 7.1.1-30 | 7.1.1.32 | |
| CVE-2014-9825 | imagemagick | 7.8 | 7.1.1-29 | 7.1.1-30 | 7.1.1.32 | |
| CVE-2014-9824 | imagemagick | 7.8 | 7.1.1-29 | 7.1.1-30 | 7.1.1.32 | |
| CVE-2014-9823 | imagemagick | 7.8 | 7.1.1-29 | 7.1.1-30 | 7.1.1.32 | |
| CVE-2014-9822 | imagemagick | 7.8 | 7.1.1-29 | 7.1.1-30 | 7.1.1.32 | |
| CVE-2014-9821 | imagemagick | 7.8 | 7.1.1-29 | 7.1.1-30 | 7.1.1.32 | |
| CVE-2014-9820 | imagemagick | 7.8 | 7.1.1-29 | 7.1.1-30 | 7.1.1.32 | |
| CVE-2014-9819 | imagemagick | 7.8 | 7.1.1-29 | 7.1.1-30 | 7.1.1.32 | |
| CVE-2014-9817 | imagemagick | 7.8 | 7.1.1-29 | 7.1.1-30 | 7.1.1.32 | |
| CVE-2024-22861 | ffmpeg | 7.5 | 6.0 | 7.0 | 7.0 | [PR] |
| CVE-2024-22861 | ffmpeg | 7.5 | 4.4.4 | |||
| CVE-2023-6779 | glibc | 7.5 | 2.38-44-source-u | [PR, PR] | ||
| CVE-2023-6779 | glibc | 7.5 | 2.38-44 | [PR, PR] | ||
| CVE-2023-5156 | glibc | 7.5 | 2.38-44-source-u | |||
| CVE-2023-5156 | glibc | 7.5 | 2.38-44 | |||
| CVE-2016-10146 | imagemagick | 7.5 | 7.1.1-29 | 7.1.1-30 | 7.1.1.32 | |
| CVE-2014-9854 | imagemagick | 7.5 | 7.1.1-29 | 7.1.1-30 | 7.1.1.32 | |
| CVE-2014-9848 | imagemagick | 7.5 | 7.1.1-29 | 7.1.1-30 | 7.1.1.32 | |
| CVE-2014-9804 | imagemagick | 7.5 | 7.1.1-29 | 7.1.1-30 | 7.1.1.32 | |
| CVE-2023-5088 | qemu | 7.0 | 8.1.5 | 8.2.3 | 9.0.0 | [PR] |
| CVE-2023-46218 | curl | 6.5 | 8.4.0 | 8.7.1 | 8.7.1_7 | [PR] |
| CVE-2023-38858 | faad2 | 6.5 | 2.10.1 | 2.11.1 | 2.11.1 | [PR] |
| CVE-2023-4527 | glibc | 6.5 | 2.38-44-source-u | [PR] | ||
| CVE-2023-4527 | glibc | 6.5 | 2.38-44 | [PR] | ||
| CVE-2023-3019 | qemu | 6.5 | 8.1.5 | 8.2.3 | 9.0.0 | Revisit when fixed upstream: link. [PR] |
| CVE-2020-22628 | libraw | 6.5 | 0.21.1 | 0.21.2 | 0.21.2 | |
| CVE-2016-7538 | imagemagick | 6.5 | 7.1.1-29 | 7.1.1-30 | 7.1.1.32 | |
| CVE-2016-7537 | imagemagick | 6.5 | 7.1.1-29 | 7.1.1-30 | 7.1.1.32 | |
| CVE-2016-7536 | imagemagick | 6.5 | 7.1.1-29 | 7.1.1-30 | 7.1.1.32 | |
| CVE-2016-7535 | imagemagick | 6.5 | 7.1.1-29 | 7.1.1-30 | 7.1.1.32 | |
| CVE-2016-7534 | imagemagick | 6.5 | 7.1.1-29 | 7.1.1-30 | 7.1.1.32 | |
| CVE-2016-7533 | imagemagick | 6.5 | 7.1.1-29 | 7.1.1-30 | 7.1.1.32 | |
| CVE-2016-7532 | imagemagick | 6.5 | 7.1.1-29 | 7.1.1-30 | 7.1.1.32 | |
| CVE-2016-7531 | imagemagick | 6.5 | 7.1.1-29 | 7.1.1-30 | 7.1.1.32 | |
| CVE-2016-7530 | imagemagick | 6.5 | 7.1.1-29 | 7.1.1-30 | 7.1.1.32 | |
| CVE-2016-7529 | imagemagick | 6.5 | 7.1.1-29 | 7.1.1-30 | 7.1.1.32 | |
| CVE-2016-7528 | imagemagick | 6.5 | 7.1.1-29 | 7.1.1-30 | 7.1.1.32 | |
| CVE-2016-7527 | imagemagick | 6.5 | 7.1.1-29 | 7.1.1-30 | 7.1.1.32 | |
| CVE-2016-7526 | imagemagick | 6.5 | 7.1.1-29 | 7.1.1-30 | 7.1.1.32 | |
| CVE-2016-7525 | imagemagick | 6.5 | 7.1.1-29 | 7.1.1-30 | 7.1.1.32 | |
| CVE-2016-7524 | imagemagick | 6.5 | 7.1.1-29 | 7.1.1-30 | 7.1.1.32 | |
| CVE-2016-7523 | imagemagick | 6.5 | 7.1.1-29 | 7.1.1-30 | 7.1.1.32 | |
| CVE-2016-7522 | imagemagick | 6.5 | 7.1.1-29 | 7.1.1-30 | 7.1.1.32 | |
| CVE-2016-7521 | imagemagick | 6.5 | 7.1.1-29 | 7.1.1-30 | 7.1.1.32 | |
| CVE-2016-7520 | imagemagick | 6.5 | 7.1.1-29 | 7.1.1-30 | 7.1.1.32 | |
| CVE-2016-7519 | imagemagick | 6.5 | 7.1.1-29 | 7.1.1-30 | 7.1.1.32 | |
| CVE-2016-7518 | imagemagick | 6.5 | 7.1.1-29 | 7.1.1-30 | 7.1.1.32 | |
| CVE-2016-7517 | imagemagick | 6.5 | 7.1.1-29 | 7.1.1-30 | 7.1.1.32 | |
| CVE-2016-7516 | imagemagick | 6.5 | 7.1.1-29 | 7.1.1-30 | 7.1.1.32 | |
| CVE-2016-7515 | imagemagick | 6.5 | 7.1.1-29 | 7.1.1-30 | 7.1.1.32 | |
| CVE-2016-7514 | imagemagick | 6.5 | 7.1.1-29 | 7.1.1-30 | 7.1.1.32 | |
| CVE-2016-7513 | imagemagick | 6.5 | 7.1.1-29 | 7.1.1-30 | 7.1.1.32 | |
| CVE-2014-9907 | imagemagick | 6.5 | 7.1.1-29 | 7.1.1-30 | 7.1.1.32 | |
| CVE-2014-9829 | imagemagick | 6.5 | 7.1.1-29 | 7.1.1-30 | 7.1.1.32 | |
| CVE-2024-22365 | linux-pam | 5.5 | 1.5.2 | [PR] | ||
| CVE-2023-46407 | ffmpeg | 5.5 | 6.0 | 7.0 | 7.0 | [PR] |
| CVE-2023-46407 | ffmpeg | 5.5 | 4.4.4 | |||
| CVE-2023-38857 | faad2 | 5.5 | 2.10.1 | 2.11.1 | 2.11.1 | [PR] |
| CVE-2023-25588 | binutils | 5.5 | 2.40 | 2.41 | 2.42 | [PR, PR] |
| CVE-2023-25586 | binutils | 5.5 | 2.40 | 2.41 | 2.42 | [PR, PR] |
| CVE-2023-25585 | binutils | 5.5 | 2.40 | 2.41 | 2.42 | [PR, PR] |
| CVE-2023-5341 | imagemagick | 5.5 | 7.1.1-29 | 7.1.1-30 | 7.1.1.32 | |
| CVE-2016-10062 | imagemagick | 5.5 | 7.1.1-29 | 7.1.1-30 | 7.1.1.32 | |
| CVE-2014-9853 | imagemagick | 5.5 | 7.1.1-29 | 7.1.1-30 | 7.1.1.32 | |
| CVE-2014-9818 | imagemagick | 5.5 | 7.1.1-29 | 7.1.1-30 | 7.1.1.32 | |
| CVE-2014-9816 | imagemagick | 5.5 | 7.1.1-29 | 7.1.1-30 | 7.1.1.32 | |
| CVE-2014-9815 | imagemagick | 5.5 | 7.1.1-29 | 7.1.1-30 | 7.1.1.32 | |
| CVE-2014-9814 | imagemagick | 5.5 | 7.1.1-29 | 7.1.1-30 | 7.1.1.32 | |
| CVE-2014-9813 | imagemagick | 5.5 | 7.1.1-29 | 7.1.1-30 | 7.1.1.32 | |
| CVE-2014-9812 | imagemagick | 5.5 | 7.1.1-29 | 7.1.1-30 | 7.1.1.32 | |
| CVE-2014-9811 | imagemagick | 5.5 | 7.1.1-29 | 7.1.1-30 | 7.1.1.32 | |
| CVE-2014-9810 | imagemagick | 5.5 | 7.1.1-29 | 7.1.1-30 | 7.1.1.32 | |
| CVE-2014-9809 | imagemagick | 5.5 | 7.1.1-29 | 7.1.1-30 | 7.1.1.32 | |
| CVE-2014-9808 | imagemagick | 5.5 | 7.1.1-29 | 7.1.1-30 | 7.1.1.32 | |
| CVE-2014-9807 | imagemagick | 5.5 | 7.1.1-29 | 7.1.1-30 | 7.1.1.32 | |
| CVE-2014-9806 | imagemagick | 5.5 | 7.1.1-29 | 7.1.1-30 | 7.1.1.32 | |
| CVE-2014-9805 | imagemagick | 5.5 | 7.1.1-29 | 7.1.1-30 | 7.1.1.32 | |
| CVE-2024-28182 | nghttp2 | 5.3 | 1.57.0 | 1.61.0 | 1.61.0 | [PR, PR] |
| CVE-2023-46219 | curl | 5.3 | 8.4.0 | 8.7.1 | 8.7.1_7 | [PR] |
| CVE-2023-6780 | glibc | 5.3 | 2.38-44-source-u | [PR, PR] | ||
| CVE-2023-6780 | glibc | 5.3 | 2.38-44 | [PR, PR] | ||
| CVE-2023-6693 | qemu | 5.3 | 8.1.5 | 8.2.3 | 9.0.0 | [PR, PR, PR] |
| CVE-2023-48706 | vim | 4.7 | 9.0.2116 | 9.1.0200 | 9.1.0393 | [PR, PR] |
| GHSA-w596-4wvx-j9j6 | py | 1.11.0 | 1.11.0 | 1.11.0 | ||
| CVE-2024-24474 | qemu | 8.1.5 | 8.2.3 | 9.0.0 | ||
| CVE-2023-7235 | openvpn | 2.5.8 | 2.6.10 | 2.6.10 | ||
| OSV-2023-1295 | libraw | 0.21.1 | 0.21.2 | 0.21.2 | ||
| OSV-2023-184 | libraw | 0.21.1 | 0.21.2 | 0.21.2 | ||
| OSV-2023-90 | libraw | 0.21.1 | 0.21.2 | 0.21.2 | ||
| OSV-2022-819 | libraw | 0.21.1 | 0.21.2 | 0.21.2 | ||
| OSV-2020-1610 | openexr | 2.5.8 | 3.2.4 | 3.2.4 | ||
| OSV-2020-521 | aspell | 0.60.8 | 0.60.8.1 | 0.60.8.1 | ||
| OSV-2020-438 | capstone | 4.0.2 | 5.0.1 | 5.0.1 | ||
| CVE-2007-1667 | imagemagick | 7.1.1-29 | 7.1.1-30 | 7.1.1.32 |
Following table lists vulnerabilities currently impacting the Ghaf target that have emerged since the last time this vulnerability report was generated.
Consider whitelisting possible false positives based on manual analysis, or - if determined valid - help nixpkgs community fix the following issues in nixpkgs:
No vulnerabilities
Following table lists all vulnerabilities currently impacting the Ghaf target.
Consider whitelisting possible false positives based on manual analysis, or - if determined valid - help nixpkgs community fix the following issues in nixpkgs:
| vuln_id | package | severity | version_local | nix_unstable | upstream | comment |
|---|---|---|---|---|---|---|
| CVE-2024-22862 | ffmpeg | 9.8 | 6.0 | 7.0 | 7.0 | [PR] |
| CVE-2024-22862 | ffmpeg | 9.8 | 4.4.4 | |||
| CVE-2024-22860 | ffmpeg | 9.8 | 6.0 | 7.0 | 7.0 | [PR] |
| CVE-2024-22860 | ffmpeg | 9.8 | 4.4.4 | |||
| CVE-2023-47100 | perl | 9.8 | 5.38.0-env | 5.38.2 | 5.38.2 | [PR, PR] |
| CVE-2023-47100 | perl | 9.8 | 5.38.0 | 5.38.2 | 5.38.2 | [PR, PR] |
| CVE-2023-45853 | zlib | 9.8 | 1.3 | 1.3.1 | 1.3.1 | [PR, PR, PR] |
| CVE-2023-41913 | strongswan | 9.8 | 5.9.11 | 5.9.14 | 5.9.14 | [PR] |
| CVE-2023-6816 | xorg-server | 9.8 | 21.1.9 | 21.1.13 | 21.1.13 | |
| CVE-2021-28794 | ShellCheck | 9.8 | 0.9.0-r1.cabal | 0.10.0 | 0.10.0 | |
| CVE-2021-28794 | ShellCheck | 9.8 | 0.9.0 | 0.10.0 | 0.10.0 | |
| CVE-2023-5841 | openexr | 9.1 | 3.2.1 | 3.2.4 | 3.2.4 | [PR] |
| CVE-2023-5841 | openexr | 9.1 | 2.5.8 | 3.2.4 | 3.2.4 | [PR] |
| CVE-2023-45235 | edk2 | 8.8 | 202311 | 202402 | 202402 | [PR, PR] |
| CVE-2023-45234 | edk2 | 8.8 | 202311 | 202402 | 202402 | [PR, PR] |
| CVE-2023-45230 | edk2 | 8.8 | 202311 | 202402 | 202402 | [PR, PR] |
| CVE-2023-2680 | qemu | 8.2 | 8.1.3 | 8.2.3 | 9.0.0 | |
| CVE-2023-43887 | libde265 | 8.1 | 1.0.12 | 1.0.15 | 1.0.15 | [PR, PR, PR, PR, PR] |
| CVE-2022-38023 | samba | 8.1 | 4.19.2 | 4.20.0 | 4.20.0 | |
| CVE-2022-37966 | samba | 8.1 | 4.19.2 | 4.20.0 | 4.20.0 | |
| CVE-2024-0985 | postgresql | 8.0 | 15.5 | 16.2 | 16.2 | [PR] |
| CVE-2024-31083 | xorg-server | 7.8 | 21.1.9 | 21.1.13 | 21.1.13 | [PR] |
| CVE-2024-22667 | vim | 7.8 | 9.0.2048 | 9.1.0200 | 9.1.0393 | [PR, PR] |
| CVE-2024-21886 | xorg-server | 7.8 | 21.1.9 | 21.1.13 | 21.1.13 | |
| CVE-2024-21885 | xorg-server | 7.8 | 21.1.9 | 21.1.13 | 21.1.13 | |
| CVE-2024-0409 | xorg-server | 7.8 | 21.1.9 | 21.1.13 | 21.1.13 | |
| CVE-2024-0229 | xorg-server | 7.8 | 21.1.9 | 21.1.13 | 21.1.13 | |
| CVE-2023-47470 | ffmpeg | 7.8 | 6.0 | 7.0 | 7.0 | [PR] |
| CVE-2023-47470 | ffmpeg | 7.8 | 4.4.4 | |||
| CVE-2023-46045 | graphviz | 7.8 | 9.0.0 | 10.0.1 | 11.0.0 | [PR] |
| CVE-2023-6246 | glibc | 7.8 | 2.38-27-source-u | [PR, PR, PR, PR] | ||
| CVE-2023-6246 | glibc | 7.8 | 2.38-27 | [PR, PR, PR, PR] | ||
| CVE-2023-4911 | glibc | 7.8 | 2.38-27-source-u | [PR, PR, PR] | ||
| CVE-2023-4911 | glibc | 7.8 | 2.38-27 | [PR, PR, PR] | ||
| CVE-2023-1386 | qemu | 7.8 | 8.1.3 | 8.2.3 | 9.0.0 | Revisit when fixed upstream: link. |
| CVE-2022-36765 | edk2 | 7.8 | 202311 | 202402 | 202402 | [PR, PR] |
| CVE-2022-36764 | edk2 | 7.8 | 202311 | 202402 | 202402 | [PR, PR] |
| CVE-2022-36763 | edk2 | 7.8 | 202311 | 202402 | 202402 | [PR, PR] |
| CVE-2021-43138 | async | 7.8 | 2.2.4-r4.cabal | 2.2.5 | 2.2.5 | |
| CVE-2021-43138 | async | 7.8 | 2.2.4 | 2.2.5 | 2.2.5 | |
| CVE-2021-4034 | polkit | 7.8 | 1.pam | 123 | 124 | [PR, PR, PR, PR, PR] |
| CVE-2024-25062 | libxml2 | 7.5 | 2.11.5 | 2.12.6 | 2.12.6 | [PR, PR, PR] |
| CVE-2024-22861 | ffmpeg | 7.5 | 6.0 | 7.0 | 7.0 | [PR] |
| CVE-2024-22861 | ffmpeg | 7.5 | 4.4.4 | |||
| CVE-2024-0567 | gnutls | 7.5 | 3.8.2 | 3.8.4 | 3.8.5 | [PR, PR, PR] |
| CVE-2024-0553 | gnutls | 7.5 | 3.8.2 | 3.8.4 | 3.8.5 | [PR, PR, PR] |
| CVE-2023-52356 | libtiff | 7.5 | 4.6.0 | 4.6.0 | 4.6.0 | |
| CVE-2023-52355 | libtiff | 7.5 | 4.6.0 | 4.6.0 | 4.6.0 | |
| CVE-2023-50387 | unbound | 7.5 | 1.18.0 | 1.19.3 | 1.19.3 | [PR, PR, PR, PR, PR] |
| CVE-2023-50387 | dnsmasq | 7.5 | 2.89 | 2.90 | 2.90 | [PR, PR, PR, PR, PR] |
| CVE-2023-50387 | bind | 7.5 | 9.18.19 | 9.18.26 | 9.18.26 | [PR, PR, PR, PR, PR] |
| CVE-2023-45237 | edk2 | 7.5 | 202311 | 202402 | 202402 | [PR, PR] |
| CVE-2023-45236 | edk2 | 7.5 | 202311 | 202402 | 202402 | [PR, PR] |
| CVE-2023-45233 | edk2 | 7.5 | 202311 | 202402 | 202402 | [PR, PR] |
| CVE-2023-45232 | edk2 | 7.5 | 202311 | 202402 | 202402 | [PR, PR] |
| CVE-2023-28450 | dnsmasq | 7.5 | 2.89 | 2.90 | 2.90 | [PR, PR] |
| CVE-2023-6779 | glibc | 7.5 | 2.38-27-source-u | [PR, PR] | ||
| CVE-2023-6779 | glibc | 7.5 | 2.38-27 | [PR, PR] | ||
| CVE-2023-5679 | bind | 7.5 | 9.18.19 | 9.18.26 | 9.18.26 | [PR] |
| CVE-2023-5517 | bind | 7.5 | 9.18.19 | 9.18.26 | 9.18.26 | [PR] |
| CVE-2023-5156 | glibc | 7.5 | 2.38-27-source-u | |||
| CVE-2023-5156 | glibc | 7.5 | 2.38-27 | |||
| CVE-2023-4408 | bind | 7.5 | 9.18.19 | 9.18.26 | 9.18.26 | [PR] |
| CVE-2022-43357 | sassc | 7.5 | 3.6.2 | 3.6.2 | 3.6.2 | [PR, PR, PR] |
| CVE-2022-32743 | samba | 7.5 | 4.19.2 | 4.20.0 | 4.20.0 | |
| CVE-2020-27569 | openvpn | 7.5 | 2.5.8 | 2.6.10 | 2.6.10 | |
| CVE-2018-13162 | alex | 7.5 | 3.3.0.0 | 3.4.0.1 | 3.5.1.0 | |
| CVE-2024-31082 | xorg-server | 7.3 | 21.1.9 | 21.1.13 | 21.1.13 | |
| CVE-2024-31081 | xorg-server | 7.3 | 21.1.9 | 21.1.13 | 21.1.13 | |
| CVE-2024-31080 | xorg-server | 7.3 | 21.1.9 | 21.1.13 | 21.1.13 | |
| CVE-2024-24806 | libuv | 7.3 | 1.46.0 | 1.48.0 | 1.48.0 | [PR] |
| CVE-2022-37967 | samba | 7.2 | 4.19.2 | 4.20.0 | 4.20.0 | |
| CVE-2023-48161 | giflib | 7.1 | 5.2.1 | 5.2.2 | 5.2.2 | [PR, PR] |
| CVE-2023-5088 | qemu | 7.0 | 8.1.3 | 8.2.3 | 9.0.0 | [PR] |
| CVE-2023-51385 | openssh | 6.5 | 9.5p1 | 9.7p1 | 9.7p1 | [PR, PR, PR, PR] |
| CVE-2023-47471 | libde265 | 6.5 | 1.0.12 | 1.0.15 | 1.0.15 | [PR, PR, PR] |
| CVE-2023-46361 | jbig2dec | 6.5 | 0.20 | 0.20 | 0.20 | |
| CVE-2023-46218 | curl | 6.5 | 8.4.0 | 8.7.1 | 8.7.1_7 | [PR] |
| CVE-2023-45322 | libxml2 | 6.5 | 2.11.5 | 2.12.6 | 2.12.6 | [PR, PR] |
| CVE-2023-45231 | edk2 | 6.5 | 202311 | 202402 | 202402 | [PR, PR] |
| CVE-2023-45229 | edk2 | 6.5 | 202311 | 202402 | 202402 | [PR, PR] |
| CVE-2023-38858 | faad2 | 6.5 | 2.10.1 | 2.11.1 | 2.11.1 | [PR] |
| CVE-2023-37769 | pixman | 6.5 | 0.42.2 | 0.43.4 | 0.43.4 | See: link: "This somehow got assigned CVE-2023-37769, not sure why NVD keeps assigning CVEs like this. This is just a test executable". |
| CVE-2023-6683 | qemu | 6.5 | 8.1.3 | 8.2.3 | 9.0.0 | [PR] |
| CVE-2023-6277 | libtiff | 6.5 | 4.6.0 | 4.6.0 | 4.6.0 | |
| CVE-2023-6129 | openssl | 6.5 | 3.0.12 | 3.2.0 | 3.2.0 | [PR, PR] |
| CVE-2023-4527 | glibc | 6.5 | 2.38-27-source-u | [PR] | ||
| CVE-2023-4527 | glibc | 6.5 | 2.38-27 | [PR] | ||
| CVE-2023-3019 | qemu | 6.5 | 8.1.3 | 8.2.3 | 9.0.0 | Revisit when fixed upstream: link. [PR] |
| CVE-2022-42012 | dbus | 6.5 | 1 | 1.14.10 | 1.14.10 | [PR, PR] |
| CVE-2022-42011 | dbus | 6.5 | 1 | 1.14.10 | 1.14.10 | [PR, PR] |
| CVE-2022-42010 | dbus | 6.5 | 1 | 1.14.10 | 1.14.10 | [PR, PR] |
| CVE-2021-46312 | djvulibre | 6.5 | 3.5.28 | 3.5.28 | 3.5.28 | |
| CVE-2021-46310 | djvulibre | 6.5 | 3.5.28 | 3.5.28 | 3.5.28 | |
| CVE-2021-3670 | samba | 6.5 | 4.19.2 | 4.20.0 | 4.20.0 | |
| CVE-2019-20503 | usrsctp | 6.5 | 0.9.5.0 | 0.9.5.0 | 0.9.5.0 | [PR, PR] |
| CVE-2024-1580 | dav1d | 5.9 | 1.2.1 | 1.4.1 | 1.4.1 | [PR, PR, PR, PR] |
| CVE-2023-48795 | openssh | 5.9 | 9.5p1 | 9.7p1 | 9.7p1 | [PR, PR, PR, PR, PR] |
| CVE-2023-48795 | libssh2 | 5.9 | 1.11.0 | 1.11.0 | 1.11.0 | [PR, PR, PR, PR, PR] |
| CVE-2023-48795 | libssh | 5.9 | 0.10.5 | 0.10.6 | 0.10.6 | [PR, PR, PR, PR, PR] |
| CVE-2024-22365 | linux-pam | 5.5 | 1.5.2 | [PR] | ||
| CVE-2024-0727 | openssl | 5.5 | 3.0.12 | 3.2.0 | 3.2.0 | [PR, PR] |
| CVE-2024-0684 | coreutils | 5.5 | 9.3 | 9.5 | 9.5 | [PR, PR] |
| CVE-2024-0408 | xorg-server | 5.5 | 21.1.9 | 21.1.13 | 21.1.13 | |
| CVE-2023-51384 | openssh | 5.5 | 9.5p1 | 9.7p1 | 9.7p1 | [PR, PR, PR, PR] |
| CVE-2023-51258 | yasm | 5.5 | 1.3.0 | 1.3.0 | 1.3.0 | |
| CVE-2023-50268 | jq | 5.5 | 1.7 | 1.7.1 | 1.7.1 | |
| CVE-2023-50246 | jq | 5.5 | 1.7 | 1.7.1 | 1.7.1 | |
| CVE-2023-46407 | ffmpeg | 5.5 | 6.0 | 7.0 | 7.0 | [PR] |
| CVE-2023-46407 | ffmpeg | 5.5 | 4.4.4 | |||
| CVE-2023-46246 | vim | 5.5 | 9.0.2048 | 9.1.0200 | 9.1.0393 | [PR, PR] |
| CVE-2023-42366 | busybox | 5.5 | 1.36.1 | 1.36.1 | 1.36.1 | |
| CVE-2023-42365 | busybox | 5.5 | 1.36.1 | 1.36.1 | 1.36.1 | |
| CVE-2023-42364 | busybox | 5.5 | 1.36.1 | 1.36.1 | 1.36.1 | |
| CVE-2023-42363 | busybox | 5.5 | 1.36.1 | 1.36.1 | 1.36.1 | |
| CVE-2023-39742 | giflib | 5.5 | 5.2.1 | 5.2.2 | 5.2.2 | [PR, PR] |
| CVE-2023-38857 | faad2 | 5.5 | 2.10.1 | 2.11.1 | 2.11.1 | [PR] |
| CVE-2023-38473 | avahi | 5.5 | 0.8 | 0.8 | 0.8 | [PR, PR, PR] |
| CVE-2023-38472 | avahi | 5.5 | 0.8 | 0.8 | 0.8 | [PR, PR, PR] |
| CVE-2023-38471 | avahi | 5.5 | 0.8 | 0.8 | 0.8 | [PR, PR, PR] |
| CVE-2023-38470 | avahi | 5.5 | 0.8 | 0.8 | 0.8 | [PR, PR, PR] |
| CVE-2023-38469 | avahi | 5.5 | 0.8 | 0.8 | 0.8 | [PR, PR, PR] |
| CVE-2023-25588 | binutils | 5.5 | 2.40 | 2.41 | 2.42 | [PR, PR] |
| CVE-2023-25586 | binutils | 5.5 | 2.40 | 2.41 | 2.42 | [PR, PR] |
| CVE-2023-25585 | binutils | 5.5 | 2.40 | 2.41 | 2.42 | [PR, PR] |
| CVE-2023-6992 | zlib | 5.5 | 1.3 | 1.3.1 | 1.3.1 | |
| CVE-2023-6228 | libtiff | 5.5 | 4.6.0 | 4.6.0 | 4.6.0 | |
| CVE-2022-1615 | samba | 5.5 | 4.19.2 | 4.20.0 | 4.20.0 | |
| CVE-2020-18781 | audiofile | 5.5 | 0.3.6 | 0.3.6 | 0.3.6 | |
| CVE-2017-8806 | postgresql | 5.5 | 15.5 | 16.2 | 16.2 | |
| CVE-2020-2136 | git | 5.4 | 2.42.0 | 2.44.0 | 2.45.0 | [PR, PR] |
| CVE-2024-28834 | gnutls | 5.3 | 3.8.2 | 3.8.4 | 3.8.5 | [PR] |
| CVE-2024-28182 | nghttp2 | 5.3 | 1.57.0 | 1.61.0 | 1.61.0 | [PR, PR] |
| CVE-2023-46219 | curl | 5.3 | 8.4.0 | 8.7.1 | 8.7.1_7 | [PR] |
| CVE-2023-7216 | cpio | 5.3 | 2.14 | 2.15 | 2.15 | |
| CVE-2023-6918 | libssh | 5.3 | 0.10.5 | 0.10.6 | 0.10.6 | [PR, PR, PR] |
| CVE-2023-6780 | glibc | 5.3 | 2.38-27-source-u | [PR, PR] | ||
| CVE-2023-6780 | glibc | 5.3 | 2.38-27 | [PR, PR] | ||
| CVE-2023-6693 | qemu | 5.3 | 8.1.3 | 8.2.3 | 9.0.0 | [PR, PR, PR] |
| CVE-2023-5680 | bind | 5.3 | 9.18.19 | 9.18.26 | 9.18.26 | |
| CVE-2023-5678 | openssl | 5.3 | 3.0.12 | 3.2.0 | 3.2.0 | [PR, PR] |
| CVE-2024-28835 | gnutls | 5 | 3.8.2 | 3.8.4 | 3.8.5 | [PR] |
| CVE-2023-6004 | libssh | 4.8 | 0.10.5 | 0.10.6 | 0.10.6 | [PR, PR, PR] |
| CVE-2023-4039 | gcc | 4.8 | 12.3.0 | 13.2.0 | 13.2.0 | |
| CVE-2023-48706 | vim | 4.7 | 9.0.2048 | 9.1.0200 | 9.1.0393 | [PR, PR] |
| CVE-2024-25629 | c-ares | 4.4 | 1.19.1 | 1.27.0 | 1.28.1 | [PR, PR] |
| CVE-2023-48237 | vim | 4.3 | 9.0.2048 | 9.1.0200 | 9.1.0393 | [PR, PR] |
| CVE-2023-48236 | vim | 4.3 | 9.0.2048 | 9.1.0200 | 9.1.0393 | [PR, PR] |
| CVE-2023-48235 | vim | 4.3 | 9.0.2048 | 9.1.0200 | 9.1.0393 | [PR, PR] |
| CVE-2023-48234 | vim | 4.3 | 9.0.2048 | 9.1.0200 | 9.1.0393 | [PR, PR] |
| CVE-2023-48233 | vim | 4.3 | 9.0.2048 | 9.1.0200 | 9.1.0393 | [PR, PR] |
| CVE-2023-48232 | vim | 4.3 | 9.0.2048 | 9.1.0200 | 9.1.0393 | [PR, PR] |
| CVE-2023-48231 | vim | 4.3 | 9.0.2048 | 9.1.0200 | 9.1.0393 | [PR, PR] |
| CVE-2018-14628 | samba | 4.3 | 4.19.2 | 4.20.0 | 4.20.0 | [PR] |
| GHSA-w596-4wvx-j9j6 | py | 1.11.0 | 1.11.0 | 1.11.0 | ||
| GHSA-fwr7-v2mv-hh25 | async | 2.2.4 | 2.2.5 | 2.2.5 | ||
| CVE-2024-24474 | qemu | 8.1.3 | 8.2.3 | 9.0.0 | ||
| OSV-2024-395 | libpcap | 1.10.4 | 1.10.4 | 1.10.4 | ||
| GHSA-gmwp-3pwc-3j3g | mockery | 0.3.5 | 0.3.5 | 0.3.5 | ||
| CVE-2023-7235 | openvpn | 2.5.8 | 2.6.10 | 2.6.10 | ||
| OSV-2023-1307 | libbpf | 1.2.2 | 1.4.0 | 1.4.1 | ||
| OSV-2023-877 | libbpf | 1.2.2 | 1.4.0 | 1.4.1 | ||
| OSV-2023-675 | flac | 1.4.3 | 1.4.3 | 1.4.3 | ||
| OSV-2023-505 | file | 5.45 | 5.45 | 5.45 | Unclear if this is still valid. | |
| OSV-2023-390 | qemu | 8.1.3 | 8.2.3 | 9.0.0 | Unclear if this is still valid. | |
| OSV-2023-364 | hunspell | 1.7.2 | 1.7.2 | 1.7.2 | ||
| OSV-2023-327 | hunspell | 1.7.2 | 1.7.2 | 1.7.2 | ||
| OSV-2023-298 | cairo | 1.18.0 | 1.17.13 | 1.17.13 | ||
| OSV-2023-197 | p11-kit | 0.25.0 | 0.25.3 | 0.25.3 | ||
| OSV-2023-14 | hunspell | 1.7.2 | 1.7.2 | 1.7.2 | ||
| OSV-2022-908 | bluez | 5.70 | 5.72 | 5.75 | Unclear if this is still valid. | |
| OSV-2022-896 | libsass | 3.6.5 | 3.6.6 | 3.6.6 | Unclear if this is still valid. | |
| OSV-2022-882 | hunspell | 1.7.2 | 1.7.2 | 1.7.2 | ||
| OSV-2022-859 | bluez | 5.70 | 5.72 | 5.75 | Unclear if this is still valid. | |
| OSV-2022-785 | dnsmasq | 2.89 | 2.90 | 2.90 | ||
| OSV-2022-725 | libjxl | 0.8.2 | 0.10.2 | 0.10.2 | Unclear if this is still valid. | |
| OSV-2022-608 | libjxl | 0.8.2 | 0.10.2 | 0.10.2 | Unclear if this is still valid. | |
| OSV-2022-581 | qemu | 8.1.3 | 8.2.3 | 9.0.0 | Unclear if this is still valid. | |
| OSV-2022-572 | dnsmasq | 2.89 | 2.90 | 2.90 | ||
| OSV-2022-530 | espeak-ng | 1.51.1 | 1.51.1 | 1.51.1 | Unclear if this is still valid. | |
| OSV-2022-519 | espeak-ng | 1.51.1 | 1.51.1 | 1.51.1 | Unclear if this is still valid. | |
| OSV-2022-462 | espeak-ng | 1.51.1 | 1.51.1 | 1.51.1 | Unclear if this is still valid. | |
| OSV-2022-312 | dnsmasq | 2.89 | 2.90 | 2.90 | ||
| OSV-2022-193 | w3m | 0.5.3+git2023012 | 0.5.3+git2023012 | 0.5.3+git2023012 | Unclear if this is still valid. | |
| OSV-2021-1157 | espeak-ng | 1.51.1 | 1.51.1 | 1.51.1 | Unclear if this is still valid. | |
| OSV-2021-1141 | espeak-ng | 1.51.1 | 1.51.1 | 1.51.1 | Unclear if this is still valid. | |
| OSV-2021-1110 | espeak-ng | 1.51.1 | 1.51.1 | 1.51.1 | Unclear if this is still valid. | |
| OSV-2021-1041 | espeak-ng | 1.51.1 | 1.51.1 | 1.51.1 | Unclear if this is still valid. | |
| OSV-2021-1024 | espeak-ng | 1.51.1 | 1.51.1 | 1.51.1 | Unclear if this is still valid. | |
| OSV-2021-802 | espeak-ng | 1.51.1 | 1.51.1 | 1.51.1 | Unclear if this is still valid. | |
| OSV-2021-787 | espeak-ng | 1.51.1 | 1.51.1 | 1.51.1 | Unclear if this is still valid. | |
| OSV-2021-765 | espeak-ng | 1.51.1 | 1.51.1 | 1.51.1 | Unclear if this is still valid. | |
| OSV-2021-508 | libsass | 3.6.5 | 3.6.6 | 3.6.6 | Unclear if this is still valid. | |
| OSV-2020-1610 | openexr | 2.5.8 | 3.2.4 | 3.2.4 | ||
| OSV-2020-1420 | libsass | 3.6.5 | 3.6.6 | 3.6.6 | ||
| OSV-2020-862 | libsass | 3.6.5 | 3.6.6 | 3.6.6 | ||
| OSV-2020-521 | aspell | 0.60.8 | 0.60.8.1 | 0.60.8.1 | ||
| OSV-2020-438 | capstone | 4.0.2 | 5.0.1 | 5.0.1 | ||
| CVE-2011-2411 | samba | 4.19.2 | 4.20.0 | 4.20.0 |
Following table lists vulnerabilities that would otherwise have been included to the report, but were left out due to whitelisting.
Whitelisted vulnerabilities
| vuln_id | package | severity | version_local | comment |
|---|---|---|---|---|
| CVE-2023-41330 | snappy | 9.8 | 1.2.0 | Incorrect package: Issue concerns snappy php library: link, whereas, nixpkgs "snappy" refers snappy compression library: link. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: link. |
| CVE-2023-41330 | snappy | 9.8 | 1.1.10 | Incorrect package: Issue concerns snappy php library: link, whereas, nixpkgs "snappy" refers snappy compression library: link. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: link. |
| CVE-2023-28115 | snappy | 9.8 | 1.2.0 | Incorrect package: Issue concerns snappy php library: link, whereas, nixpkgs "snappy" refers snappy compression library: link. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: link. |
| CVE-2023-28115 | snappy | 9.8 | 1.1.10 | Incorrect package: Issue concerns snappy php library: link, whereas, nixpkgs "snappy" refers snappy compression library: link. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: link. |
| CVE-2022-28321 | linux-pam | 9.8 | 1.5.2 | Only impacts SUSE-specific patch version. Notice: repology package name is pam: link. |
| CVE-2021-4336 | ninja | 9.8 | 1.11.1 | Incorrect package: nixpkgs 'ninja' refers link, not link. |
| CVE-2018-7263 | libmad | 9.8 | 0.15.1b | Based on link, issue is fixed by link. |
| CVE-2016-10141 | mujs | 9.8 | 1.3.4 | NVD data issue: CPE entry does not correctly state the version numbers. |
| CVE-2016-10141 | mujs | 9.8 | 1.3.3 | NVD data issue: CPE entry does not correctly state the version numbers. |
| CVE-2016-10133 | mujs | 9.8 | 1.3.4 | NVD data issue: CPE entry does not correctly state the version numbers. |
| CVE-2016-10133 | mujs | 9.8 | 1.3.3 | NVD data issue: CPE entry does not correctly state the version numbers. |
| CVE-2016-7504 | mujs | 9.8 | 1.3.4 | NVD data issue: CPE entry does not correctly state the version numbers. |
| CVE-2016-7504 | mujs | 9.8 | 1.3.3 | NVD data issue: CPE entry does not correctly state the version numbers. |
| CVE-2022-36882 | git | 8.8 | 2.44.0 | Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: link. |
| CVE-2022-36882 | git | 8.8 | 2.42.0 | Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: link. |
| CVE-2022-36073 | rubygems | 8.8 | 3.5.9 | Latest impacted version in 3.x is 3.0.4. |
| CVE-2022-36073 | rubygems | 8.8 | 3.4.22 | Latest impacted version in 3.x is 3.0.4. |
| CVE-2022-26592 | libsass | 8.8 | 3.6.5 | Pending upstream fix: link. |
| CVE-2021-23169 | openexr | 8.8 | 2.5.8 | False positive to the NVD data issue. Fixed in openexr 2.5.8. Upstream fix PR link which went to 2.5.7. |
| CVE-2018-6553 | cups | 8.8 | 2.4.7 | NVD data issue: CPE entry does not correctly state the version numbers. |
| CVE-2017-5436 | graphite2 | 8.8 | 1.3.14 | NVD data issue: CPE entry does not correctly state the version numbers. |
| CVE-2022-48434 | ffmpeg | 8.1 | 4.4.4 | Scanners get confused by LTS release versions (non-linear version numbers). Upstream fix patch for 4.4.x is merged in 4.4.3 link. |
| CVE-2019-14586 | edk2 | 8.0 | 202311 | NVD data issue: CPE entry does not correctly state the version numbers. |
| CVE-2019-14586 | edk2 | 8 | 202402 | NVD data issue: CPE entry does not correctly state the version numbers. |
| CVE-2021-30499 | libcaca | 7.8 | 0.99.beta20 | NVD data issue: CPE entry does not correctly state the version numbers. Issue is fixed in v0.99.beta20: link. |
| CVE-2021-26720 | avahi | 7.8 | 0.8 | False positive: issue refers avahi-daemon-check-dns.sh in the Debian avahi package. As such, the issue is specific to Debian and its derivatives. |
| CVE-2019-14575 | edk2 | 7.8 | 202402 | NVD data issue: CPE entry does not correctly state the version numbers. |
| CVE-2019-14575 | edk2 | 7.8 | 202311 | NVD data issue: CPE entry does not correctly state the version numbers. |
| CVE-2019-14563 | edk2 | 7.8 | 202402 | NVD data issue: CPE entry does not correctly state the version numbers. |
| CVE-2019-14563 | edk2 | 7.8 | 202311 | NVD data issue: CPE entry does not correctly state the version numbers. |
| CVE-2017-5628 | mujs | 7.8 | 1.3.4 | NVD data issue: CPE entry does not correctly state the version numbers. |
| CVE-2017-5628 | mujs | 7.8 | 1.3.3 | NVD data issue: CPE entry does not correctly state the version numbers. |
| CVE-2017-5627 | mujs | 7.8 | 1.3.4 | NVD data issue: CPE entry does not correctly state the version numbers. |
| CVE-2017-5627 | mujs | 7.8 | 1.3.3 | NVD data issue: CPE entry does not correctly state the version numbers. |
| CVE-2016-2226 | libiberty | 7.8 | 13.2.0 | NVD data issue: CPE entry does not correctly state the version numbers. |
| CVE-2016-2226 | libiberty | 7.8 | 12.3.0 | NVD data issue: CPE entry does not correctly state the version numbers. |
| CVE-2022-42969 | py | 7.5 | 1.11.0 | Disputed upstream: link. |
| CVE-2022-36883 | git | 7.5 | 2.44.0 | Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: link. |
| CVE-2022-36883 | git | 7.5 | 2.42.0 | Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: link. |
| CVE-2022-30947 | git | 7.5 | 2.44.0 | Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: link. |
| CVE-2022-30947 | git | 7.5 | 2.42.0 | Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: link. |
| CVE-2022-3109 | ffmpeg | 7.5 | 4.4.4 | Scanners get confused by LTS release versions (non-linear version numbers). Upstream fix patch for 4.4.x is merged in 4.4.4 link. |
| CVE-2019-14559 | edk2 | 7.5 | 202402 | NVD data issue: CPE entry does not correctly state the version numbers. |
| CVE-2019-14559 | edk2 | 7.5 | 202311 | NVD data issue: CPE entry does not correctly state the version numbers. |
| CVE-2019-6470 | bind | 7.5 | 9.18.26 | Not valid: link. |
| CVE-2019-6470 | bind | 7.5 | 9.18.24 | Not valid: link. |
| CVE-2019-6470 | bind | 7.5 | 9.18.19 | Not valid: link. |
| CVE-2016-10132 | mujs | 7.5 | 1.3.4 | NVD data issue: CPE entry does not correctly state the version numbers. |
| CVE-2016-10132 | mujs | 7.5 | 1.3.3 | NVD data issue: CPE entry does not correctly state the version numbers. |
| CVE-2016-9294 | mujs | 7.5 | 1.3.4 | NVD data issue: CPE entry does not correctly state the version numbers. |
| CVE-2016-9294 | mujs | 7.5 | 1.3.3 | NVD data issue: CPE entry does not correctly state the version numbers. |
| CVE-2016-9136 | mujs | 7.5 | 1.3.4 | NVD data issue: CPE entry does not correctly state the version numbers. |
| CVE-2016-9136 | mujs | 7.5 | 1.3.3 | NVD data issue: CPE entry does not correctly state the version numbers. |
| CVE-2016-9109 | mujs | 7.5 | 1.3.4 | NVD data issue: CPE entry does not correctly state the version numbers. |
| CVE-2016-9109 | mujs | 7.5 | 1.3.3 | NVD data issue: CPE entry does not correctly state the version numbers. |
| CVE-2016-9108 | mujs | 7.5 | 1.3.4 | NVD data issue: CPE entry does not correctly state the version numbers. |
| CVE-2016-9108 | mujs | 7.5 | 1.3.3 | NVD data issue: CPE entry does not correctly state the version numbers. |
| CVE-2016-9017 | mujs | 7.5 | 1.3.4 | NVD data issue: CPE entry does not correctly state the version numbers. |
| CVE-2016-9017 | mujs | 7.5 | 1.3.3 | NVD data issue: CPE entry does not correctly state the version numbers. |
| CVE-2016-7564 | mujs | 7.5 | 1.3.4 | NVD data issue: CPE entry does not correctly state the version numbers. |
| CVE-2016-7564 | mujs | 7.5 | 1.3.3 | NVD data issue: CPE entry does not correctly state the version numbers. |
| CVE-2016-7563 | mujs | 7.5 | 1.3.4 | NVD data issue: CPE entry does not correctly state the version numbers. |
| CVE-2016-7563 | mujs | 7.5 | 1.3.3 | NVD data issue: CPE entry does not correctly state the version numbers. |
| CVE-2016-7506 | mujs | 7.5 | 1.3.4 | NVD data issue: CPE entry does not correctly state the version numbers. |
| CVE-2016-7506 | mujs | 7.5 | 1.3.3 | NVD data issue: CPE entry does not correctly state the version numbers. |
| CVE-2016-6131 | libiberty | 7.5 | 13.2.0 | NVD data issue: CPE entry does not correctly state the version numbers. |
| CVE-2016-6131 | libiberty | 7.5 | 12.3.0 | NVD data issue: CPE entry does not correctly state the version numbers. |
| CVE-2019-12749 | dbus | 7.1 | 1 | Fixed with link (dbus version '1' in nixpkgs currently refers 1.14.8). |
| CVE-2014-4860 | edk2 | 6.8 | 202402 | NVD data issue: CPE entry does not correctly state the version numbers. |
| CVE-2014-4860 | edk2 | 6.8 | 202311 | NVD data issue: CPE entry does not correctly state the version numbers. |
| CVE-2014-4859 | edk2 | 6.8 | 202402 | NVD data issue: CPE entry does not correctly state the version numbers. |
| CVE-2014-4859 | edk2 | 6.8 | 202311 | NVD data issue: CPE entry does not correctly state the version numbers. |
| CVE-2022-26691 | cups | 6.7 | 2.4.7 | Fixed in nixpkgs with PR: link. |
| CVE-2023-3603 | libssh | 6.5 | 0.10.6 | Based on link and link, vulnerable code is not present in 0.10.5 or any currently released version. |
| CVE-2023-3603 | libssh | 6.5 | 0.10.5 | Based on link and link, vulnerable code is not present in 0.10.5 or any currently released version. |
| CVE-2022-38663 | git | 6.5 | 2.44.0 | Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: link. |
| CVE-2022-38663 | git | 6.5 | 2.42.0 | Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: link. |
| CVE-2022-37416 | libmpeg2 | 6.5 | 0.5.1 | NVD data issue: concerns Android only. |
| CVE-2022-0856 | libcaca | 6.5 | 0.99.beta20 | Crash in CLI tool, no security impact. |
| CVE-2020-24490 | bluez | 6.5 | 5.72 | Fixed in linux kernel (5.8) with: link. |
| CVE-2020-24490 | bluez | 6.5 | 5.70 | Fixed in linux kernel (5.8) with: link. |
| CVE-2019-14900 | fuse | 6.5 | 3.16.2 | Incorrect package: Issue concerns redhat fuse (link) not libfuse link which is what 'fuse' package in nixpkgs refers. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives. |
| CVE-2019-14900 | fuse | 6.5 | 2.9.9-closefrom- | Incorrect package: Issue concerns redhat fuse (link) not libfuse link which is what 'fuse' package in nixpkgs refers. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives. |
| CVE-2019-14900 | fuse | 6.5 | 2.9.9 | Incorrect package: Issue concerns redhat fuse (link) not libfuse link which is what 'fuse' package in nixpkgs refers. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives. |
| CVE-2019-14860 | fuse | 6.5 | 3.16.2 | Incorrect package: Issue concerns redhat fuse (link) not libfuse link which is what 'fuse' package in nixpkgs refers. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives. |
| CVE-2019-14860 | fuse | 6.5 | 2.9.9-closefrom- | Incorrect package: Issue concerns redhat fuse (link) not libfuse link which is what 'fuse' package in nixpkgs refers. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives. |
| CVE-2019-14860 | fuse | 6.5 | 2.9.9 | Incorrect package: Issue concerns redhat fuse (link) not libfuse link which is what 'fuse' package in nixpkgs refers. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives. |
| CVE-2019-14587 | edk2 | 6.5 | 202402 | NVD data issue: CPE entry does not correctly state the version numbers. |
| CVE-2019-14587 | edk2 | 6.5 | 202311 | NVD data issue: CPE entry does not correctly state the version numbers. |
| CVE-2019-12067 | qemu | 6.5 | 8.2.3 | NVD data issue: CPE entry does not correctly state the version numbers. |
| CVE-2019-12067 | qemu | 6.5 | 8.1.5 | NVD data issue: CPE entry does not correctly state the version numbers. |
| CVE-2019-12067 | qemu | 6.5 | 8.1.3 | NVD data issue: CPE entry does not correctly state the version numbers. |
| CVE-2016-2781 | coreutils | 6.5 | 9.5 | NVD data issue: CPE entry does not correctly state the version numbers. |
| CVE-2016-2781 | coreutils | 6.5 | 9.3 | NVD data issue: CPE entry does not correctly state the version numbers. |
| CVE-2021-21684 | git | 6.1 | 2.44.0 | Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: link. |
| CVE-2021-21684 | git | 6.1 | 2.42.0 | Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: link. |
| CVE-2023-31974 | yasm | 5.5 | 1.3.0 | Crash in CLI tool, no security impact. |
| CVE-2023-31973 | yasm | 5.5 | 1.3.0 | Crash in CLI tool, no security impact. |
| CVE-2023-31972 | yasm | 5.5 | 1.3.0 | Crash in CLI tool, no security impact. |
| CVE-2023-30402 | yasm | 5.5 | 1.3.0 | Crash in CLI tool, no security impact. |
| CVE-2021-33468 | yasm | 5.5 | 1.3.0 | Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'. |
| CVE-2021-33467 | yasm | 5.5 | 1.3.0 | Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'. |
| CVE-2021-33466 | yasm | 5.5 | 1.3.0 | Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'. |
| CVE-2021-33465 | yasm | 5.5 | 1.3.0 | Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'. |
| CVE-2021-33464 | yasm | 5.5 | 1.3.0 | Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'. |
| CVE-2021-33463 | yasm | 5.5 | 1.3.0 | Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'. |
| CVE-2021-33462 | yasm | 5.5 | 1.3.0 | Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'. |
| CVE-2021-33461 | yasm | 5.5 | 1.3.0 | Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'. |
| CVE-2021-33460 | yasm | 5.5 | 1.3.0 | Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'. |
| CVE-2021-33459 | yasm | 5.5 | 1.3.0 | Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'. |
| CVE-2021-33458 | yasm | 5.5 | 1.3.0 | Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'. |
| CVE-2021-33457 | yasm | 5.5 | 1.3.0 | Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'. |
| CVE-2021-33456 | yasm | 5.5 | 1.3.0 | Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'. |
| CVE-2021-33455 | yasm | 5.5 | 1.3.0 | Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'. |
| CVE-2021-33454 | yasm | 5.5 | 1.3.0 | Issue is not fixed upstream. Other distributions have triaged the issue as minor or 'no security impact'. |
| CVE-2021-26945 | openexr | 5.5 | 2.5.8 | Fix patch link modifies a file that is not available in openexr 2. Thus, the fix doesn't apply to 2.5.8. |
| CVE-2021-26260 | openexr | 5.5 | 2.5.8 | False positive to the NVD data issue. Fixed in openexr 2.5.8. Upstream fix PR link which went to 2.5.5. |
| CVE-2021-23215 | openexr | 5.5 | 2.5.8 | False positive to the NVD data issue. Fixed in openexr 2.5.8. Upstream fix PR link which went to 2.5.5. |
| CVE-2021-20255 | qemu | 5.5 | 8.2.3 | Upstream patch not merged: link. No point fixing this in nixpkgs as long as it is not fixed upstream. |
| CVE-2021-20255 | qemu | 5.5 | 8.1.5 | Upstream patch not merged: link. No point fixing this in nixpkgs as long as it is not fixed upstream. |
| CVE-2021-20255 | qemu | 5.5 | 8.1.3 | Upstream patch not merged: link. No point fixing this in nixpkgs as long as it is not fixed upstream. |
| CVE-2021-3605 | openexr | 5.5 | 2.5.8 | False positive to the NVD data issue. Fixed in openexr 2.5.8. Upstream fix PR link which went to 2.5.7. |
| CVE-2021-3598 | openexr | 5.5 | 2.5.8 | False positive to the NVD data issue. Fixed in openexr 2.5.8. Upstream fix PR link which went to 2.5.7. |
| CVE-2019-20633 | patch | 5.5 | 2.7.6 | Upstream patch is not merged: link. Not sure why this isn't fixed upstream. No point fixing this in nixpkgs as long as it is not fixed upstream. |
| CVE-2019-14562 | edk2 | 5.5 | 202402 | NVD data issue: CPE entry does not correctly state the version numbers. |
| CVE-2019-14562 | edk2 | 5.5 | 202311 | NVD data issue: CPE entry does not correctly state the version numbers. |
| CVE-2019-6293 | flex | 5.5 | 2.6.4 | NVD data issue: CPE entry does not correctly state the version numbers. |
| CVE-2018-18438 | qemu | 5.5 | 8.2.3 | NVD data issue: CPE entry does not correctly state the version numbers. |
| CVE-2018-18438 | qemu | 5.5 | 8.1.5 | NVD data issue: CPE entry does not correctly state the version numbers. |
| CVE-2018-18438 | qemu | 5.5 | 8.1.3 | NVD data issue: CPE entry does not correctly state the version numbers. |
| CVE-2016-4493 | libiberty | 5.5 | 13.2.0 | NVD data issue: CPE entry does not correctly state the version numbers. |
| CVE-2016-4493 | libiberty | 5.5 | 12.3.0 | NVD data issue: CPE entry does not correctly state the version numbers. |
| CVE-2016-4491 | libiberty | 5.5 | 13.2.0 | NVD data issue: CPE entry does not correctly state the version numbers. |
| CVE-2016-4491 | libiberty | 5.5 | 12.3.0 | NVD data issue: CPE entry does not correctly state the version numbers. |
| CVE-2016-4490 | libiberty | 5.5 | 13.2.0 | NVD data issue: CPE entry does not correctly state the version numbers. |
| CVE-2016-4490 | libiberty | 5.5 | 12.3.0 | NVD data issue: CPE entry does not correctly state the version numbers. |
| CVE-2016-4489 | libiberty | 5.5 | 13.2.0 | NVD data issue: CPE entry does not correctly state the version numbers. |
| CVE-2016-4489 | libiberty | 5.5 | 12.3.0 | NVD data issue: CPE entry does not correctly state the version numbers. |
| CVE-2016-4488 | libiberty | 5.5 | 13.2.0 | NVD data issue: CPE entry does not correctly state the version numbers. |
| CVE-2016-4488 | libiberty | 5.5 | 12.3.0 | NVD data issue: CPE entry does not correctly state the version numbers. |
| CVE-2016-4487 | libiberty | 5.5 | 13.2.0 | NVD data issue: CPE entry does not correctly state the version numbers. |
| CVE-2016-4487 | libiberty | 5.5 | 12.3.0 | NVD data issue: CPE entry does not correctly state the version numbers. |
| CVE-2015-7313 | libtiff | 5.5 | 4.6.0 | NVD data issue: CPE entry does not correctly state the version numbers. |
| CVE-2022-36884 | git | 5.3 | 2.44.0 | Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: link. |
| CVE-2022-36884 | git | 5.3 | 2.42.0 | Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: link. |
| CVE-2022-3341 | ffmpeg | 5.3 | 4.4.4 | Scanners get confused by LTS release versions (non-linear version numbers). Upstream fix patch for 4.4.x is merged in 4.4.4 link. |
| CVE-2020-16194 | quote | 5.3 | 1.0.35 | Incorrect package: Issue concerns prestashop product: link, whereas, nixpkgs "quote" refers rust package 'quote': link. |
| CVE-2020-16194 | quote | 5.3 | 1.0.33 | Incorrect package: Issue concerns prestashop product: link, whereas, nixpkgs "quote" refers rust package 'quote': link. |
| CVE-2019-14553 | edk2 | 4.9 | 202402 | NVD data issue: CPE entry does not correctly state the version numbers. |
| CVE-2019-14553 | edk2 | 4.9 | 202311 | NVD data issue: CPE entry does not correctly state the version numbers. |
| CVE-2016-4492 | libiberty | 4.4 | 13.2.0 | NVD data issue: CPE entry does not correctly state the version numbers. |
| CVE-2016-4492 | libiberty | 4.4 | 12.3.0 | NVD data issue: CPE entry does not correctly state the version numbers. |
| CVE-2019-1003010 | git | 4.3 | 2.44.0 | Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: link. |
| CVE-2019-1003010 | git | 4.3 | 2.42.0 | Incorrect package: Impacts Jenkins git plugin, not git. Issue gets included to the report due to vulnix's design decision to avoid false negatives with the cost of false positives: link. |
| CVE-2023-31975 | yasm | 3.3 | 1.3.0 | Memory leak in CLI tool, no security impact. |
| CVE-2022-3219 | gnupg | 3.3 | 2.4.5 | Fix patch is not accepted upstream: link. |
| CVE-2022-3219 | gnupg | 3.3 | 2.4.4 | Fix patch is not accepted upstream: link. |
| CVE-2022-3219 | gnupg | 3.3 | 2.4.1 | Fix patch is not accepted upstream: link. |
| CVE-2021-4217 | unzip | 3.3 | 6.0 | Ignored by other distribution as 'no security impact', e.g. Debian: link. |
| OSV-2023-137 | harfbuzz | 8.4.0 | Based on link, the issue is fixed in range link all of which have been merged in 7.1.0. | |
| OSV-2023-137 | harfbuzz | 7.3.0 | Based on link, the issue is fixed in range link all of which have been merged in 7.1.0. | |
| PYSEC-2022-42969 | py | 1.11.0 | Same as CVE-2022-42969. | |
| MAL-2022-4301 | libidn2 | 2.3.7 | Incorrect package: Issue refers npm libidn2, whereas, nixpkgs refers libidn2 link. | |
| MAL-2022-4301 | libidn2 | 2.3.4 | Incorrect package: Issue refers npm libidn2, whereas, nixpkgs refers libidn2 link. | |
| OSV-2022-416 | openjpeg | 2.5.0 | Fixed based on link. | |
| OSV-2022-183 | binutils | 2.40 | Fixed based on link. | |
| OSV-2021-820 | qemu | 8.2.3 | Fixed based on link. | |
| OSV-2021-820 | qemu | 8.1.5 | Fixed based on link. | |
| OSV-2021-820 | qemu | 8.1.3 | Fixed based on link. | |
| OSV-2021-777 | libxml2 | 2.12.6 | Fixed by link, which went to 2.9.13. Therefore, this issue is fixed in 2.10.4. | |
| OSV-2021-777 | libxml2 | 2.11.7 | Fixed by link, which went to 2.9.13. Therefore, this issue is fixed in 2.10.4. | |
| OSV-2021-777 | libxml2 | 2.11.5 | Fixed by link, which went to 2.9.13. Therefore, this issue is fixed in 2.10.4. | |
| CVE-2014-9157 | graphviz | 9.0.0 | NVD data issue: CPE entry does not correctly state the version numbers. | |
| CVE-2014-9157 | graphviz | 10.0.1 | NVD data issue: CPE entry does not correctly state the version numbers. | |
| CVE-2012-3509 | libiberty | 13.2.0 | NVD data issue: CPE entry does not correctly state the version numbers. | |
| CVE-2012-3509 | libiberty | 12.3.0 | NVD data issue: CPE entry does not correctly state the version numbers. | |
| CVE-2010-4226 | cpio | 2.15 | NVD data issue: concerns OpenSuSE, not cpio. | |
| CVE-2010-4226 | cpio | 2.14 | NVD data issue: concerns OpenSuSE, not cpio. |