From 66fdb21c71c6b3e4da292c4f7429eaac61420986 Mon Sep 17 00:00:00 2001
From: Tatiana Bradley
Date: Fri, 8 Sep 2023 13:06:02 -0400
Subject: [PATCH] data: preserve cve references for some reports
Change-Id: Ifbd6abd25190afcc136f4d8294fd3302582e1f8f
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/526266
LUCI-TryBot-Result: Go LUCI
Reviewed-by: Damien Neil
---
data/cve/v5/GO-2022-0956.json | 12 ++++++++++++
data/cve/v5/GO-2022-1144.json | 12 ++++++++++++
data/cve/v5/GO-2023-1495.json | 6 ++++++
data/cve/v5/GO-2023-1839.json | 3 +++
data/cve/v5/GO-2023-1840.json | 3 +++
data/cve/v5/GO-2023-1841.json | 3 +++
data/cve/v5/GO-2023-1842.json | 3 +++
data/cve/v5/GO-2023-1878.json | 3 +++
data/cve/v5/GO-2023-1987.json | 3 +++
data/cve/v5/GO-2023-1989.json | 3 +++
data/cve/v5/GO-2023-1990.json | 3 +++
data/reports/GO-2022-0956.yaml | 4 ++++
data/reports/GO-2022-1144.yaml | 5 ++++-
data/reports/GO-2023-1495.yaml | 3 +++
data/reports/GO-2023-1839.yaml | 1 +
data/reports/GO-2023-1840.yaml | 1 +
data/reports/GO-2023-1841.yaml | 1 +
data/reports/GO-2023-1842.yaml | 1 +
data/reports/GO-2023-1878.yaml | 2 ++
data/reports/GO-2023-1987.yaml | 6 ++++--
data/reports/GO-2023-1989.yaml | 12 ++++++------
data/reports/GO-2023-1990.yaml | 11 +++++++----
22 files changed, 88 insertions(+), 13 deletions(-)
diff --git a/data/cve/v5/GO-2022-0956.json b/data/cve/v5/GO-2022-0956.json
index 4d399413..9ba09bf1 100644
--- a/data/cve/v5/GO-2022-0956.json
+++ b/data/cve/v5/GO-2022-0956.json
@@ -75,6 +75,18 @@
 },
 {
 "url": "https://lists.debian.org/debian-lts-announce/2023/07/msg00001.html"
+ },
+ {
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZTE4ITXXPIWZEQ4HYQCB6N6GZIMWXDAI/"
+ },
+ {
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4SBIUECMLNC572P23DDOKJNKPJVX26SP/"
+ },
+ {
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PW3XC47AUW5J5M2ULJX7WCCL3B2ETLMT/"
+ },
+ {
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYZOKMMVX4SIEHPJW3SJUQGMO5YZCPHC/"
 }
 ]
 }
diff --git a/data/cve/v5/GO-2022-1144.json b/data/cve/v5/GO-2022-1144.json
index 6342d869..1be7746f 100644
--- a/data/cve/v5/GO-2022-1144.json
+++ b/data/cve/v5/GO-2022-1144.json
@@ -128,6 +128,18 @@
 },
 {
 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PUM4DIVOLJCBK5ZDP4LJOL24GXT3YSIR/"
+ },
+ {
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4SBIUECMLNC572P23DDOKJNKPJVX26SP/"
+ },
+ {
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PW3XC47AUW5J5M2ULJX7WCCL3B2ETLMT/"
+ },
+ {
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Q52IQI754YAE4XPR4QBRWPIVZWYGZ4FS/"
+ },
+ {
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/56B2FFESRYYP6IY2AZ3UWXLWKZ5IYZN4/"
 }
 ],
 "credits": [
diff --git a/data/cve/v5/GO-2023-1495.json b/data/cve/v5/GO-2023-1495.json
index fd23073f..d71cfe99 100644
--- a/data/cve/v5/GO-2023-1495.json
+++ b/data/cve/v5/GO-2023-1495.json
@@ -60,6 +60,12 @@
 },
 {
 "url": "https://pkg.go.dev/vuln/GO-2023-1495"
+ },
+ {
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X3H3EWQXM2XL5AGBX6UL443JEJ3GQXJN/"
+ },
+ {
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X5DXTLLWN6HKI5I35EUZRBISTNZJ75GP/"
 }
 ],
 "credits": [
diff --git a/data/cve/v5/GO-2023-1839.json b/data/cve/v5/GO-2023-1839.json
index 8a6b535c..91bc904b 100644
--- a/data/cve/v5/GO-2023-1839.json
+++ b/data/cve/v5/GO-2023-1839.json
@@ -64,6 +64,9 @@
 },
 {
 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XBS3IIK6ADV24C5ULQU55QLT2UE762ZX/"
+ },
+ {
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NZ2O6YCO2IZMZJELQGZYR2WAUNEDLYV6/"
 }
 ],
 "credits": [
diff --git a/data/cve/v5/GO-2023-1840.json b/data/cve/v5/GO-2023-1840.json
index b778865b..e4eef3ad 100644
--- a/data/cve/v5/GO-2023-1840.json
+++ b/data/cve/v5/GO-2023-1840.json
@@ -64,6 +64,9 @@
 },
 {
 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XBS3IIK6ADV24C5ULQU55QLT2UE762ZX/"
+ },
+ {
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NZ2O6YCO2IZMZJELQGZYR2WAUNEDLYV6/"
 }
 ],
 "credits": [
diff --git a/data/cve/v5/GO-2023-1841.json b/data/cve/v5/GO-2023-1841.json
index 0afc339d..50ca12cd 100644
--- a/data/cve/v5/GO-2023-1841.json
+++ b/data/cve/v5/GO-2023-1841.json
@@ -64,6 +64,9 @@
 },
 {
 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XBS3IIK6ADV24C5ULQU55QLT2UE762ZX/"
+ },
+ {
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NZ2O6YCO2IZMZJELQGZYR2WAUNEDLYV6/"
 }
 ],
 "credits": [
diff --git a/data/cve/v5/GO-2023-1842.json b/data/cve/v5/GO-2023-1842.json
index 12cb84da..06e46d0a 100644
--- a/data/cve/v5/GO-2023-1842.json
+++ b/data/cve/v5/GO-2023-1842.json
@@ -85,6 +85,9 @@
 },
 {
 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XBS3IIK6ADV24C5ULQU55QLT2UE762ZX/"
+ },
+ {
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NZ2O6YCO2IZMZJELQGZYR2WAUNEDLYV6/"
 }
 ],
 "credits": [
diff --git a/data/cve/v5/GO-2023-1878.json b/data/cve/v5/GO-2023-1878.json
index 1b6ef56b..6fcac14a 100644
--- a/data/cve/v5/GO-2023-1878.json
+++ b/data/cve/v5/GO-2023-1878.json
@@ -111,6 +111,9 @@
 },
 {
 "url": "https://pkg.go.dev/vuln/GO-2023-1878"
+ },
+ {
+ "url": "https://security.netapp.com/advisory/ntap-20230814-0002/"
 }
 ],
 "credits": [
diff --git a/data/cve/v5/GO-2023-1987.json b/data/cve/v5/GO-2023-1987.json
index f85c57c6..4b2d159b 100644
--- a/data/cve/v5/GO-2023-1987.json
+++ b/data/cve/v5/GO-2023-1987.json
@@ -99,6 +99,9 @@
 },
 {
 "url": "https://pkg.go.dev/vuln/GO-2023-1987"
+ },
+ {
+ "url": "https://security.netapp.com/advisory/ntap-20230831-0010/"
 }
 ],
 "credits": [
diff --git a/data/cve/v5/GO-2023-1989.json b/data/cve/v5/GO-2023-1989.json
index 6d4ad1a9..0e43cf55 100644
--- a/data/cve/v5/GO-2023-1989.json
+++ b/data/cve/v5/GO-2023-1989.json
@@ -63,6 +63,9 @@
 },
 {
 "url": "https://pkg.go.dev/vuln/GO-2023-1989"
+ },
+ {
+ "url": "https://security.netapp.com/advisory/ntap-20230831-0009/"
 }
 ],
 "credits": [
diff --git a/data/cve/v5/GO-2023-1990.json b/data/cve/v5/GO-2023-1990.json
index 36fa4a1b..89ee5b2e 100644
--- a/data/cve/v5/GO-2023-1990.json
+++ b/data/cve/v5/GO-2023-1990.json
@@ -63,6 +63,9 @@
 },
 {
 "url": "https://pkg.go.dev/vuln/GO-2023-1990"
+ },
+ {
+ "url": "https://security.netapp.com/advisory/ntap-20230831-0009/"
 }
 ],
 "credits": [
diff --git a/data/reports/GO-2022-0956.yaml b/data/reports/GO-2022-0956.yaml
index b6153652..bddc941a 100644
--- a/data/reports/GO-2022-0956.yaml
+++ b/data/reports/GO-2022-0956.yaml
@@ -29,3 +29,7 @@ cve_metadata:
 cwe: 'CWE 400: Uncontrolled Resource Consumption'
 references:
 - https://lists.debian.org/debian-lts-announce/2023/07/msg00001.html
+ - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZTE4ITXXPIWZEQ4HYQCB6N6GZIMWXDAI/
+ - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4SBIUECMLNC572P23DDOKJNKPJVX26SP/
+ - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PW3XC47AUW5J5M2ULJX7WCCL3B2ETLMT/
+ - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYZOKMMVX4SIEHPJW3SJUQGMO5YZCPHC/
diff --git a/data/reports/GO-2022-1144.yaml b/data/reports/GO-2022-1144.yaml
index bedcaf71..8c67ad74 100644
--- a/data/reports/GO-2022-1144.yaml
+++ b/data/reports/GO-2022-1144.yaml
@@ -55,4 +55,7 @@ cve_metadata:
 - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QBKBAZBIOXZV5QCFHZNSVXULR32XJCYD/
 - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NQGNAXK3YBPMUP3J4TECIRDHFGW37522/
 - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PUM4DIVOLJCBK5ZDP4LJOL24GXT3YSIR/
-
+ - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4SBIUECMLNC572P23DDOKJNKPJVX26SP/
+ - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PW3XC47AUW5J5M2ULJX7WCCL3B2ETLMT/
+ - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Q52IQI754YAE4XPR4QBRWPIVZWYGZ4FS/
+ - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/56B2FFESRYYP6IY2AZ3UWXLWKZ5IYZN4/
diff --git a/data/reports/GO-2023-1495.yaml b/data/reports/GO-2023-1495.yaml
index f6d7b8a2..7663a0f1 100644
--- a/data/reports/GO-2023-1495.yaml
+++ b/data/reports/GO-2023-1495.yaml
@@ -28,3 +28,6 @@ references:
 cve_metadata:
 id: CVE-2022-41721
 cwe: 'CWE 444: Inconsistent Interpretation of HTTP Requests ("HTTP Request/Response Smuggling)'
+ references:
+ - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X3H3EWQXM2XL5AGBX6UL443JEJ3GQXJN/
+ - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X5DXTLLWN6HKI5I35EUZRBISTNZJ75GP/
diff --git a/data/reports/GO-2023-1839.yaml b/data/reports/GO-2023-1839.yaml
index 322e7675..5a565006 100644
--- a/data/reports/GO-2023-1839.yaml
+++ b/data/reports/GO-2023-1839.yaml
@@ -28,3 +28,4 @@ cve_metadata:
 cwe: 'CWE-94: Improper Control of Generation of Code (''Code Injection'')'
 references:
 - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XBS3IIK6ADV24C5ULQU55QLT2UE762ZX/
+ - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NZ2O6YCO2IZMZJELQGZYR2WAUNEDLYV6/
diff --git a/data/reports/GO-2023-1840.yaml b/data/reports/GO-2023-1840.yaml
index bf38527c..d591bec7 100644
--- a/data/reports/GO-2023-1840.yaml
+++ b/data/reports/GO-2023-1840.yaml
@@ -30,3 +30,4 @@ cve_metadata:
 cwe: 'CWE-642: External Control of Critical State Data'
 references:
 - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XBS3IIK6ADV24C5ULQU55QLT2UE762ZX/
+ - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NZ2O6YCO2IZMZJELQGZYR2WAUNEDLYV6/
diff --git a/data/reports/GO-2023-1841.yaml b/data/reports/GO-2023-1841.yaml
index bc4da6ca..e0251b9f 100644
--- a/data/reports/GO-2023-1841.yaml
+++ b/data/reports/GO-2023-1841.yaml
@@ -29,3 +29,4 @@ cve_metadata:
 cwe: 'CWE-94: Improper Control of Generation of Code ("Code Injection")'
 references:
 - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XBS3IIK6ADV24C5ULQU55QLT2UE762ZX/
+ - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NZ2O6YCO2IZMZJELQGZYR2WAUNEDLYV6/
diff --git a/data/reports/GO-2023-1842.yaml b/data/reports/GO-2023-1842.yaml
index 9e62e6d5..fe7e7492 100644
--- a/data/reports/GO-2023-1842.yaml
+++ b/data/reports/GO-2023-1842.yaml
@@ -30,3 +30,4 @@ cve_metadata:
 cwe: 'CWE-88: Improper Neutralization of Argument Delimiters in a Command (''Argument Injection'')'
 references:
 - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XBS3IIK6ADV24C5ULQU55QLT2UE762ZX/
+ - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NZ2O6YCO2IZMZJELQGZYR2WAUNEDLYV6/
diff --git a/data/reports/GO-2023-1878.yaml b/data/reports/GO-2023-1878.yaml
index e33f19d4..d38d17c0 100644
--- a/data/reports/GO-2023-1878.yaml
+++ b/data/reports/GO-2023-1878.yaml
@@ -43,3 +43,5 @@ references:
 cve_metadata:
 id: CVE-2023-29406
 cwe: 'CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers (''HTTP Request/Response Splitting'')'
+ references:
+ - https://security.netapp.com/advisory/ntap-20230814-0002/
diff --git a/data/reports/GO-2023-1987.yaml b/data/reports/GO-2023-1987.yaml
index e3e55c6d..3edaf195 100644
--- a/data/reports/GO-2023-1987.yaml
+++ b/data/reports/GO-2023-1987.yaml
@@ -27,8 +27,8 @@ description: |-
 Extremely large RSA keys in certificate chains can cause a client/server to
 expend significant CPU time verifying signatures.
 
- With fix, the size of RSA keys transmitted during handshakes is
- restricted to <= 8192 bits.
+ With fix, the size of RSA keys transmitted during handshakes is restricted to <=
+ 8192 bits.
 
 Based on a survey of publicly trusted RSA keys, there are currently only three
 certificates in circulation with keys larger than this, and all three appear to
@@ -45,3 +45,5 @@ references:
 cve_metadata:
 id: CVE-2023-29409
 cwe: 'CWE-400: Uncontrolled Resource Consumption'
+ references:
+ - https://security.netapp.com/advisory/ntap-20230831-0010/
diff --git a/data/reports/GO-2023-1989.yaml b/data/reports/GO-2023-1989.yaml
index 85b798a0..c4e1fc51 100644
--- a/data/reports/GO-2023-1989.yaml
+++ b/data/reports/GO-2023-1989.yaml
@@ -13,12 +13,10 @@ modules:
 - DecodeConfig
 summary: Excessive resource consumption in golang.org/x/image/tiff
 description: |-
- The TIFF decoder does not place a limit on the size of
- compressed tile data. A maliciously-crafted image can
- exploit this to cause a small image (both in terms of
- pixel width/height, and encoded size) to make the decoder
- decode large amounts of compressed data, consuming
- excessive memory and CPU.
+ The TIFF decoder does not place a limit on the size of compressed tile data. A
+ maliciously-crafted image can exploit this to cause a small image (both in terms
+ of pixel width/height, and encoded size) to make the decoder decode large
+ amounts of compressed data, consuming excessive memory and CPU.
 credits:
 - Philippe Antoine (Catena cyber)
 references:
@@ -27,3 +25,5 @@ references:
 cve_metadata:
 id: CVE-2023-29408
 cwe: 'CWE-770: Allocation of Resources Without Limits or Throttling'
+ references:
+ - https://security.netapp.com/advisory/ntap-20230831-0009/
diff --git a/data/reports/GO-2023-1990.yaml b/data/reports/GO-2023-1990.yaml
index 71ed2120..da77530a 100644
--- a/data/reports/GO-2023-1990.yaml
+++ b/data/reports/GO-2023-1990.yaml
@@ -11,13 +11,14 @@ modules:
 derived_symbols:
 - Decode
 - DecodeConfig
-summary: Excessive CPU consumption when decoding 0-height images in golang.org/x/image/tiff
+summary: |-
+ Excessive CPU consumption when decoding 0-height images in
+ golang.org/x/image/tiff
 description: |-
 A maliciously-crafted image can cause excessive CPU consumption in decoding.
 
- A tiled image with a height of 0 and a very large width can cause
- excessive CPU consumption, despite the image size (width * height)
- appearing to be zero.
+ A tiled image with a height of 0 and a very large width can cause excessive CPU
+ consumption, despite the image size (width * height) appearing to be zero.
 credits:
 - Philippe Antoine (Catena cyber)
 references:
@@ -26,3 +27,5 @@ references:
 cve_metadata:
 id: CVE-2023-29407
 cwe: 'CWE-834: Excessive Iteration'
+ references:
+ - https://security.netapp.com/advisory/ntap-20230831-0009/
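Review bot: The new `summary: |-` literal block in the first hunk embeds a hard newline in the summary string between `in` and `golang.org/x/image/tiff`, which is a change in the value and not just in the source layout, unless the report loader re-joins lines on read; summaries elsewhere in this commit (GO-2023-1989) stay single-line plain scalars. If a one-line summary is intended, a folded scalar `summary: >-` keeps the 80-column wrap in the file while yielding a single line. The reflowed `description` blocks in this section and in GO-2023-1987 and GO-2023-1989 were already `|-`, so they are unaffected by the change in kind, but the summary is the field most likely to be rendered verbatim as a title.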