    package: jbig2dec
    ftp version: 0.19
    severity: MEDIUM
    summary: Use-of-uninitialized-value in jbig2_arith_decode
    published: 2020-07-14T05:37:48.869064Z
    affects: 0.18, 0.19
    references: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=23762



    package: libarchive
    ftp version: 3.5.2
    severity: HIGH
    summary: Heap-use-after-free in copy_string
    published: 2021-03-25T00:01:05.489589Z
    affects: 3.5.1, v3.4.1, v3.4.2, v3.4.3, v3.5.0, v3.5.1, v3.5.2
    references: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=32375



    package: libheif
    ftp version: 1.12.0
    severity: MEDIUM
    summary: Heap-buffer-overflow in Op_YCbCr_to_RGB::convert_colorspace
    published: 2020-08-30T00:00:07.006768Z
    affects: v1.10.0, v1.11.0, v1.8.0, v1.9.0, v1.9.1, v1.12.0
    references: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=25267



    package: libheif
    ftp version: 1.12.0
    severity: MEDIUM
    summary: Heap-buffer-overflow in derive_collocated_motion_vectors
    published: 2021-02-10T00:00:17.357392Z
    affects: v1.10.0, v1.11.0, v1.12.0, v1.8.0, v1.9.0, v1.9.1
    references: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=30568



    package: libheif
    ftp version: 1.12.0
    severity: None
    summary: Global-buffer-overflow in read_coding_unit
    published: 2021-04-03T00:00:33.651641Z
    affects: v1.10.0, v1.11.0, v1.12.0
    references: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=32791



    package: libpcap
    ftp version: 1.10.0
    severity: MEDIUM
    summary: Use-of-uninitialized-value in pcap_filter_with_aux_data
    published: 2020-07-14T05:37:43.627443Z
    affects: libpcap-1.10-bp, libpcap-1.10.0, libpcap-1.10.1
    references: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=22220



    package: libredwg
    ftp version: 0.12.4
    severity: None
    summary: Segv on unknown address in dwg_free_summaryinfo
    published: 2021-04-10T00:00:11.142635Z
    affects: 0.12.3.4163, 0.12.3.4165, 0.12.3.4167, 0.12.3.4173, 0.12.3.4176, 0.12.3.4178, 0.12.3.4180, 0.12.3.4185, 0.12.3.4189, 0.12.3.4191, 0.12.3.4194, 0.12.3.4201, 0.12.3.4203, 0.12.3.4206, 0.12.3.4219, 0.12.3.4221, 0.12.3.4229, 0.12.3.4231, 0.12.3.4244, 0.12.3.4248, 0.12.3.4250, 0.12.3.4253, 0.12.3.4261, 0.12.3.4264, 0.12.3.4267, 0.12.3.4270, 0.12.3.4273, 0.12.3.4280, 0.12.4, 0.12.4.4288, 0.12.4.4296, 0.12.4.4298, 0.12.4.4300, 0.12.4.4302, 0.12.4.4307, 0.12.4.4313, 0.12.4.4317, 0.12.4.4321, 0.12.4.4324, 0.12.4.4331, 0.12.4.4338, 0.12.4.4343, 0.12.4.4348
    references: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=33059



    package: libredwg
    ftp version: 0.12.4
    severity: None
    summary: Heap-use-after-free in dwg_free_TABLEGEOMETRY_private
    published: 2021-05-18T00:00:05.875957Z
    affects: 0.12.3.4163, 0.12.3.4165, 0.12.3.4167, 0.12.3.4173, 0.12.3.4176, 0.12.3.4178, 0.12.3.4180, 0.12.3.4185, 0.12.3.4189, 0.12.3.4191, 0.12.3.4194, 0.12.3.4201, 0.12.3.4203, 0.12.3.4206, 0.12.3.4219, 0.12.3.4221, 0.12.3.4229, 0.12.3.4231, 0.12.3.4244, 0.12.3.4248, 0.12.3.4250, 0.12.3.4253, 0.12.3.4261, 0.12.3.4264, 0.12.3.4267, 0.12.3.4270, 0.12.3.4273, 0.12.3.4280, 0.12.4, 0.12.4.4288, 0.12.4.4296, 0.12.4.4298, 0.12.4.4300, 0.12.4.4302, 0.12.4.4307, 0.12.4.4313, 0.12.4.4317, 0.12.4.4321, 0.12.4.4324, 0.12.4.4331, 0.12.4.4338, 0.12.4.4343, 0.12.4.4348
    references: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=34377



    package: libsass
    ftp version: 3.6.0
    severity: HIGH
    summary: Bad-cast to Sass::PreValue from Sass::Unary_Expression
    published: 2020-07-28T00:00:14.887375Z
    affects: 3.6.0, 3.6.1, 3.6.2, 3.6.3, 3.6.4, 3.6.5
    references: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15896



    package: libsass
    ftp version: 3.6.0
    severity: MEDIUM
    summary: Heap-buffer-overflow in Sass::Prelexer::quoted_string
    published: 2020-07-01T00:00:27.416077Z
    affects: 3.6.0, 3.6.1, 3.6.2, 3.6.3
    references: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15890



    package: libxml2
    ftp version: 2.9.12
    severity: HIGH
    summary: Heap-use-after-free in xmlAddNextSibling
    published: 2021-05-20T00:00:30.166614Z
    affects: CVE-2021-3541, v2.9.11, v2.9.12
    references: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=34461



    package: python-cjson
    ftp version: 1.0.5
    severity:
    summary: Dan Pascu python-cjson 1.0.5 does not properly handle a ['/'] argument to cjson.encode, which makes it easier for remote attackers to conduct certain cross-site scripting (XSS) attacks involving Firefox and the end tag of a SCRIPT element.
    published: 2010-07-02T19:30:00Z
    affects: 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5
    references: http://t3.dotgnu.info/blog/insecurity/quotes-dont-help.html http://pypi.python.org/pypi/python-cjson/



    package: python-cjson
    ftp version: 1.0.5
    severity:
    summary: Buffer overflow in Dan Pascu python-cjson 1.0.5, when UCS-4 encoding is enabled, allows context-dependent attackers to cause a denial of service (application crash) or possibly have unspecified other impact via vectors involving crafted Unicode input to the cjson.encode function.
    published: 2010-07-02T19:00:00Z
    affects: 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5
    references: http://secunia.com/advisories/40335 https://bugs.launchpad.net/ubuntu/+source/python-cjson/+bug/585274 http://www.vupen.com/english/advisories/2010/1774 http://www.debian.org/security/2010/dsa-2068 http://secunia.com/advisories/40500



    package: python-gnupg
    ftp version: 0.3.2
    severity:
    summary: python-gnupg before 0.3.5 allows context-dependent attackers to execute arbitrary commands via shell metacharacters in unspecified vectors.
    published: 2014-06-09T19:55:00Z
    affects: 0.2.3, 0.2.4, 0.2.6, 0.2.7, 0.2.8, 0.2.9, 0.3.0, 0.3.1, 0.3.2, 0.3.3, 0.3.4
    references: http://seclists.org/oss-sec/2014/q1/244 https://code.google.com/p/python-gnupg/ http://seclists.org/oss-sec/2014/q1/294 http://seclists.org/oss-sec/2014/q1/243 http://secunia.com/advisories/56616 http://www.debian.org/security/2014/dsa-2946 http://secunia.com/advisories/59031



    package: python-gnupg
    ftp version: 0.3.2
    severity:
    summary: The shell_quote function in python-gnupg 0.3.5 does not properly escape characters, which allows context-dependent attackers to execute arbitrary code via shell metacharacters in unspecified vectors, as demonstrated using "\" (backslash) characters to form multi-command sequences, a different vulnerability than CVE-2014-1927. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-7323.
    published: 2014-10-25T21:55:00Z
    affects: 0.2.3, 0.2.4, 0.2.6, 0.2.7, 0.2.8, 0.2.9, 0.3.0, 0.3.1, 0.3.2, 0.3.3, 0.3.4, 0.3.5
    references: http://www.debian.org/security/2014/dsa-2946 https://code.google.com/p/python-gnupg/issues/detail?id=98 http://secunia.com/advisories/56616 http://secunia.com/advisories/59031 http://seclists.org/oss-sec/2014/q1/294 https://code.google.com/p/python-gnupg/ http://seclists.org/oss-sec/2014/q1/246



    package: python-gnupg
    ftp version: 0.3.2
    severity:
    summary: python-gnupg 0.4.3 allows context-dependent attackers to trick gnupg to decrypt other ciphertext than intended. To perform the attack, the passphrase to gnupg must be controlled by the adversary and the ciphertext should be trusted. Related to a "CWE-20: Improper Input Validation" issue affecting the affect functionality component.
    published: 2019-03-21T16:01:00Z
    affects: 0.2.3, 0.2.4, 0.2.6, 0.2.7, 0.2.8, 0.2.9, 0.3.0, 0.3.1, 0.3.2, 0.3.3, 0.3.4, 0.3.5, 0.3.6, 0.3.7, 0.3.8, 0.3.9, 0.4.0, 0.4.1, 0.4.2, 0.4.3
    references: https://seclists.org/bugtraq/2019/Jan/41 https://pypi.org/project/python-gnupg/#history https://lists.debian.org/debian-lts-announce/2019/02/msg00021.html http://www.securityfocus.com/bid/106756 http://packetstormsecurity.com/files/151341/Python-GnuPG-0.4.3-Improper-Input-Validation.html http://lists.opensuse.org/opensuse-security-announce/2019-02/msg00058.html http://lists.opensuse.org/opensuse-security-announce/2019-02/msg00008.html https://blog.hackeriet.no/cve-2019-6690-python-gnupg-vulnerability/ https://usn.ubuntu.com/3964-1/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W6KYZMN2PWXY4ENZVJUVTGFBVYEVY7II/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X4VFRUG56542LTYK4444TPJBGR57MT25/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3WMV6XNPPL3VB3RQRFFOBCJ3AGWC4K47/



    package: python-jose
    ftp version: 1.0.0
    severity:
    summary: python-jose before 1.3.2 allows attackers to have unspecified impact by leveraging failure to use a constant time comparison for HMAC keys.
    published: 2017-01-23T21:59:00Z
    affects: 0.1.0, 0.1.1, 0.1.2, 0.1.3, 0.1.4, 0.1.5, 0.1.6, 0.1.7, 0.1.8, 0.2.0, 0.3.0, 0.4.0, 0.5.0, 0.5.1, 0.5.2, 0.5.3, 0.5.4, 0.5.5, 0.5.6, 0.6.1, 0.6.2, 0.7.0, 1.0.0, 1.1.0, 1.2.0, 1.3.0, 1.3.1
    references: https://github.com/mpdavis/python-jose/releases/tag/1.3.2 https://github.com/mpdavis/python-jose/pull/35/commits/89b46353b9f611e9da38de3d2fedf52331167b93 http://www.securityfocus.com/bid/95845



    package: qemu
    ftp version: 5.2.0
    severity: MEDIUM
    summary: Heap-buffer-overflow in msix_vector_masked
    published: 2020-11-15T22:34:13.437070Z
    affects: v5.2.0, v5.2.0-rc1, v5.2.0-rc2, v5.2.0-rc3, v5.2.0-rc4
    references: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27418



    package: qemu
    ftp version: 5.2.0
    severity: HIGH
    summary: Heap-use-after-free in e1000e_write_packet_to_guest
    published: 2020-12-04T00:00:19.497055Z
    affects: v5.2.0, v5.2.0-rc2, v5.2.0-rc3, v5.2.0-rc4
    references: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28194



    package: qpdf
    ftp version: 9.1.1
    severity: MEDIUM
    summary: Use-of-uninitialized-value in QPDFWriter::unparseObject
    published: 2020-07-28T00:00:11.620686Z
    affects: release-qpdf-10.0.0, release-qpdf-10.0.1, release-qpdf-9.1.0, release-qpdf-9.1.1, release-qpdf-9.1.rc1
    references: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=18633



    package: qpdf
    ftp version: 9.1.1
    severity: HIGH
    summary: Heap-buffer-overflow in Pl_ASCII85Decoder::write
    published: 2020-12-06T00:00:11.834199Z
    affects: release-qpdf-10.0.0, release-qpdf-10.0.1, release-qpdf-10.0.2, release-qpdf-10.0.3, release-qpdf-10.0.4, release-qpdf-9.0.0, release-qpdf-9.0.1, release-qpdf-9.0.2, release-qpdf-9.1.0, release-qpdf-9.1.1, release-qpdf-9.1.rc1
    references: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28262



    package: qpdf
    ftp version: 9.1.1
    severity: MEDIUM
    summary: Use-of-uninitialized-value in read_markers
    published: 2020-07-14T05:37:42.500988Z
    affects: release-qpdf-10.0.0, release-qpdf-10.0.1, release-qpdf-9.0.0, release-qpdf-9.0.1, release-qpdf-9.0.2, release-qpdf-9.1.0, release-qpdf-9.1.1, release-qpdf-9.1.rc1
    references: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=23581



    package: qpdf
    ftp version: 9.1.1
    severity: MEDIUM
    summary: Use-of-uninitialized-value in ycck_cmyk_convert
    published: 2020-07-14T22:13:44.357655Z
    affects: release-qpdf-10.0.0, release-qpdf-10.0.1, release-qpdf-9.0.0, release-qpdf-9.0.1, release-qpdf-9.0.2, release-qpdf-9.1.0, release-qpdf-9.1.1, release-qpdf-9.1.rc1
    references: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=18732



    package: qpdf
    ftp version: 9.1.1
    severity: MEDIUM
    summary: Use-of-uninitialized-value in deflate_slow
    published: 2020-07-14T22:13:46.996334Z
    affects: release-qpdf-10.0.0, release-qpdf-10.0.1, release-qpdf-9.0.0, release-qpdf-9.0.1, release-qpdf-9.0.2, release-qpdf-9.1.0, release-qpdf-9.1.1, release-qpdf-9.1.rc1
    references: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=18745



    package: qpdf
    ftp version: 9.1.1
    severity: MEDIUM
    summary: Use-of-uninitialized-value in QPDFTokenizer::isSpace
    published: 2020-07-14T22:13:49.052148Z
    affects: release-qpdf-10.0.0, release-qpdf-10.0.1, release-qpdf-9.0.0, release-qpdf-9.0.1, release-qpdf-9.0.2, release-qpdf-9.1.0, release-qpdf-9.1.1, release-qpdf-9.1.rc1
    references: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20391



    package: roundup
    ftp version: 1.4.8
    severity:
    summary: Cross-site scripting (XSS) vulnerability in cgi/client.py in Roundup before 1.4.14 allows remote attackers to inject arbitrary web script or HTML via the template argument to the /issue program.
    published: 2010-09-24T19:00:00Z
    affects: 0.5.9, 0.6.11, 0.6.8, 0.6.9, 0.7.0, 0.7.0b3, 0.7.1, 0.7.11, 0.7.12, 0.7.2, 0.7.3, 0.7.4, 0.7.5, 0.7.7, 0.7.8, 0.7.9, 0.8.0, 0.8.0b1, 0.8.1, 0.8.2, 0.8.3, 0.8.4, 0.8.5, 0.8.6, 0.9.0b1, 1.0, 1.0.1, 1.1.0, 1.1.1, 1.1.2, 1.2.0, 1.2.1, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.4.0, 1.4.1, 1.4.10, 1.4.11, 1.4.12, 1.4.13, 1.4.2, 1.4.3, 1.4.4, 1.4.5.1, 1.4.6, 1.4.7, 1.4.8, 1.4.9
    references: http://lists.fedoraproject.org/pipermail/package-announce/2010-September/048221.html http://www.securityfocus.com/bid/41326 http://bugs.gentoo.org/show_bug.cgi?id=326395 https://bugzilla.redhat.com/show_bug.cgi?id=610861 http://lists.fedoraproject.org/pipermail/package-announce/2010-September/048018.html http://roundup.svn.sourceforge.net/viewvc/roundup?view=revision&revision=4486 http://issues.roundup-tracker.org/issue2550654 http://sourceforge.net/mailarchive/message.php?msg_name=AANLkTimIYtyRzTAReGmTSCEqPYBvwkkxrP6YKrdVm_nU%40mail.gmail.com http://secunia.com/advisories/41585 http://www.openwall.com/lists/oss-security/2010/07/02/12 http://lists.fedoraproject.org/pipermail/package-announce/2010-September/048061.html http://www.openwall.com/lists/oss-security/2010/07/02/3 http://roundup.svn.sourceforge.net/viewvc/roundup/roundup/trunk/roundup/cgi/client.py?r1=4486&r2=4485&pathrev=4486 http://secunia.com/advisories/40433



    package: roundup
    ftp version: 1.4.8
    severity:
    summary: Cross-site scripting (XSS) vulnerability in the history display in Roundup before 1.4.20 allows remote attackers to inject arbitrary web script or HTML via a username, related to generating a link.
    published: 2014-04-11T15:55:00Z
    affects: 0.5.9, 0.6.11, 0.6.8, 0.6.9, 0.7.0, 0.7.0b3, 0.7.1, 0.7.11, 0.7.12, 0.7.2, 0.7.3, 0.7.4, 0.7.5, 0.7.7, 0.7.8, 0.7.9, 0.8.0, 0.8.0b1, 0.8.1, 0.8.2, 0.8.3, 0.8.4, 0.8.5, 0.8.6, 0.9.0b1, 1.0, 1.0.1, 1.1.0, 1.1.1, 1.1.2, 1.2.0, 1.2.1, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.4.0, 1.4.1, 1.4.10, 1.4.11, 1.4.12, 1.4.13, 1.4.14, 1.4.15, 1.4.16, 1.4.17, 1.4.18, 1.4.19, 1.4.2, 1.4.3, 1.4.4, 1.4.5.1, 1.4.6, 1.4.7, 1.4.8, 1.4.9
    references: http://issues.roundup-tracker.org/issue2550684 https://pypi.python.org/pypi/roundup/1.4.20 http://www.openwall.com/lists/oss-security/2012/11/10/2 https://bugzilla.redhat.com/show_bug.cgi?id=722672 http://www.openwall.com/lists/oss-security/2013/02/13/8 https://exchange.xforce.ibmcloud.com/vulnerabilities/84189



    package: roundup
    ftp version: 1.4.8
    severity:
    summary: Cross-site scripting (XSS) vulnerability in cgi/client.py in Roundup before 1.4.20 allows remote attackers to inject arbitrary web script or HTML via the @action parameter to support/issue1.
    published: 2014-04-11T15:55:00Z
    affects: 0.5.9, 0.6.11, 0.6.8, 0.6.9, 0.7.0, 0.7.0b3, 0.7.1, 0.7.11, 0.7.12, 0.7.2, 0.7.3, 0.7.4, 0.7.5, 0.7.7, 0.7.8, 0.7.9, 0.8.0, 0.8.0b1, 0.8.1, 0.8.2, 0.8.3, 0.8.4, 0.8.5, 0.8.6, 0.9.0b1, 1.0, 1.0.1, 1.1.0, 1.1.1, 1.1.2, 1.2.0, 1.2.1, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.4.0, 1.4.1, 1.4.10, 1.4.11, 1.4.12, 1.4.13, 1.4.14, 1.4.15, 1.4.16, 1.4.17, 1.4.18, 1.4.19, 1.4.2, 1.4.3, 1.4.4, 1.4.5.1, 1.4.6, 1.4.7, 1.4.8, 1.4.9
    references: http://www.openwall.com/lists/oss-security/2013/02/13/8 http://issues.roundup-tracker.org/issue2550711 http://www.openwall.com/lists/oss-security/2012/11/10/2 https://pypi.python.org/pypi/roundup/1.4.20 https://bugzilla.redhat.com/show_bug.cgi?id=722672 https://exchange.xforce.ibmcloud.com/vulnerabilities/84190



    package: roundup
    ftp version: 1.4.8
    severity:
    summary: Cross-site scripting (XSS) vulnerability in Roundup before 1.4.20 allows remote attackers to inject arbitrary web script or HTML via the otk parameter.
    published: 2014-04-10T20:29:00Z
    affects: 0.5.9, 0.6.11, 0.6.8, 0.6.9, 0.7.0, 0.7.0b3, 0.7.1, 0.7.11, 0.7.12, 0.7.2, 0.7.3, 0.7.4, 0.7.5, 0.7.7, 0.7.8, 0.7.9, 0.8.0, 0.8.0b1, 0.8.1, 0.8.2, 0.8.3, 0.8.4, 0.8.5, 0.8.6, 0.9.0b1, 1.0, 1.0.1, 1.1.0, 1.1.1, 1.1.2, 1.2.0, 1.2.1, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.4.0, 1.4.1, 1.4.10, 1.4.11, 1.4.12, 1.4.13, 1.4.14, 1.4.15, 1.4.16, 1.4.17, 1.4.18, 1.4.19, 1.4.2, 1.4.3, 1.4.4, 1.4.5.1, 1.4.6, 1.4.7, 1.4.8, 1.4.9
    references: http://www.openwall.com/lists/oss-security/2012/11/10/2 http://www.openwall.com/lists/oss-security/2013/02/13/8 https://bugzilla.redhat.com/show_bug.cgi?id=722672 https://exchange.xforce.ibmcloud.com/vulnerabilities/84191



    package: roundup
    ftp version: 1.4.8
    severity:
    summary: schema.py in Roundup before 1.5.1 does not properly limit attributes included in default user permissions, which might allow remote authenticated users to obtain sensitive user information by viewing user details.
    published: 2016-04-13T14:59:00Z
    affects: 0.5.9, 0.6.11, 0.6.8, 0.6.9, 0.7.0, 0.7.0b3, 0.7.1, 0.7.11, 0.7.12, 0.7.2, 0.7.3, 0.7.4, 0.7.5, 0.7.7, 0.7.8, 0.7.9, 0.8.0, 0.8.0b1, 0.8.1, 0.8.2, 0.8.3, 0.8.4, 0.8.5, 0.8.6, 0.9.0b1, 1.0, 1.0.1, 1.1.0, 1.1.1, 1.1.2, 1.2.0, 1.2.1, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.4.0, 1.4.1, 1.4.10, 1.4.11, 1.4.12, 1.4.13, 1.4.14, 1.4.15, 1.4.16, 1.4.17, 1.4.18, 1.4.19, 1.4.2, 1.4.20, 1.4.21, 1.4.3, 1.4.4, 1.4.5.1, 1.4.6, 1.4.7, 1.4.8, 1.4.9, 1.5.0
    references: http://hg.code.sf.net/p/roundup/code/rev/a403c29ffaf9 https://sourceforge.net/p/roundup/code/ci/tip/tree/CHANGES.txt http://www.debian.org/security/2016/dsa-3502



    package: roundup
    ftp version: 1.4.8
    severity:
    summary: Roundup 1.6 allows XSS via the URI because frontends/roundup.cgi and roundup/cgi/wsgi_handler.py mishandle 404 errors.
    published: 2019-04-06T20:29:00Z
    affects: 0.5.9, 0.6.11, 0.6.8, 0.6.9, 0.7.0, 0.7.0b3, 0.7.1, 0.7.11, 0.7.12, 0.7.2, 0.7.3, 0.7.4, 0.7.5, 0.7.7, 0.7.8, 0.7.9, 0.8.0, 0.8.0b1, 0.8.1, 0.8.2, 0.8.3, 0.8.4, 0.8.5, 0.8.6, 0.9.0b1, 1.0, 1.0.1, 1.1.0, 1.1.1, 1.1.2, 1.2.0, 1.2.1, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.4.0, 1.4.1, 1.4.10, 1.4.11, 1.4.12, 1.4.13, 1.4.14, 1.4.15, 1.4.16, 1.4.17, 1.4.18, 1.4.19, 1.4.2, 1.4.20, 1.4.21, 1.4.3, 1.4.4, 1.4.5.1, 1.4.6, 1.4.7, 1.4.8, 1.4.9, 1.5.0, 1.5.1, 1.6.0, 1.6.1, 2.0.0alpha0, 2.0.0beta0
    references: https://www.openwall.com/lists/oss-security/2019/04/05/1 https://github.com/python/bugs.python.org/issues/34 https://bugs.python.org/issue36391 http://www.openwall.com/lists/oss-security/2019/04/07/1 https://lists.debian.org/debian-lts-announce/2019/04/msg00009.html



    package: roundup
    ftp version: 1.4.8
    severity:
    summary: Multiple cross-site scripting (XSS) vulnerabilities in Roundup before 1.4.20 allow remote attackers to inject arbitrary web script or HTML via the (1) @ok_message or (2) @error_message parameter to issue*.
    published: 2020-01-30T21:15:00Z
    affects: 0.5.9, 0.6.11, 0.6.8, 0.6.9, 0.7.0, 0.7.0b3, 0.7.1, 0.7.11, 0.7.12, 0.7.2, 0.7.3, 0.7.4, 0.7.5, 0.7.7, 0.7.8, 0.7.9, 0.8.0, 0.8.0b1, 0.8.1, 0.8.2, 0.8.3, 0.8.4, 0.8.5, 0.8.6, 0.9.0b1, 1.0, 1.0.1, 1.1.0, 1.1.1, 1.1.2, 1.2.0, 1.2.1, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.4.0, 1.4.1, 1.4.10, 1.4.11, 1.4.12, 1.4.13, 1.4.14, 1.4.15, 1.4.16, 1.4.17, 1.4.18, 1.4.19, 1.4.2, 1.4.3, 1.4.4, 1.4.5.1, 1.4.6, 1.4.7, 1.4.8, 1.4.9
    references: https://pypi.python.org/pypi/roundup/1.4.20 http://www.openwall.com/lists/oss-security/2013/02/13/8 http://www.openwall.com/lists/oss-security/2012/11/10/2 https://bugzilla.redhat.com/show_bug.cgi?id=722672 http://issues.roundup-tracker.org/issue2550724



    package: scapy
    ftp version: 2.2.0
    severity:
    summary: scapy 2.4.0 is affected by: Denial of Service. The impact is: infinite loop, resource consumption and program unresponsive. The component is: _RADIUSAttrPacketListField.getfield(self..). The attack vector is: over the network or in a pcap. both work.
    published: 2019-07-19T16:15:00Z
    affects: 2.2.0-dev, 2.3.1, 2.3.2, 2.3.3, 2.4rc2, 2.4.0rc3, 2.4.0rc4, 2.4.0rc5, 2.4.0
    references: https://github.com/secdev/scapy/pull/1409/files#diff-441eff981e466959968111fc6314fe93L1058 https://github.com/secdev/scapy/pull/1409 https://www.imperva.com/blog/scapy-sploit-python-network-tool-is-vulnerable-to-denial-of-service-dos-attack-cve-pending/ http://www.securityfocus.com/bid/106674 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T46XW4S5BCA3VV3JT3C5Q6LBEXSIACLN/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/42NRPMC3NS2QVFNIXYP6WV2T3LMLLY7E/



    multiprocessing.pool.RemoteTraceback:
    """
    Traceback (most recent call last):
    File "/usr/lib64/python3.9/multiprocessing/pool.py", line 125, in worker
    result = (True, func(*args, **kwds))
    File "/usr/lib64/python3.9/multiprocessing/pool.py", line 51, in starmapstar
    return list(itertools.starmap(args[0], args[1]))
    File "/usr/share/python3.9/site-packages/ratelimit/decorators.py", line 113, in wrapper
    return func(*args, **kargs)
    File "/usr/share/python3.9/site-packages/ratelimit/decorators.py", line 80, in wrapper
    return func(*args, **kargs)
    File "/home/pld/admins/th/bin/query-vuln.py", line 50, in get_status
    vuln['ecosystem_specific']['severity'] if 'ecosystem_specific' in vuln else '',
    KeyError: 'severity'
    """

    The above exception was the direct cause of the following exception:

    Traceback (most recent call last):
    File "/home/pld/admins/th/bin/query-vuln.py", line 79, in
    run_worker(get_status, p)
    File "/home/pld/admins/th/bin/query-vuln.py", line 63, in run_worker
    ret = pool.starmap(function, args)
    File "/usr/lib64/python3.9/multiprocessing/pool.py", line 372, in starmap
    return self._map_async(func, iterable, starmapstar, chunksize).get()
    File "/usr/lib64/python3.9/multiprocessing/pool.py", line 771, in get
    raise self._value
    KeyError: 'severity'



    package: supervisor
    ftp version: 3.0
    severity:
    summary: The XML-RPC server in supervisor before 3.0.1, 3.1.x before 3.1.4, 3.2.x before 3.2.4, and 3.3.x before 3.3.3 allows remote authenticated users to execute arbitrary commands via a crafted XML-RPC request, related to nested supervisord namespace lookups.
    published: 2017-08-23T14:29:00Z
    affects: 2.0, 2.0b1, 2.1, 2.1b1, 2.2b1, 3.0, 3.0a1, 3.0a10, 3.0a11, 3.0a12, 3.0a2, 3.0a3, 3.0a4, 3.0a5, 3.0a6, 3.0a7, 3.0a8, 3.0a9, 3.0b1, 3.0b2, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.2.0, 3.2.1, 3.2.2, 3.2.3, 3.3.0, 3.3.1, 3.3.2, a3
    references: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JXGWOJNSWWK2TTWQJZJUP66FLFIWDMBQ/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DTPDZV4ZRICDYAYZVUHSYZAYDLRMG2IM/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4GMSCGMM477N64Z3BM34RWYBGSLK466B/ https://github.com/Supervisor/supervisor/issues/964 https://github.com/Supervisor/supervisor/blob/3.3.3/CHANGES.txt https://github.com/Supervisor/supervisor/blob/3.2.4/CHANGES.txt https://github.com/Supervisor/supervisor/blob/3.1.4/CHANGES.txt https://github.com/Supervisor/supervisor/blob/3.0.1/CHANGES.txt http://www.debian.org/security/2017/dsa-3942 https://security.gentoo.org/glsa/201709-06 https://www.exploit-db.com/exploits/42779/ https://access.redhat.com/errata/RHSA-2017:3005



    package: supervisor
    ftp version: 3.0
    severity:
    summary: ** DISPUTED ** In Supervisor through 4.0.2, an unauthenticated user can read log files or restart a service. Note: The maintainer responded that the affected component, inet_http_server, is not enabled by default but if the user enables it and does not set a password, Supervisor logs a warning message. The maintainer indicated the ability to run an open server will not be removed but an additional warning was added to the documentation.
    published: 2019-09-10T17:15:00Z
    affects: a3, 2.0b1, 2.0, 2.1b1, 2.1, 2.2b1, 3.0a1, 3.0a2, 3.0a3, 3.0a4, 3.0a5, 3.0a6, 3.0a7, 3.0a8, 3.0a9, 3.0a10, 3.0a11, 3.0a12, 3.0b1, 3.0b2, 3.0, 3.0.1, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.2.0, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 3.4.0, 4.0.0, 4.0.1, 4.0.2
    references: https://github.com/Supervisor/supervisor/commit/4e334d9cf2a1daff685893e35e72398437df3dcb https://github.com/Supervisor/supervisor/issues/1245 http://supervisord.org/configuration.html#inet-http-server-section-settings



    package: unoconv
    ftp version: 0.8.2
    severity:
    summary: The unoconv package before 0.9 mishandles untrusted pathnames, leading to SSRF and local file inclusion.
    published: 2019-10-21T23:15:00Z
    affects: 0.6, 0.8.2
    references: https://github.com/unoconv/unoconv/pull/510 https://buer.haus/2019/10/18/a-tale-of-exploitation-in-spreadsheet-file-conversions/