msuiche
commented
1 year ago This package is only used in build-dependencies which is low priority and the latest version of vergen is 7.4.3 - https://github.com/rustyhorde/vergen
Open mend-for-github-com[bot] opened 1 year ago
msuiche
commented
1 year ago This package is only used in build-dependencies which is low priority and the latest version of vergen is 7.4.3 - https://github.com/rustyhorde/vergen
Found in HEAD commit: ff1328545be7a0c82f80f4b3686f867ef0be5adc
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the section "Details" below to see if there is a version of transitive dependency where vulnerability is fixed.
Details
CVE-2022-37434
### Vulnerable Libraries - libz-sys-1.1.8.crate, libgit2-sys-0.13.4+1.4.2.crate### libz-sys-1.1.8.crate
Low-level bindings to the system libz library (also known as zlib).
Library home page: https://crates.io/api/v1/crates/libz-sys/1.1.8/download
Dependency Hierarchy: - vergen-7.4.3.crate (Root Library) - git2-0.14.4.crate - libgit2-sys-0.13.4+1.4.2.crate - :x: **libz-sys-1.1.8.crate** (Vulnerable Library) ### libgit2-sys-0.13.4+1.4.2.crate
Native bindings to the libgit2 library
Library home page: https://crates.io/api/v1/crates/libgit2-sys/0.13.4+1.4.2/download
Dependency Hierarchy: - vergen-7.4.3.crate (Root Library) - git2-0.14.4.crate - :x: **libgit2-sys-0.13.4+1.4.2.crate** (Vulnerable Library)
Found in HEAD commit: ff1328545be7a0c82f80f4b3686f867ef0be5adc
Found in base branch: main
### Vulnerability Detailszlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. Some common applications bundle the affected zlib source code but may be unable to call inflateGetHeader (e.g., see the nodejs/node reference).
Publish Date: 2022-08-05
URL: CVE-2022-37434
### CVSS 3 Score Details (9.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here.
CVE-2018-25032
### Vulnerable Libraries - libgit2-sys-0.13.4+1.4.2.crate, libz-sys-1.1.8.crate### libgit2-sys-0.13.4+1.4.2.crate
Native bindings to the libgit2 library
Library home page: https://crates.io/api/v1/crates/libgit2-sys/0.13.4+1.4.2/download
Dependency Hierarchy: - vergen-7.4.3.crate (Root Library) - git2-0.14.4.crate - :x: **libgit2-sys-0.13.4+1.4.2.crate** (Vulnerable Library) ### libz-sys-1.1.8.crate
Low-level bindings to the system libz library (also known as zlib).
Library home page: https://crates.io/api/v1/crates/libz-sys/1.1.8/download
Dependency Hierarchy: - vergen-7.4.3.crate (Root Library) - git2-0.14.4.crate - libgit2-sys-0.13.4+1.4.2.crate - :x: **libz-sys-1.1.8.crate** (Vulnerable Library)
Found in HEAD commit: ff1328545be7a0c82f80f4b3686f867ef0be5adc
Found in base branch: main
### Vulnerability Detailszlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.
Publish Date: 2022-03-25
URL: CVE-2018-25032
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-25032
Release Date: 2022-03-25
Fix Resolution: libstd-rs - 1.57.0;bioconductor-netreg - 1.13.1;tcl - 8.6.11;sudo - 1.8.32;bjam-native - 1.74.0;ccache - 4.1,3.3.4;libgit2 - 1.3.0;cmake - 3.19.5,3.7.2,3.7.0,3.22.0,3.17.3;slamdunk - 0.4.0;rsync - 3.2.1;cmake-native - 3.15.5,3.18.4,3.17.3,3.22.0,3.7.0;mentalist - 0.2.3;ghostscript - 9.55.0
WS-2020-0368
### Vulnerable Libraries - libz-sys-1.1.8.crate, libgit2-sys-0.13.4+1.4.2.crate### libz-sys-1.1.8.crate
Low-level bindings to the system libz library (also known as zlib).
Library home page: https://crates.io/api/v1/crates/libz-sys/1.1.8/download
Dependency Hierarchy: - vergen-7.4.3.crate (Root Library) - git2-0.14.4.crate - libgit2-sys-0.13.4+1.4.2.crate - :x: **libz-sys-1.1.8.crate** (Vulnerable Library) ### libgit2-sys-0.13.4+1.4.2.crate
Native bindings to the libgit2 library
Library home page: https://crates.io/api/v1/crates/libgit2-sys/0.13.4+1.4.2/download
Dependency Hierarchy: - vergen-7.4.3.crate (Root Library) - git2-0.14.4.crate - :x: **libgit2-sys-0.13.4+1.4.2.crate** (Vulnerable Library)
Found in HEAD commit: ff1328545be7a0c82f80f4b3686f867ef0be5adc
Found in base branch: main
### Vulnerability DetailsZlib in versions v0.8 to v1.2.11 is vulnerable to use-of-uninitialized-value in inflate. There are a couple of places in inflate() where UPDATE is called with state->check as its first parameter, without a guarantee that this value has been initialized (state comes from a ZALLOC in inflateInit). This causes use of uninitialized check value.
Publish Date: 2020-02-22
URL: WS-2020-0368
### CVSS 3 Score Details (6.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/WS-2020-0368
Release Date: 2020-02-22
Fix Resolution: cmake-native - 3.15.5;binutils-cross-testsuite - 2.35;libstd-rs - 1.57.0;gdb - 11.1,9.2;tcl - 8.6.11;sudo - 1.8.32;binutils - 2.35,2.28;ccache - 3.3.3,4.1;libgit2 - 1.3.0;cmake - 3.19.5,3.7.0,3.7.2,3.22.0,3.17.3;cmake-native - 3.17.3,3.7.0,3.22.0,3.18.4;ghostscript - 9.55.0