Open xyzeva opened 11 months ago
Mark figma-linux as vulnerable to this CVE in #261404 until fix is available.
Maintainer will update on next release see: https://github.com/Figma-Linux/figma-linux/issues/341#issuecomment-1764332718
I suggest marking pulsar, as vulnerable in #262376 because it uses a very outdated version of electron and doesn't seem to plan to bundle a new version anytime soon.
Update pycharm here: #262418
And idea was updated by this pr: #260965
Have opened a draft pr fixing nwjs #262424, but I still need to do some more testing to ensure nothing breaks.
Edit: Corrected the PR, so it points to the PR...
The current stable version of Zotero, based on Firefox 60 as discussed earlier here, is not going to get patched from what I can tell, so #262808 marks it as vulnerable until Zotero 7 hits GA.
Hi, as much as I would love to see Zotero 7 come to GA, it seems Zotero 6 has been patched: "Changes in 6.0.30 (November 2, 2023), [Security] Disabled libvpx support (CVE-2023-5217)" (https://www.zotero.org/support/changelog).
Hi, for those interested, I managed to package Zotero 7 built from source in https://github.com/camillemndn/nixos-config/tree/main/pkgs/applications/office/zotero, but I could not upstream it since it is based on Firefox 102 which is already deprecated...
Opened https://github.com/NixOS/nixpkgs/pull/266033 to update Zotero 6
Good job building Zotero 7 from source. Zotero seems like a Heath Robinson machine, and the only way to distribute it is through its prebuilt, which is what the Zotero 6 nixos package is doing, I understand. I don't know why they need to vendor Firefox, but that's another story.
CVE-2023-5217 is a heap buffer overflow in libvpx's VP8 encoder. Many things, such as electron and more, vendor libvpx and are being tracked in this issue so we can fix them in nixpkgs.
This vulnerability is yet to be rated, but we can assume (as it's a heap buffer overflow) that it might be a big deal.
Current status
We currently have patched the libvpx package with #257941; vendored dependencies are tracked below.
How to help
Task list
[ ] Vendoring
This task list may or may not be complete; if you think we are missing something, please feel free to cc me! Here is the scan run by @delroth for vulnerable dependencies
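The issue body above asks for help finding packages that vendor a vulnerable libvpx. The following is an added example of how such a scan can be done, written for this page and not code from the nixpkgs issue or from @delroth's scan. It relies on two assumptions stated in the comments: that every libvpx build embeds its codec interface names with the version (strings of the form `WebM Project VP8 Encoder v1.13.0`, which live in `.rodata` and therefore survive stripping), and that libvpx 1.13.1 is the first release carrying the fix for CVE-2023-5217. The sample binaries are constructed byte strings so the block runs offline; `scan_tree` applies the same check to every regular file under a directory such as a Nix store path.

```python
import os
import re
from typing import Dict, List, Set, Tuple

Version = Tuple[int, int, int]

# Assumption: libvpx names its codec interfaces "WebM Project VP{8,9} {Encoder,Decoder} v<maj>.<min>.<patch>"
# (optionally followed by a git suffix), so this regex finds the vendored version in any binary.
VPX_IFACE_RE = re.compile(rb"WebM Project VP[89] (?:Encoder|Decoder) v(\d+)\.(\d+)\.(\d+)")

# Assumed threshold: first libvpx release with the CVE-2023-5217 fix (VP8 encoder heap overflow).
# Lower it only if you know your distribution backported the patch to an older version string.
FIXED_VERSION: Version = (1, 13, 1)


def libvpx_versions(blob: bytes) -> Set[Version]:
    """Return every distinct libvpx version string embedded in a binary blob."""
    return {tuple(int(g) for g in m.groups()) for m in VPX_IFACE_RE.finditer(blob)}


def is_vulnerable(version: Version) -> bool:
    """True when the embedded libvpx predates the fixed release."""
    return version < FIXED_VERSION


def scan_blob(name: str, blob: bytes) -> List[Tuple[str, Version, bool]]:
    """Report (name, version, vulnerable) for each libvpx version found in one binary."""
    return [(name, v, is_vulnerable(v)) for v in sorted(libvpx_versions(blob))]


def scan_tree(root: str) -> List[Tuple[str, Version, bool]]:
    """Walk a directory (e.g. a Nix store path) and report every vendored libvpx.

    Files are read whole; that is fine for package closures but use a
    sliding window if you point this at very large artefacts.
    """
    findings: List[Tuple[str, Version, bool]] = []
    for dirpath, _, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            findings.extend(scan_blob(path, data))
    return findings


# Constructed sample "binaries" standing in for an old vendored build, a fixed
# system libvpx, and an unrelated executable. Not real files from any package.
SAMPLES: Dict[str, bytes] = {
    "electron-old": (b"\x7fELF\x02\x01\x01" + b"\x00" * 8
                     + b"WebM Project VP8 Encoder v1.12.0\x00"
                     + b"WebM Project VP9 Decoder v1.12.0\x00"),
    "libvpx-fixed": b"\x7fELF\x02\x01\x01" + b"WebM Project VP8 Encoder v1.13.1\x00",
    "unrelated": b"\x7fELF\x02\x01\x01 nothing to see here\x00",
}


def scan_samples() -> List[Tuple[str, Version, bool]]:
    """Run the scan over the constructed samples (what scan_tree does for real files)."""
    out: List[Tuple[str, Version, bool]] = []
    for name, blob in SAMPLES.items():
        out.extend(scan_blob(name, blob))
    return out


if __name__ == "__main__":
    for name, version, vulnerable in scan_samples():
        status = "VULNERABLE" if vulnerable else "ok"
        print(f"{name}: libvpx v{'.'.join(map(str, version))} {status}")
```

A hit does not by itself prove exploitability (a package may ship libvpx but never call the VP8 encoder on untrusted input), but it does give the list of packages the task list above needs; absence of a hit means only that no upstream version string was found, so packages built with a modified `VERSION_STRING` still need manual checking.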