[automatic] Publish 5 advisories for 7 packages

advisories/published/2025/JLSEC-0000-mnsaq079h-1lwmywk.md

@@ -0,0 +1,24 @@
+```toml
+schema_version = "1.7.3"
+id = "JLSEC-0000-mnsaq079h-1lwmywk"
+modified = 2025-10-22T22:39:44.837Z
+upstream = ["CVE-2016-9840"]
+references = ["http://lists.opensuse.org/opensuse-updates/2016-12/msg00127.html", "http://lists.opensuse.org/opensuse-updates/2017-01/msg00050.html", "http://lists.opensuse.org/opensuse-updates/2017-01/msg00053.html", "http://www.openwall.com/lists/oss-security/2016/12/05/21", "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html", "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", "http://www.securityfocus.com/bid/95131", "http://www.securitytracker.com/id/1039427", "https://access.redhat.com/errata/RHSA-2017:1220", "https://access.redhat.com/errata/RHSA-2017:1221", "https://access.redhat.com/errata/RHSA-2017:1222", "https://access.redhat.com/errata/RHSA-2017:2999", "https://access.redhat.com/errata/RHSA-2017:3046", "https://access.redhat.com/errata/RHSA-2017:3047", "https://access.redhat.com/errata/RHSA-2017:3453", "https://bugzilla.redhat.com/show_bug.cgi?id=1402345", "https://github.com/madler/zlib/commit/6a043145ca6e9c55184013841a67b2fef87e44c0", "https://lists.debian.org/debian-lts-announce/2019/03/msg00027.html", "https://lists.debian.org/debian-lts-announce/2020/01/msg00030.html", "https://security.gentoo.org/glsa/201701-56", "https://security.gentoo.org/glsa/202007-54", "https://support.apple.com/HT208112", "https://support.apple.com/HT208113", "https://support.apple.com/HT208115", "https://support.apple.com/HT208144", "https://usn.ubuntu.com/4246-1/", "https://usn.ubuntu.com/4292-1/", "https://wiki.mozilla.org/MOSS/Secure_Open_Source/Completed#zlib", "https://wiki.mozilla.org/images/0/09/Zlib-report.pdf", "https://www.oracle.com/security-alerts/cpujul2020.html", "http://lists.opensuse.org/opensuse-updates/2016-12/msg00127.html", "http://lists.opensuse.org/opensuse-updates/2017-01/msg00050.html", "http://lists.opensuse.org/opensuse-updates/2017-01/msg00053.html", "http://www.openwall.com/lists/oss-security/2016/12/05/21", "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html", "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", "http://www.securityfocus.com/bid/95131", "http://www.securitytracker.com/id/1039427", "https://access.redhat.com/errata/RHSA-2017:1220", "https://access.redhat.com/errata/RHSA-2017:1221", "https://access.redhat.com/errata/RHSA-2017:1222", "https://access.redhat.com/errata/RHSA-2017:2999", "https://access.redhat.com/errata/RHSA-2017:3046", "https://access.redhat.com/errata/RHSA-2017:3047", "https://access.redhat.com/errata/RHSA-2017:3453", "https://bugzilla.redhat.com/show_bug.cgi?id=1402345", "https://github.com/madler/zlib/commit/6a043145ca6e9c55184013841a67b2fef87e44c0", "https://lists.debian.org/debian-lts-announce/2019/03/msg00027.html", "https://lists.debian.org/debian-lts-announce/2020/01/msg00030.html", "https://security.gentoo.org/glsa/201701-56", "https://security.gentoo.org/glsa/202007-54", "https://support.apple.com/HT208112", "https://support.apple.com/HT208113", "https://support.apple.com/HT208115", "https://support.apple.com/HT208144", "https://usn.ubuntu.com/4246-1/", "https://usn.ubuntu.com/4292-1/", "https://wiki.mozilla.org/MOSS/Secure_Open_Source/Completed#zlib", "https://wiki.mozilla.org/images/0/09/Zlib-report.pdf", "https://www.oracle.com/security-alerts/cpujul2020.html"]
+
+[[affected]]
+pkg = "boost_jll"
+ranges = ["< 1.79.0+0"]
+
+[[jlsec_sources]]
+id = "CVE-2016-9840"
+imported = 2025-10-22T22:39:44.837Z
+modified = 2025-04-20T01:37:25.860Z
+published = 2017-05-23T04:29:01.667Z
+url = "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2016-9840"
+html_url = "https://nvd.nist.gov/vuln/detail/CVE-2016-9840"
+```
+
+# inftrees.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by lever...
+
+inftrees.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic.
+

advisories/published/2025/JLSEC-0000-mnsaq07a4-v4p6nq.md

@@ -0,0 +1,33 @@
+```toml
+schema_version = "1.7.3"
+id = "JLSEC-0000-mnsaq07a4-v4p6nq"
+modified = 2025-10-22T22:39:44.860Z
+upstream = ["CVE-2018-25032"]
+references = ["http://seclists.org/fulldisclosure/2022/May/33", "http://seclists.org/fulldisclosure/2022/May/35", "http://seclists.org/fulldisclosure/2022/May/38", "http://www.openwall.com/lists/oss-security/2022/03/25/2", "http://www.openwall.com/lists/oss-security/2022/03/26/1", "https://cert-portal.siemens.com/productcert/pdf/ssa-333517.pdf", "https://github.com/madler/zlib/commit/5c44459c3b28a9bd3283aaceab7c615f8020c531", "https://github.com/madler/zlib/compare/v1.2.11...v1.2.12", "https://github.com/madler/zlib/issues/605", "https://lists.debian.org/debian-lts-announce/2022/04/msg00000.html", "https://lists.debian.org/debian-lts-announce/2022/05/msg00008.html", "https://lists.debian.org/debian-lts-announce/2022/09/msg00023.html", "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DCZFIJBJTZ7CL5QXBFKTQ22Q26VINRUF/", "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DF62MVMH3QUGMBDCB3DY2ERQ6EBHTADB/", "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JZZPTWRYQULAOL3AW7RZJNVZ2UONXCV4/", "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NS2D2GFPFGOJUL4WQ3DUAY7HF4VWQ77F/", "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VOKNP2L734AEL47NRYGVZIKEFOUBQY5Y/", "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XOKFMSNQ5D5WGMALBNBXU3GE442V74WU/", "https://security.gentoo.org/glsa/202210-42", "https://security.netapp.com/advisory/ntap-20220526-0009/", "https://security.netapp.com/advisory/ntap-20220729-0004/", "https://support.apple.com/kb/HT213255", "https://support.apple.com/kb/HT213256", "https://support.apple.com/kb/HT213257", "https://www.debian.org/security/2022/dsa-5111", "https://www.openwall.com/lists/oss-security/2022/03/24/1", "https://www.openwall.com/lists/oss-security/2022/03/28/1", "https://www.openwall.com/lists/oss-security/2022/03/28/3", "https://www.oracle.com/security-alerts/cpujul2022.html", "http://seclists.org/fulldisclosure/2022/May/33", "http://seclists.org/fulldisclosure/2022/May/35", "http://seclists.org/fulldisclosure/2022/May/38", "http://www.openwall.com/lists/oss-security/2022/03/25/2", "http://www.openwall.com/lists/oss-security/2022/03/26/1", "https://cert-portal.siemens.com/productcert/pdf/ssa-333517.pdf", "https://github.com/madler/zlib/commit/5c44459c3b28a9bd3283aaceab7c615f8020c531", "https://github.com/madler/zlib/compare/v1.2.11...v1.2.12", "https://github.com/madler/zlib/issues/605", "https://lists.debian.org/debian-lts-announce/2022/04/msg00000.html", "https://lists.debian.org/debian-lts-announce/2022/05/msg00008.html", "https://lists.debian.org/debian-lts-announce/2022/09/msg00023.html", "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DCZFIJBJTZ7CL5QXBFKTQ22Q26VINRUF/", "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DF62MVMH3QUGMBDCB3DY2ERQ6EBHTADB/", "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JZZPTWRYQULAOL3AW7RZJNVZ2UONXCV4/", "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NS2D2GFPFGOJUL4WQ3DUAY7HF4VWQ77F/", "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VOKNP2L734AEL47NRYGVZIKEFOUBQY5Y/", "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XOKFMSNQ5D5WGMALBNBXU3GE442V74WU/", "https://security.gentoo.org/glsa/202210-42", "https://security.netapp.com/advisory/ntap-20220526-0009/", "https://security.netapp.com/advisory/ntap-20220729-0004/", "https://support.apple.com/kb/HT213255", "https://support.apple.com/kb/HT213256", "https://support.apple.com/kb/HT213257", "https://www.debian.org/security/2022/dsa-5111", "https://www.openwall.com/lists/oss-security/2022/03/24/1", "https://www.openwall.com/lists/oss-security/2022/03/28/1", "https://www.openwall.com/lists/oss-security/2022/03/28/3", "https://www.oracle.com/security-alerts/cpujul2022.html"]
+
+[[affected]]
+pkg = "Python_jll"
+ranges = ["< 3.10.7+0"]
+[[affected]]
+pkg = "Zlib_jll"
+ranges = ["< 1.2.12+3"]
+[[affected]]
+pkg = "Openresty_jll"
+ranges = ["< 1.21.4+0"]
+[[affected]]
+pkg = "GCCBootstrap_jll"
+ranges = ["*"]
+
+[[jlsec_sources]]
+id = "CVE-2018-25032"
+imported = 2025-10-22T22:39:44.860Z
+modified = 2025-08-21T20:37:11.840Z
+published = 2022-03-25T09:15:08.187Z
+url = "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2018-25032"
+html_url = "https://nvd.nist.gov/vuln/detail/CVE-2018-25032"
+```
+
+# zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has...
+
+zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.
+

advisories/published/2025/JLSEC-0000-mnsaq08r2-8ue9xh.md

@@ -0,0 +1,30 @@
+```toml
+schema_version = "1.7.3"
+id = "JLSEC-0000-mnsaq08r2-8ue9xh"
+modified = 2025-10-22T22:39:46.766Z
+upstream = ["CVE-2022-37434"]
+references = ["http://seclists.org/fulldisclosure/2022/Oct/37", "http://seclists.org/fulldisclosure/2022/Oct/38", "http://seclists.org/fulldisclosure/2022/Oct/41", "http://seclists.org/fulldisclosure/2022/Oct/42", "http://www.openwall.com/lists/oss-security/2022/08/05/2", "http://www.openwall.com/lists/oss-security/2022/08/09/1", "https://github.com/curl/curl/issues/9271", "https://github.com/ivd38/zlib_overflow", "https://github.com/madler/zlib/blob/21767c654d31d2dccdde4330529775c6c5fd5389/zlib.h#L1062-L1063", "https://github.com/madler/zlib/commit/1eb7682f845ac9e9bf9ae35bbfb3bad5dacbd91d", "https://github.com/madler/zlib/commit/eff308af425b67093bab25f80f1ae950166bece1", "https://github.com/nodejs/node/blob/75b68c6e4db515f76df73af476eccf382bbcb00a/deps/zlib/inflate.c#L762-L764", "https://lists.debian.org/debian-lts-announce/2022/09/msg00012.html", "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JWN4VE3JQR4O2SOUS5TXNLANRPMHWV4I/", "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NMBOJ77A7T7PQCARMDUK75TE6LLESZ3O/", "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PAVPQNCG3XRLCLNSQRM3KAN5ZFMVXVTY/", "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X5U7OTKZSHY2I3ZFJSR2SHFHW72RKGDK/", "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YRQAI7H4M4RQZ2IWZUEEXECBE5D56BH2/", "https://security.netapp.com/advisory/ntap-20220901-0005/", "https://security.netapp.com/advisory/ntap-20230427-0007/", "https://support.apple.com/kb/HT213488", "https://support.apple.com/kb/HT213489", "https://support.apple.com/kb/HT213490", "https://support.apple.com/kb/HT213491", "https://support.apple.com/kb/HT213493", "https://support.apple.com/kb/HT213494", "https://www.debian.org/security/2022/dsa-5218", "http://seclists.org/fulldisclosure/2022/Oct/37", "http://seclists.org/fulldisclosure/2022/Oct/38", "http://seclists.org/fulldisclosure/2022/Oct/41", "http://seclists.org/fulldisclosure/2022/Oct/42", "http://www.openwall.com/lists/oss-security/2022/08/05/2", "http://www.openwall.com/lists/oss-security/2022/08/09/1", "https://github.com/curl/curl/issues/9271", "https://github.com/ivd38/zlib_overflow", "https://github.com/madler/zlib/blob/21767c654d31d2dccdde4330529775c6c5fd5389/zlib.h#L1062-L1063", "https://github.com/madler/zlib/commit/eff308af425b67093bab25f80f1ae950166bece1", "https://github.com/nodejs/node/blob/75b68c6e4db515f76df73af476eccf382bbcb00a/deps/zlib/inflate.c#L762-L764", "https://lists.debian.org/debian-lts-announce/2022/09/msg00012.html", "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JWN4VE3JQR4O2SOUS5TXNLANRPMHWV4I/", "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NMBOJ77A7T7PQCARMDUK75TE6LLESZ3O/", "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PAVPQNCG3XRLCLNSQRM3KAN5ZFMVXVTY/", "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X5U7OTKZSHY2I3ZFJSR2SHFHW72RKGDK/", "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YRQAI7H4M4RQZ2IWZUEEXECBE5D56BH2/", "https://security.netapp.com/advisory/ntap-20220901-0005/", "https://security.netapp.com/advisory/ntap-20230427-0007/", "https://support.apple.com/kb/HT213488", "https://support.apple.com/kb/HT213489", "https://support.apple.com/kb/HT213490", "https://support.apple.com/kb/HT213491", "https://support.apple.com/kb/HT213493", "https://support.apple.com/kb/HT213494", "https://www.debian.org/security/2022/dsa-5218", "https://github.com/curl/curl/issues/9271"]
+
+[[affected]]
+pkg = "Zlib_jll"
+ranges = ["< 1.2.13+0"]
+[[affected]]
+pkg = "Openresty_jll"
+ranges = ["< 1.27.1+0"]
+[[affected]]
+pkg = "GCCBootstrap_jll"
+ranges = ["*"]
+
+[[jlsec_sources]]
+id = "CVE-2022-37434"
+imported = 2025-10-22T22:39:46.766Z
+modified = 2025-05-30T20:15:30.030Z
+published = 2022-08-05T07:15:07.240Z
+url = "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2022-37434"
+html_url = "https://nvd.nist.gov/vuln/detail/CVE-2022-37434"
+```
+
+# zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via...
+
+zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. Some common applications bundle the affected zlib source code but may be unable to call inflateGetHeader (e.g., see the nodejs/node reference).
+

advisories/published/2025/JLSEC-0000-mnsaq09aq-3bj4s3.md

@@ -0,0 +1,30 @@
+```toml
+schema_version = "1.7.3"
+id = "JLSEC-0000-mnsaq09aq-3bj4s3"
+modified = 2025-10-22T22:39:47.474Z
+upstream = ["CVE-2023-45853"]
+references = ["http://www.openwall.com/lists/oss-security/2023/10/20/9", "http://www.openwall.com/lists/oss-security/2024/01/24/10", "https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356", "https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61", "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4", "https://github.com/madler/zlib/pull/843", "https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html", "https://pypi.org/project/pyminizip/#history", "https://security.gentoo.org/glsa/202401-18", "https://security.netapp.com/advisory/ntap-20231130-0009/", "https://www.winimage.com/zLibDll/minizip.html", "http://www.openwall.com/lists/oss-security/2023/10/20/9", "http://www.openwall.com/lists/oss-security/2024/01/24/10", "https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356", "https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61", "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4", "https://github.com/madler/zlib/pull/843", "https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html", "https://pypi.org/project/pyminizip/#history", "https://security.gentoo.org/glsa/202401-18", "https://security.netapp.com/advisory/ntap-20231130-0009/", "https://www.winimage.com/zLibDll/minizip.html"]
+
+[[affected]]
+pkg = "Zlib_jll"
+ranges = ["< 1.3.1+0"]
+[[affected]]
+pkg = "Openresty_jll"
+ranges = ["< 1.27.1+0"]
+[[affected]]
+pkg = "GCCBootstrap_jll"
+ranges = ["*"]
+
+[[jlsec_sources]]
+id = "CVE-2023-45853"
+imported = 2025-10-22T22:39:47.474Z
+modified = 2024-12-20T17:41:31.237Z
+published = 2023-10-14T02:15:09.323Z
+url = "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2023-45853"
+html_url = "https://nvd.nist.gov/vuln/detail/CVE-2023-45853"
+```
+
+# MiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipO...
+
+MiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product. NOTE: pyminizip through 0.2.6 is also vulnerable because it bundles an affected zlib version, and exposes the applicable MiniZip code through its compress API.
+

advisories/published/2025/JLSEC-0000-mnsaq09gu-uzjqs3.md

@@ -0,0 +1,30 @@
+```toml
+schema_version = "1.7.3"
+id = "JLSEC-0000-mnsaq09gu-uzjqs3"
+modified = 2025-10-22T22:39:47.694Z
+upstream = ["CVE-2025-0725"]
+references = ["https://curl.se/docs/CVE-2025-0725.html", "https://curl.se/docs/CVE-2025-0725.json", "https://hackerone.com/reports/2956023", "http://www.openwall.com/lists/oss-security/2025/02/05/3", "http://www.openwall.com/lists/oss-security/2025/02/06/2", "http://www.openwall.com/lists/oss-security/2025/02/06/4", "https://github.com/curl/curl/commit/76f83f0db23846e254d940ec7", "https://security.netapp.com/advisory/ntap-20250306-0009/"]
+
+[[affected]]
+pkg = "CURL_jll"
+ranges = ["< 8.13.0+0"]
+[[affected]]
+pkg = "LibCURL_jll"
+ranges = ["< 8.12.0+0"]
+
+[[jlsec_sources]]
+id = "CVE-2025-0725"
+imported = 2025-10-22T22:39:47.694Z
+modified = 2025-06-27T19:24:08.327Z
+published = 2025-02-05T10:15:22.980Z
+url = "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2025-0725"
+html_url = "https://nvd.nist.gov/vuln/detail/CVE-2025-0725"
+```
+
+# When libcurl is asked to perform automatic gzip decompression of content-encoded HTTP responses with...
+
+When libcurl is asked to perform automatic gzip decompression of
+content-encoded HTTP responses with the `CURLOPT_ACCEPT_ENCODING` option,
+**using zlib 1.2.0.3 or older**, an attacker-controlled integer overflow would
+make libcurl perform a buffer overflow.
+