[automatic] Publish 4 advisories for 4 packages

advisories/published/2025/JLSEC-0000-mnsduzjua-1rn2jf4.md

@@ -0,0 +1,24 @@
+```toml
+schema_version = "1.7.3"
+id = "JLSEC-0000-mnsduzjua-1rn2jf4"
+modified = 2025-10-25T03:22:31.090Z
+upstream = ["CVE-2023-4863"]
+references = ["http://www.openwall.com/lists/oss-security/2023/09/21/4", "http://www.openwall.com/lists/oss-security/2023/09/22/1", "http://www.openwall.com/lists/oss-security/2023/09/22/3", "http://www.openwall.com/lists/oss-security/2023/09/22/4", "http://www.openwall.com/lists/oss-security/2023/09/22/5", "http://www.openwall.com/lists/oss-security/2023/09/22/6", "http://www.openwall.com/lists/oss-security/2023/09/22/7", "http://www.openwall.com/lists/oss-security/2023/09/22/8", "http://www.openwall.com/lists/oss-security/2023/09/26/1", "http://www.openwall.com/lists/oss-security/2023/09/26/7", "http://www.openwall.com/lists/oss-security/2023/09/28/1", "http://www.openwall.com/lists/oss-security/2023/09/28/2", "http://www.openwall.com/lists/oss-security/2023/09/28/4", "https://adamcaudill.com/2023/09/14/whose-cve-is-it-anyway/", "https://blog.isosceles.com/the-webp-0day/", "https://bugzilla.suse.com/show_bug.cgi?id=1215231", "https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_11.html", "https://crbug.com/1479274", "https://en.bandisoft.com/honeyview/history/", "https://github.com/webmproject/libwebp/commit/902bc9190331343b2017211debcec8d2ab87e17a", "https://github.com/webmproject/libwebp/releases/tag/v1.3.2", "https://lists.debian.org/debian-lts-announce/2023/09/msg00015.html", "https://lists.debian.org/debian-lts-announce/2023/09/msg00016.html", "https://lists.debian.org/debian-lts-announce/2023/09/msg00017.html", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6T655QF7CQ3DYAMPFV7IECQYGDEUIVVT/", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FYYKLG6CRGEDTNRBSU26EEWAO6D6U645/", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KUQ7CTX3W372X3UY56VVNAHCH6H2F4X3/", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OZDGWWMJREPAGKWCJKSCM4WYLANSKIFX/", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PYZV7TMKF4QHZ54SFJX54BDN52VHGGCX/", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WHOLML7N2G5KCAZXFWC5IDFFHSQS5SDB/", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WTRUIS3564P7ZLM2S2IH4Y4KZ327LI4I/", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-4863", "https://news.ycombinator.com/item?id=37478403", "https://security-tracker.debian.org/tracker/CVE-2023-4863", "https://security.gentoo.org/glsa/202309-05", "https://security.gentoo.org/glsa/202401-10", "https://security.netapp.com/advisory/ntap-20230929-0011/", "https://sethmlarson.dev/security-developer-in-residence-weekly-report-16", "https://stackdiary.com/critical-vulnerability-in-webp-codec-cve-2023-4863/", "https://www.bentley.com/advisories/be-2023-0001/", "https://www.bleepingcomputer.com/news/google/google-fixes-another-chrome-zero-day-bug-exploited-in-attacks/", "https://www.debian.org/security/2023/dsa-5496", "https://www.debian.org/security/2023/dsa-5497", "https://www.debian.org/security/2023/dsa-5498", "https://www.mozilla.org/en-US/security/advisories/mfsa2023-40/", "http://www.openwall.com/lists/oss-security/2023/09/21/4", "http://www.openwall.com/lists/oss-security/2023/09/22/1", "http://www.openwall.com/lists/oss-security/2023/09/22/3", "http://www.openwall.com/lists/oss-security/2023/09/22/4", "http://www.openwall.com/lists/oss-security/2023/09/22/5", "http://www.openwall.com/lists/oss-security/2023/09/22/6", "http://www.openwall.com/lists/oss-security/2023/09/22/7", "http://www.openwall.com/lists/oss-security/2023/09/22/8", "http://www.openwall.com/lists/oss-security/2023/09/26/1", "http://www.openwall.com/lists/oss-security/2023/09/26/7", "http://www.openwall.com/lists/oss-security/2023/09/28/1", "http://www.openwall.com/lists/oss-security/2023/09/28/2", "http://www.openwall.com/lists/oss-security/2023/09/28/4", "https://adamcaudill.com/2023/09/14/whose-cve-is-it-anyway/", "https://blog.isosceles.com/the-webp-0day/", "https://bugzilla.suse.com/show_bug.cgi?id=1215231", "https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_11.html", "https://crbug.com/1479274", "https://en.bandisoft.com/honeyview/history/", "https://github.com/webmproject/libwebp/commit/902bc9190331343b2017211debcec8d2ab87e17a", "https://github.com/webmproject/libwebp/releases/tag/v1.3.2", "https://lists.debian.org/debian-lts-announce/2023/09/msg00015.html", "https://lists.debian.org/debian-lts-announce/2023/09/msg00016.html", "https://lists.debian.org/debian-lts-announce/2023/09/msg00017.html", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6T655QF7CQ3DYAMPFV7IECQYGDEUIVVT/", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FYYKLG6CRGEDTNRBSU26EEWAO6D6U645/", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KUQ7CTX3W372X3UY56VVNAHCH6H2F4X3/", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OZDGWWMJREPAGKWCJKSCM4WYLANSKIFX/", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PYZV7TMKF4QHZ54SFJX54BDN52VHGGCX/", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WHOLML7N2G5KCAZXFWC5IDFFHSQS5SDB/", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WTRUIS3564P7ZLM2S2IH4Y4KZ327LI4I/", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-4863", "https://news.ycombinator.com/item?id=37478403", "https://security-tracker.debian.org/tracker/CVE-2023-4863", "https://security.gentoo.org/glsa/202309-05", "https://security.gentoo.org/glsa/202401-10", "https://security.netapp.com/advisory/ntap-20230929-0011/", "https://sethmlarson.dev/security-developer-in-residence-weekly-report-16", "https://stackdiary.com/critical-vulnerability-in-webp-codec-cve-2023-4863/", "https://www.bentley.com/advisories/be-2023-0001/", "https://www.bleepingcomputer.com/news/google/google-fixes-another-chrome-zero-day-bug-exploited-in-attacks/", "https://www.debian.org/security/2023/dsa-5496", "https://www.debian.org/security/2023/dsa-5497", "https://www.debian.org/security/2023/dsa-5498", "https://www.mozilla.org/en-US/security/advisories/mfsa2023-40/", "https://www.vicarius.io/vsociety/posts/zero-day-webp-vulnerability-cve-2023-4863", "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-4863"]
+
+[[affected]]
+pkg = "libwebp_jll"
+ranges = ["< 1.3.2+0"]
+
+[[jlsec_sources]]
+id = "CVE-2023-4863"
+imported = 2025-10-25T03:22:31.071Z
+modified = 2025-10-24T14:07:28.793Z
+published = 2023-09-12T15:15:24.327Z
+url = "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2023-4863"
+html_url = "https://nvd.nist.gov/vuln/detail/CVE-2023-4863"
+```
+
+# Heap buffer overflow in libwebp in Google Chrome prior to 116.0.5845.187 and libwebp 1.3.2 allowed a...
+
+Heap buffer overflow in libwebp in Google Chrome prior to 116.0.5845.187 and libwebp 1.3.2 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: Critical)
+

advisories/published/2025/JLSEC-0000-mnsduzk5d-1r1ak9d.md

@@ -0,0 +1,24 @@
+```toml
+schema_version = "1.7.3"
+id = "JLSEC-0000-mnsduzk5d-1r1ak9d"
+modified = 2025-10-25T03:22:31.489Z
+upstream = ["CVE-2023-5217"]
+references = ["http://seclists.org/fulldisclosure/2023/Oct/12", "http://seclists.org/fulldisclosure/2023/Oct/16", "http://www.openwall.com/lists/oss-security/2023/09/28/5", "http://www.openwall.com/lists/oss-security/2023/09/28/6", "http://www.openwall.com/lists/oss-security/2023/09/29/1", "http://www.openwall.com/lists/oss-security/2023/09/29/11", "http://www.openwall.com/lists/oss-security/2023/09/29/12", "http://www.openwall.com/lists/oss-security/2023/09/29/14", "http://www.openwall.com/lists/oss-security/2023/09/29/2", "http://www.openwall.com/lists/oss-security/2023/09/29/7", "http://www.openwall.com/lists/oss-security/2023/09/29/9", "http://www.openwall.com/lists/oss-security/2023/09/30/1", "http://www.openwall.com/lists/oss-security/2023/09/30/2", "http://www.openwall.com/lists/oss-security/2023/09/30/3", "http://www.openwall.com/lists/oss-security/2023/09/30/4", "http://www.openwall.com/lists/oss-security/2023/09/30/5", "http://www.openwall.com/lists/oss-security/2023/10/01/1", "http://www.openwall.com/lists/oss-security/2023/10/01/2", "http://www.openwall.com/lists/oss-security/2023/10/01/5", "http://www.openwall.com/lists/oss-security/2023/10/02/6", "http://www.openwall.com/lists/oss-security/2023/10/03/11", "https://arstechnica.com/security/2023/09/new-0-day-in-chrome-and-firefox-is-likely-to-plague-other-software/", "https://bugzilla.redhat.com/show_bug.cgi?id=2241191", "https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_27.html", "https://crbug.com/1486441", "https://github.com/webmproject/libvpx/commit/3fbd1dca6a4d2dad332a2110d646e4ffef36d590", "https://github.com/webmproject/libvpx/commit/af6dedd715f4307669366944cca6e0417b290282", "https://github.com/webmproject/libvpx/releases/tag/v1.13.1", "https://github.com/webmproject/libvpx/tags", "https://lists.debian.org/debian-lts-announce/2023/09/msg00038.html", "https://lists.debian.org/debian-lts-announce/2023/10/msg00001.html", "https://lists.debian.org/debian-lts-announce/2023/10/msg00015.html", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4MFWDFJSSIFKWKNOCTQCFUNZWAXUCSS4/", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/55YVCZNAVY3Y5E4DWPWMX2SPKZ2E5SOV/", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AY642Z6JZODQJE7Z62CFREVUHEGCXGPD/", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BCVSHVX2RFBU3RMCUFSATVQEJUFD4Q63/", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CWEJYS5NC7KVFYU3OAMPKQDYN6JQGVK6/", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TE7F54W5O5RS4ZMAAC7YK3CZWQXIDSKB/", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WTRUIS3564P7ZLM2S2IH4Y4KZ327LI4I/", "https://pastebin.com/TdkC4pDv", "https://security-tracker.debian.org/tracker/CVE-2023-5217", "https://security.gentoo.org/glsa/202310-04", "https://security.gentoo.org/glsa/202401-34", "https://stackdiary.com/google-discloses-a-webm-vp8-bug-tracked-as-cve-2023-5217/", "https://support.apple.com/kb/HT213961", "https://support.apple.com/kb/HT213972", "https://twitter.com/maddiestone/status/1707163313711497266", "https://www.debian.org/security/2023/dsa-5508", "https://www.debian.org/security/2023/dsa-5509", "https://www.debian.org/security/2023/dsa-5510", "https://www.mozilla.org/en-US/security/advisories/mfsa2023-44/", "https://www.openwall.com/lists/oss-security/2023/09/28/5", "http://seclists.org/fulldisclosure/2023/Oct/12", "http://seclists.org/fulldisclosure/2023/Oct/16", "http://www.openwall.com/lists/oss-security/2023/09/28/5", "http://www.openwall.com/lists/oss-security/2023/09/28/6", "http://www.openwall.com/lists/oss-security/2023/09/29/1", "http://www.openwall.com/lists/oss-security/2023/09/29/11", "http://www.openwall.com/lists/oss-security/2023/09/29/12", "http://www.openwall.com/lists/oss-security/2023/09/29/14", "http://www.openwall.com/lists/oss-security/2023/09/29/2", "http://www.openwall.com/lists/oss-security/2023/09/29/7", "http://www.openwall.com/lists/oss-security/2023/09/29/9", "http://www.openwall.com/lists/oss-security/2023/09/30/1", "http://www.openwall.com/lists/oss-security/2023/09/30/2", "http://www.openwall.com/lists/oss-security/2023/09/30/3", "http://www.openwall.com/lists/oss-security/2023/09/30/4", "http://www.openwall.com/lists/oss-security/2023/09/30/5", "http://www.openwall.com/lists/oss-security/2023/10/01/1", "http://www.openwall.com/lists/oss-security/2023/10/01/2", "http://www.openwall.com/lists/oss-security/2023/10/01/5", "http://www.openwall.com/lists/oss-security/2023/10/02/6", "http://www.openwall.com/lists/oss-security/2023/10/03/11", "https://arstechnica.com/security/2023/09/new-0-day-in-chrome-and-firefox-is-likely-to-plague-other-software/", "https://bugzilla.redhat.com/show_bug.cgi?id=2241191", "https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_27.html", "https://crbug.com/1486441", "https://github.com/webmproject/libvpx/commit/3fbd1dca6a4d2dad332a2110d646e4ffef36d590", "https://github.com/webmproject/libvpx/commit/af6dedd715f4307669366944cca6e0417b290282", "https://github.com/webmproject/libvpx/releases/tag/v1.13.1", "https://github.com/webmproject/libvpx/tags", "https://lists.debian.org/debian-lts-announce/2023/09/msg00038.html", "https://lists.debian.org/debian-lts-announce/2023/10/msg00001.html", "https://lists.debian.org/debian-lts-announce/2023/10/msg00015.html", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4MFWDFJSSIFKWKNOCTQCFUNZWAXUCSS4/", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/55YVCZNAVY3Y5E4DWPWMX2SPKZ2E5SOV/", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AY642Z6JZODQJE7Z62CFREVUHEGCXGPD/", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BCVSHVX2RFBU3RMCUFSATVQEJUFD4Q63/", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CWEJYS5NC7KVFYU3OAMPKQDYN6JQGVK6/", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TE7F54W5O5RS4ZMAAC7YK3CZWQXIDSKB/", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WTRUIS3564P7ZLM2S2IH4Y4KZ327LI4I/", "https://pastebin.com/TdkC4pDv", "https://security-tracker.debian.org/tracker/CVE-2023-5217", "https://security.gentoo.org/glsa/202310-04", "https://security.gentoo.org/glsa/202401-34", "https://stackdiary.com/google-discloses-a-webm-vp8-bug-tracked-as-cve-2023-5217/", "https://support.apple.com/kb/HT213961", "https://support.apple.com/kb/HT213972", "https://twitter.com/maddiestone/status/1707163313711497266", "https://www.debian.org/security/2023/dsa-5508", "https://www.debian.org/security/2023/dsa-5509", "https://www.debian.org/security/2023/dsa-5510", "https://www.mozilla.org/en-US/security/advisories/mfsa2023-44/", "https://www.openwall.com/lists/oss-security/2023/09/28/5", "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-5217"]
+
+[[affected]]
+pkg = "LibVPX_jll"
+ranges = ["*"]
+
+[[jlsec_sources]]
+id = "CVE-2023-5217"
+imported = 2025-10-25T03:22:31.489Z
+modified = 2025-10-24T14:07:24.923Z
+published = 2023-09-28T16:15:10.980Z
+url = "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2023-5217"
+html_url = "https://nvd.nist.gov/vuln/detail/CVE-2023-5217"
+```
+
+# Heap buffer overflow in vp8 encoding in libvpx in Google Chrome prior to 117.0.5938.132 and libvpx 1...
+
+Heap buffer overflow in vp8 encoding in libvpx in Google Chrome prior to 117.0.5938.132 and libvpx 1.13.1 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
+

advisories/published/2025/JLSEC-0000-mnsdv01fw-11myxy0.md

@@ -0,0 +1,24 @@
+```toml
+schema_version = "1.7.3"
+id = "JLSEC-0000-mnsdv01fw-11myxy0"
+modified = 2025-10-25T03:22:53.900Z
+upstream = ["CVE-2025-48384"]
+references = ["https://github.com/git/git/security/advisories/GHSA-vwqx-4fm8-6qc9", "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-48384"]
+
+[[affected]]
+pkg = "Git_jll"
+ranges = ["< 2.50.1+0"]
+
+[[jlsec_sources]]
+id = "CVE-2025-48384"
+imported = 2025-10-25T03:22:53.900Z
+modified = 2025-10-24T13:58:30.817Z
+published = 2025-07-08T19:15:42.800Z
+url = "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2025-48384"
+html_url = "https://nvd.nist.gov/vuln/detail/CVE-2025-48384"
+```
+
+# Git is a fast, scalable, distributed revision control system with an unusually rich command set that...
+
+Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. When reading a config value, Git strips any trailing carriage return and line feed (CRLF). When writing a config entry, values with a trailing CR are not quoted, causing the CR to be lost when the config is later read. When initializing a submodule, if the submodule path contains a trailing CR, the altered path is read resulting in the submodule being checked out to an incorrect location. If a symlink exists that points the altered path to the submodule hooks directory, and the submodule contains an executable post-checkout hook, the script may be unintentionally executed after checkout. This vulnerability is fixed in v2.43.7, v2.44.4, v2.45.4, v2.46.4, v2.47.3, v2.48.2, v2.49.1, and v2.50.1.
+

advisories/published/2025/JLSEC-0000-mnsdv09yi-1r3vfev.md

@@ -0,0 +1,24 @@
+```toml
+schema_version = "1.7.3"
+id = "JLSEC-0000-mnsdv09yi-1r3vfev"
+modified = 2025-10-25T03:23:04.938Z
+upstream = ["CVE-2025-62171"]
+references = ["https://github.com/ImageMagick/ImageMagick/commit/cea1693e2ded51b4cc91c70c54096cbed1691c00", "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-9pp9-cfwx-54rm"]
+
+[[affected]]
+pkg = "ImageMagick_jll"
+ranges = ["*"]
+
+[[jlsec_sources]]
+id = "CVE-2025-62171"
+imported = 2025-10-25T03:23:04.938Z
+modified = 2025-10-24T17:06:27.163Z
+published = 2025-10-17T17:15:49.197Z
+url = "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2025-62171"
+html_url = "https://nvd.nist.gov/vuln/detail/CVE-2025-62171"
+```
+
+# ImageMagick is an open source software suite for displaying, converting, and editing raster image fi...
+
+ImageMagick is an open source software suite for displaying, converting, and editing raster image files. In ImageMagick versions prior to 7.1.2-7 and 6.9.13-32, an integer overflow vulnerability exists in the BMP decoder on 32-bit systems. The vulnerability occurs in coders/bmp.c when calculating the extent value by multiplying image columns by bits per pixel. On 32-bit systems with size_t of 4 bytes, a malicious BMP file with specific dimensions can cause this multiplication to overflow and wrap to zero. The overflow check added to address CVE-2025-57803 is placed after the overflow occurs, making it ineffective. A specially crafted 58-byte BMP file with width set to 536,870,912 and 32 bits per pixel can trigger this overflow, causing the bytes_per_line calculation to become zero. This vulnerability only affects 32-bit builds of ImageMagick where default resource limits for width, height, and area have been manually increased beyond their defaults. 64-bit systems with size_t of 8 bytes are not vulnerable, and systems using default ImageMagick resource limits are not vulnerable. The vulnerability is fixed in versions 7.1.2-7 and 6.9.13-32.
+