JuliaLang · jlsec-bot · Nov 19, 2025
diff --git a/advisories/published/2025/JLSEC-0000-mntdl67b8-1n6vaxo.md b/advisories/published/2025/JLSEC-0000-mntdl67b8-1n6vaxo.md
@@ -0,0 +1,24 @@
+```toml
+schema_version = "1.7.4"
+id = "JLSEC-0000-mntdl67b8-1n6vaxo"
+modified = 2025-11-19T03:27:27.620Z
+upstream = ["CVE-2023-51767"]
+references = ["https://access.redhat.com/security/cve/CVE-2023-51767", "https://arxiv.org/abs/2309.02545", "https://bugzilla.redhat.com/show_bug.cgi?id=2255850", "https://github.com/openssh/openssh-portable/blob/8241b9c0529228b4b86d88b1a6076fb9f97e4a99/auth-passwd.c#L77", "https://github.com/openssh/openssh-portable/blob/8241b9c0529228b4b86d88b1a6076fb9f97e4a99/monitor.c#L878", "https://security.netapp.com/advisory/ntap-20240125-0006/", "https://ubuntu.com/security/CVE-2023-51767", "https://www.openwall.com/lists/oss-security/2025/09/22/1", "http://www.openwall.com/lists/oss-security/2025/09/22/1", "http://www.openwall.com/lists/oss-security/2025/09/22/2", "http://www.openwall.com/lists/oss-security/2025/09/23/1", "http://www.openwall.com/lists/oss-security/2025/09/23/3", "http://www.openwall.com/lists/oss-security/2025/09/23/4", "http://www.openwall.com/lists/oss-security/2025/09/23/5", "http://www.openwall.com/lists/oss-security/2025/09/24/4", "http://www.openwall.com/lists/oss-security/2025/09/24/7", "http://www.openwall.com/lists/oss-security/2025/09/25/2", "http://www.openwall.com/lists/oss-security/2025/09/25/6", "http://www.openwall.com/lists/oss-security/2025/09/26/2", "http://www.openwall.com/lists/oss-security/2025/09/26/4", "http://www.openwall.com/lists/oss-security/2025/09/27/1", "http://www.openwall.com/lists/oss-security/2025/09/27/2", "http://www.openwall.com/lists/oss-security/2025/09/27/3", "http://www.openwall.com/lists/oss-security/2025/09/27/4", "http://www.openwall.com/lists/oss-security/2025/09/27/5", "http://www.openwall.com/lists/oss-security/2025/09/27/6", "http://www.openwall.com/lists/oss-security/2025/09/27/7", "http://www.openwall.com/lists/oss-security/2025/09/28/7", "http://www.openwall.com/lists/oss-security/2025/09/29/1", "http://www.openwall.com/lists/oss-security/2025/09/29/4", "http://www.openwall.com/lists/oss-security/2025/09/29/5", "http://www.openwall.com/lists/oss-security/2025/09/29/6", "http://www.openwall.com/lists/oss-security/2025/10/01/1", "http://www.openwall.com/lists/oss-security/2025/10/01/2", "https://access.redhat.com/security/cve/CVE-2023-51767", "https://arxiv.org/abs/2309.02545", "https://bugzilla.redhat.com/show_bug.cgi?id=2255850", "https://github.com/openssh/openssh-portable/blob/8241b9c0529228b4b86d88b1a6076fb9f97e4a99/auth-passwd.c#L77", "https://github.com/openssh/openssh-portable/blob/8241b9c0529228b4b86d88b1a6076fb9f97e4a99/monitor.c#L878", "https://security.netapp.com/advisory/ntap-20240125-0006/", "https://ubuntu.com/security/CVE-2023-51767"]
+
+[[affected]]
+pkg = "OpenSSH_jll"
+ranges = ["*"]
+
+[[jlsec_sources]]
+id = "CVE-2023-51767"
+imported = 2025-11-19T03:27:27.602Z
+modified = 2025-11-18T22:15:43.950Z
+published = 2023-12-24T07:15:07.410Z
+url = "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2023-51767"
+html_url = "https://nvd.nist.gov/vuln/detail/CVE-2023-51767"
+```
+
+# OpenSSH through 10.0, when common types of DRAM are used, might allow row hammer attacks (for authen...
+
+OpenSSH through 10.0, when common types of DRAM are used, might allow row hammer attacks (for authentication bypass) because the integer value of authenticated in mm_answer_authpassword does not resist flips of a single bit. NOTE: this is applicable to a certain threat model of attacker-victim co-location in which the attacker has user privileges. NOTE: this is disputed by the Supplier, who states "we do not consider it to be the application's responsibility to defend against platform architectural weaknesses."
+
diff --git a/advisories/published/2025/JLSEC-0000-mntdl68eg-1wzj50p.md b/advisories/published/2025/JLSEC-0000-mntdl68eg-1wzj50p.md
@@ -0,0 +1,24 @@
+```toml
+schema_version = "1.7.4"
+id = "JLSEC-0000-mntdl68eg-1wzj50p"
+modified = 2025-11-19T03:27:29.032Z
+upstream = ["CVE-2024-3566"]
+references = ["https://flatt.tech/research/posts/batbadbut-you-cant-securely-execute-commands-on-windows/", "https://kb.cert.org/vuls/id/123335", "https://learn.microsoft.com/en-us/archive/blogs/twistylittlepassagesallalike/everyone-quotes-command-line-arguments-the-wrong-way", "https://www.cve.org/CVERecord?id=CVE-2024-1874", "https://www.cve.org/CVERecord?id=CVE-2024-22423", "https://www.cve.org/CVERecord?id=CVE-2024-24576", "https://www.kb.cert.org/vuls/id/123335", "https://flatt.tech/research/posts/batbadbut-you-cant-securely-execute-commands-on-windows/", "https://github.com/nu11secur1ty/Windows11Exploits/tree/main/2024/CVE-2024-3566", "https://kb.cert.org/vuls/id/123335", "https://learn.microsoft.com/en-us/archive/blogs/twistylittlepassagesallalike/everyone-quotes-command-line-arguments-the-wrong-way", "https://www.cve.org/CVERecord?id=CVE-2024-1874", "https://www.cve.org/CVERecord?id=CVE-2024-22423", "https://www.cve.org/CVERecord?id=CVE-2024-24576", "https://www.kb.cert.org/vuls/id/123335"]
+
+[[affected]]
+pkg = "libnode_jll"
+ranges = ["*"]
+
+[[jlsec_sources]]
+id = "CVE-2024-3566"
+imported = 2025-11-19T03:27:29.032Z
+modified = 2025-11-18T18:16:05.353Z
+published = 2024-04-10T16:15:16.083Z
+url = "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2024-3566"
+html_url = "https://nvd.nist.gov/vuln/detail/CVE-2024-3566"
+```
+
+# A command inject vulnerability allows an attacker to perform command injection on Windows applicatio...
+
+A command inject vulnerability allows an attacker to perform command injection on Windows applications that indirectly depend on the CreateProcess function when the specific conditions are satisfied.
+
diff --git a/advisories/published/2025/JLSEC-0000-mntdl6acu-wy3oqc.md b/advisories/published/2025/JLSEC-0000-mntdl6acu-wy3oqc.md
@@ -0,0 +1,24 @@
+```toml
+schema_version = "1.7.4"
+id = "JLSEC-0000-mntdl6acu-wy3oqc"
+modified = 2025-11-19T03:27:31.566Z
+upstream = ["CVE-2025-2784"]
+references = ["https://access.redhat.com/errata/RHSA-2025:21657", "https://access.redhat.com/errata/RHSA-2025:7505", "https://access.redhat.com/errata/RHSA-2025:8126", "https://access.redhat.com/errata/RHSA-2025:8132", "https://access.redhat.com/errata/RHSA-2025:8139", "https://access.redhat.com/errata/RHSA-2025:8140", "https://access.redhat.com/errata/RHSA-2025:8252", "https://access.redhat.com/errata/RHSA-2025:8480", "https://access.redhat.com/errata/RHSA-2025:8481", "https://access.redhat.com/errata/RHSA-2025:8482", "https://access.redhat.com/errata/RHSA-2025:8663", "https://access.redhat.com/errata/RHSA-2025:9179", "https://access.redhat.com/security/cve/CVE-2025-2784", "https://bugzilla.redhat.com/show_bug.cgi?id=2354669", "https://gitlab.gnome.org/GNOME/libsoup/-/issues/422", "https://lists.debian.org/debian-lts-announce/2025/04/msg00036.html", "https://gitlab.gnome.org/GNOME/libsoup/-/issues/422"]
+
+[[affected]]
+pkg = "Soup3_jll"
+ranges = ["*"]
+
+[[jlsec_sources]]
+id = "CVE-2025-2784"
+imported = 2025-11-19T03:27:31.566Z
+modified = 2025-11-18T09:15:50.430Z
+published = 2025-04-03T03:15:18.113Z
+url = "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2025-2784"
+html_url = "https://nvd.nist.gov/vuln/detail/CVE-2025-2784"
+```
+
+# A flaw was found in libsoup
+
+A flaw was found in libsoup. The package is vulnerable to a heap buffer over-read when sniffing content via the skip_insight_whitespace() function. Libsoup clients may read one byte out-of-bounds in response to a crafted HTTP response by an HTTP server.
+