CVE-2022-24300: Our minetest-version has patches for this reported issue.

CVE-2022-24301: Our minetest-version has patches for this reported issue.

CVE-2022-35978: Our minetest-version is not having any patch for this reported issue. Backport would be possible and was tested, see conclusion for further annotations.

Conclusion: As minetest is going into a complete different direction Hyperbola has decided to no longer provide any packaged version. Ports done in favor from the community are surely welcome, but minetest won't be any longer part in the Hyperbola-repositories.

CVE-2023-50387 and CVE-2023-50868: https://www.isc.org/blogs/2024-bind-security-release/, fixed into --> 9.16.48
(Thanks for reporting to heckyel!)

Conclusion: Package bind will be updated corresponding!

CVE-2023-46724, CVE-2023-46846, CVE-2023-46847, CVE-2023-49285: Several security vulnerabilities have been discovered in Squid, a full featured web proxy cache. Due to programming errors in Squid's HTTP request parsing, remote attackers may be able to execute a denial of service attack by sending large X-Forwarded-For header or trigger a stack buffer overflow while performing HTTP Digest authentication. Other issues facilitate request smuggling past a firewall or a denial of service against Squid's Helper process management.

Conclusion: We will upgrade and patch our squid.

CVE-2024-3094: Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.

Conclusion: Our version of xz is not affected.

General annotation: The package dillo will be reworked as the URL dillo.org is no longer under control of the project-team. Nevertheless the URL is used wide for that package and project. The project-team has written a clear article about their perspective: https://dillo-browser.github.io/dillo.org.html

Also a note from us direct: Please be always careful. Surely we track here the security-issues and situation. But also about packages from elsewhere it is better to stay critical. Not direct with sources first but with websites for sure. This example is a light one as there are foremost spam-articles mixed into a wordpress-blog now on dillo.org. But this can be also quite more severe for example used as honeypot, in that term just to collect metadata on the first run of visitors or even quite more.

Conclusion: We will use the new address as soon as possible.

CVE-2024-24577: libgit2 is a portable C implementation of the Git core methods provided as a linkable library with a solid API, allowing to build Git functionality into your application. Using well-crafted inputs to `git_index_add` can cause heap corruption that could be leveraged for arbitrary code execution. There is an issue in the `has_dir_name` function in `src/libgit2/index.c`, which frees an entry that should not be freed. The freed entry is later used and overwritten with potentially bad actor-controlled data leading to controlled heap corruption. Depending on the application that uses libgit2, this could lead to arbitrary code execution. This issue has been patched in version 1.6.5 and 1.7.2.

Conclusion: We will update our current version of libgit2 to version 1.7.2.

CVE-2024-6655: A flaw was found in the GTK library. Under certain conditions, it is possible for a library to be injected into a GTK application from the current working directory.

Conclusion: We will patch our packages gtk and gtk2.

CVE-2023-36328: Integer Overflow vulnerability in mp_grow in libtom libtommath before commit beba892bc0d4e4ded4d667ab1d2a94f4d75109a9, allows attackers to execute arbitrary code and cause a denial of service (DoS).

Conclusion: We will patch our package libtommath.