CVE-2022-24300: Our minetest-version has patches for this reported issue.

CVE-2022-24301: Our minetest-version has patches for this reported issue.

CVE-2022-35978: Our minetest-version is not having any patch for this reported issue. Backport would be possible and was tested, see conclusion for further annotations.

Conclusion: As minetest is going into a complete different direction Hyperbola has decided to no longer provide any packaged version. Ports done in favor from the community are surely welcome, but minetest won't be any longer part in the Hyperbola-repositories.

CVE-2023-50387 and CVE-2023-50868: https://www.isc.org/blogs/2024-bind-security-release/, fixed into --> 9.16.48
(Thanks for reporting to heckyel!)

Conclusion: Package bind will be updated corresponding!

CVE-2023-46724, CVE-2023-46846, CVE-2023-46847, CVE-2023-49285: Several security vulnerabilities have been discovered in Squid, a full featured web proxy cache. Due to programming errors in Squid's HTTP request parsing, remote attackers may be able to execute a denial of service attack by sending large X-Forwarded-For header or trigger a stack buffer overflow while performing HTTP Digest authentication. Other issues facilitate request smuggling past a firewall or a denial of service against Squid's Helper process management.

Conclusion: We will upgrade and patch our squid.

CVE-2024-3094: Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.

Conclusion: Our version of xz is not affected.

General annotation: The package dillo will be reworked as the URL dillo.org is no longer under control of the project-team. Nevertheless the URL is used wide for that package and project. The project-team has written a clear article about their perspective: https://dillo-browser.github.io/dillo.org.html

Also a note from us direct: Please be always careful. Surely we track here the security-issues and situation. But also about packages from elsewhere it is better to stay critical. Not direct with sources first but with websites for sure. This example is a light one as there are foremost spam-articles mixed into a wordpress-blog now on dillo.org. But this can be also quite more severe for example used as honeypot, in that term just to collect metadata on the first run of visitors or even quite more.

Conclusion: We will use the new address as soon as possible.

CVE-2024-24577: libgit2 is a portable C implementation of the Git core methods provided as a linkable library with a solid API, allowing to build Git functionality into your application. Using well-crafted inputs to `git_index_add` can cause heap corruption that could be leveraged for arbitrary code execution. There is an issue in the `has_dir_name` function in `src/libgit2/index.c`, which frees an entry that should not be freed. The freed entry is later used and overwritten with potentially bad actor-controlled data leading to controlled heap corruption. Depending on the application that uses libgit2, this could lead to arbitrary code execution. This issue has been patched in version 1.6.5 and 1.7.2.

Conclusion: We will update our current version of libgit2 to version 1.7.2.

CVE-2024-6655: A flaw was found in the GTK library. Under certain conditions, it is possible for a library to be injected into a GTK application from the current working directory.

Conclusion: We will patch our packages gtk and gtk2.

CVE-2023-36328: Integer Overflow vulnerability in mp_grow in libtom libtommath before commit beba892bc0d4e4ded4d667ab1d2a94f4d75109a9, allows attackers to execute arbitrary code and cause a denial of service (DoS).

Conclusion: We will patch our package libtommath.

CVE-2022-24836: Nokogiri is a XML and HTML library for Ruby. Nokogiri `< v1.13.4` contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to detect encoding in HTML documents. Users are advised to upgrade to Nokogiri `>= 1.13.4`. There are no known workarounds for this issue.

Conclusion: We will patch our package ruby-nokogiri.

CVE-2024-41957: Vim is a command line text editor. Vim < v9.1.0647 has double free in src/alloc.c:616. When closing a window, the corresponding tagstack data will be cleared and freed. However a bit later, the quickfix list belonging to that window will also be cleared and if that quickfix list points to the same tagstack data, Vim will try to free it again, resulting in a double-free/use-after-free access exception. Impact is low since the user must intentionally execute vim with several non-default flags, but it may cause a crash of Vim. The issue has been fixed as of Vim patch v9.1.0647

CVE-2024-43374: The UNIX editor Vim prior to version 9.1.0678 has a use-after-free error in argument list handling. When adding a new file to the argument list, this triggers `Buf*` autocommands. If in such an autocommand the buffer that was just opened is closed (including the window where it is shown), this causes the window structure to be freed which contains a reference to the argument list that we are actually modifying. Once the autocommands are completed, the references to the window and argument list are no longer valid and as such cause an use-after-free. Impact is low since the user must either intentionally add some unusual autocommands that wipe a buffer during creation (either manually or by sourcing a malicious plugin), but it will crash Vim. The issue has been fixed as of Vim patch v9.1.0678.

Conclusion: We will update our package vim to version 9.1.0707.