aeson
| # | Introduced | Fixed | Summary |
|---|
| HSEC-2023-0001 | 0.4.0.0 | 2.0.1.0 | Hash flooding vulnerability in aeson |
base
| # | Introduced | Fixed | Summary |
|---|
| HSEC-2023-0007 | 3.0.3.1 | | readFloat: memory exhaustion with large exponent |
biscuit-haskell
| # | Introduced | Fixed | Summary |
|---|
| HSEC-2024-0009 | 0.3.0.0 | 0.4.0.0 | Public key confusion in third-party blocks |
| HSEC-2023-0002 | 0.1.0.0 | 0.2.0.0 | Improper Verification of Cryptographic Signature |
bz2
| # | Introduced | Fixed | Summary |
|---|
| HSEC-2024-0002 | 0.1.0.0 | 1.0.1.1 | out-of-bounds write when there are many bzip2 selectors |
bzlib
| # | Introduced | Fixed | Summary |
|---|
| HSEC-2024-0002 | 0.4 | 0.5.2.0 | out-of-bounds write when there are many bzip2 selectors |
bzlib-conduit
| # | Introduced | Fixed | Summary |
|---|
| HSEC-2024-0002 | 0.1.0.0 | 0.3.0.3 | out-of-bounds write when there are many bzip2 selectors |
cabal-install
| # | Introduced | Fixed | Summary |
|---|
| HSEC-2023-0015 | 1.24.0.0 | 3.10.2.0 | cabal-install uses expired key policies |
git-annex
| # | Introduced | Fixed | Summary |
|---|
| HSEC-2023-0013 | 0.20110401 | 5.20140919 | git-annex plaintext storage of embedded credentials on encrypted remotes |
| HSEC-2023-0012 | 0.20110417 | 6.20160419 | git-annex checksum exposure to encrypted special remotes |
| HSEC-2023-0011 | 0.20110417 | 6.20180626 | git-annex GPG decryption attack via compromised remote |
| HSEC-2023-0010 | 0.1 | 6.20180626 | git-annex private data exfiltration to compromised remote |
| HSEC-2023-0009 | 0.1 | 6.20170818 | git-annex command injection via malicious SSH hostname |
hledger-web
| # | Introduced | Fixed | Summary |
|---|
| HSEC-2023-0008 | 0.24 | 1.23 | Stored XSS in hledger-web |
keter
| # | Introduced | Fixed | Summary |
|---|
| HSEC-2024-0001 | 0.3.4 | 1.8.4 | Reflected XSS vulnerability in keter |
pandoc
| # | Introduced | Fixed | Summary |
|---|
| HSEC-2023-0014 | 1.13 | 3.1.4 | Arbitrary file write is possible when using PDF output or --extract-media with untrusted input |
process
| # | Introduced | Fixed | Summary |
|---|
| HSEC-2024-0003 | 1.0.0.0 | 1.6.23.0 | process: command injection via argument list on Windows |
tls-extra
| # | Introduced | Fixed | Summary |
|---|
| HSEC-2023-0005 | 0.1.0 | 0.4.6.1 | tls-extra: certificate validation does not check Basic Constraints |
toml-reader
| # | Introduced | Fixed | Summary |
|---|
| HSEC-2023-0007 | 0.1.0.0 | 0.2.0.0 | readFloat: memory exhaustion with large exponent |
x509-validation
| # | Introduced | Fixed | Summary |
|---|
| HSEC-2023-0006 | 1.4.0 | 1.4.8 | x509-validation does not enforce pathLenConstraint |
xml-conduit
| # | Introduced | Fixed | Summary |
|---|
| HSEC-2023-0004 | 0.5.0 | 1.9.1.0 | xml-conduit unbounded entity expansion |
xmonad-contrib
| # | Introduced | Fixed | Summary |
|---|
| HSEC-2023-0003 | 0.5 | 0.11.2 | code injection in xmonad-contrib |