From 3337cfb87694bb59f7a0b18e18faf016269fff17 Mon Sep 17 00:00:00 2001 From: Tim White Date: Tue, 10 Oct 2023 15:05:49 +1300 Subject: [PATCH 1/4] Improve GHSA-fjq5-5j5f-mvxh --- .../GHSA-fjq5-5j5f-mvxh.json | 33 ++++++++++++++++++- 1 file changed, 32 insertions(+), 1 deletion(-) diff --git a/advisories/github-reviewed/2022/05/GHSA-fjq5-5j5f-mvxh/GHSA-fjq5-5j5f-mvxh.json b/advisories/github-reviewed/2022/05/GHSA-fjq5-5j5f-mvxh/GHSA-fjq5-5j5f-mvxh.json index 69f2544fe9656..47d3c3a8b2eb7 100644 --- a/advisories/github-reviewed/2022/05/GHSA-fjq5-5j5f-mvxh/GHSA-fjq5-5j5f-mvxh.json +++ b/advisories/github-reviewed/2022/05/GHSA-fjq5-5j5f-mvxh/GHSA-fjq5-5j5f-mvxh.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-fjq5-5j5f-mvxh", - "modified": "2022-11-03T22:57:31Z", + "modified": "2023-10-10T02:04:24Z", "published": "2022-05-13T01:25:20Z", "aliases": [ "CVE-2015-7501" @@ -52,6 +52,33 @@ ] } ] + }, + { + "package": { + "ecosystem": "Maven", + "name": "net.sourceforge.collections:collections-generic" + }, + "versions": [ + "4.01" + ] + }, + { + "package": { + "ecosystem": "Maven", + "name": "org.apache.servicemix.bundles:org.apache.servicemix.bundles.collections-generic" + }, + "versions": [ + "4.01_1" + ] + }, + { + "package": { + "ecosystem": "Maven", + "name": "org.apache.servicemix.bundles:org.apache.servicemix.bundles.commons-collections" + }, + "versions": [ + "3.2.1_3" + ] } ], "references": [ @@ -90,6 +117,10 @@ { "type": "WEB", "url": "http://rhn.redhat.com/errata/RHSA-2016-1773.html" + }, + { + "type": "WEB", + "url": "https://github.com/jensdietrich/xshady-release/tree/main/CVE-2015-7501" } ], "database_specific": { From fb362493fb35d8455266a35445038e8451a38821 Mon Sep 17 00:00:00 2001 From: Tim White Date: Fri, 13 Oct 2023 14:30:07 +1300 Subject: [PATCH 2/4] Add 2 more confirmed-vulnerable versions of org.apache.servicemix.bundles:org.apache.servicemix.bundles.commons-collections --- .../2022/05/GHSA-fjq5-5j5f-mvxh/GHSA-fjq5-5j5f-mvxh.json | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/advisories/github-reviewed/2022/05/GHSA-fjq5-5j5f-mvxh/GHSA-fjq5-5j5f-mvxh.json b/advisories/github-reviewed/2022/05/GHSA-fjq5-5j5f-mvxh/GHSA-fjq5-5j5f-mvxh.json index 47d3c3a8b2eb7..6f80917be3dcc 100644 --- a/advisories/github-reviewed/2022/05/GHSA-fjq5-5j5f-mvxh/GHSA-fjq5-5j5f-mvxh.json +++ b/advisories/github-reviewed/2022/05/GHSA-fjq5-5j5f-mvxh/GHSA-fjq5-5j5f-mvxh.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-fjq5-5j5f-mvxh", - "modified": "2023-10-10T02:04:24Z", + "modified": "2023-10-13T01:15:16Z", "published": "2022-05-13T01:25:20Z", "aliases": [ "CVE-2015-7501" @@ -77,6 +77,8 @@ "name": "org.apache.servicemix.bundles:org.apache.servicemix.bundles.commons-collections" }, "versions": [ + "3.2.1_1", + "3.2.1_2", "3.2.1_3" ] } From 6fd3b9eca36f0c07bc2ec4f282c319d9644edb53 Mon Sep 17 00:00:00 2001 From: Tim White Date: Fri, 13 Oct 2023 14:42:33 +1300 Subject: [PATCH 3/4] Improve refs, add version range and source repo metadata --- .../GHSA-fjq5-5j5f-mvxh.json | 56 ++++++++++++++++++- 1 file changed, 55 insertions(+), 1 deletion(-) diff --git a/advisories/github-reviewed/2022/05/GHSA-fjq5-5j5f-mvxh/GHSA-fjq5-5j5f-mvxh.json b/advisories/github-reviewed/2022/05/GHSA-fjq5-5j5f-mvxh/GHSA-fjq5-5j5f-mvxh.json index 6f80917be3dcc..b83b2b1ba3ea8 100644 --- a/advisories/github-reviewed/2022/05/GHSA-fjq5-5j5f-mvxh/GHSA-fjq5-5j5f-mvxh.json +++ b/advisories/github-reviewed/2022/05/GHSA-fjq5-5j5f-mvxh/GHSA-fjq5-5j5f-mvxh.json @@ -58,6 +58,16 @@ "ecosystem": "Maven", "name": "net.sourceforge.collections:collections-generic" }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.01" + } + ] + } + ], "versions": [ "4.01" ] @@ -67,6 +77,16 @@ "ecosystem": "Maven", "name": "org.apache.servicemix.bundles:org.apache.servicemix.bundles.collections-generic" }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.01_1" + } + ] + } + ], "versions": [ "4.01_1" ] @@ -76,6 +96,16 @@ "ecosystem": "Maven", "name": "org.apache.servicemix.bundles:org.apache.servicemix.bundles.commons-collections" }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "3.2.1_1" + } + ] + } + ], "versions": [ "3.2.1_1", "3.2.1_2", @@ -121,8 +151,32 @@ "url": "http://rhn.redhat.com/errata/RHSA-2016-1773.html" }, { - "type": "WEB", + "type": "EVIDENCE", "url": "https://github.com/jensdietrich/xshady-release/tree/main/CVE-2015-7501" + }, + { + "type": "WEB", + "url": "https://arxiv.org/pdf/2306.05534.pdf" + }, + { + "type": "PACKAGE", + "url": "https://sourceforge.net/p/collections/code/HEAD/tree/" + }, + { + "type": "PACKAGE", + "url": "https://svn.apache.org/viewvc/servicemix/smx4/bundles/tags/org.apache.servicemix.bundles.collections-generic-4.01_1" + }, + { + "type": "PACKAGE", + "url": "https://svn.apache.org/viewvc/servicemix/smx4/bundles/tags/org.apache.servicemix.bundles.commons-collections-3.2.1_1" + }, + { + "type": "PACKAGE", + "url": "https://svn.apache.org/viewvc/servicemix/smx4/bundles/tags/org.apache.servicemix.bundles.commons-collections-3.2.1_2" + }, + { + "type": "PACKAGE", + "url": "https://svn.apache.org/viewvc/servicemix/smx4/bundles/tags/org.apache.servicemix.bundles.commons-collections-3.2.1_3" } ], "database_specific": { From 5c576568cf2239c283beb87a41d9abf9ac125e75 Mon Sep 17 00:00:00 2001 From: Tim White Date: Thu, 19 Oct 2023 13:17:50 +1300 Subject: [PATCH 4/4] Remove explicit version list to satisfy 'Explicitly listing more than one affected version is not currently supported. Use range events instead.' --- .../2022/05/GHSA-fjq5-5j5f-mvxh/GHSA-fjq5-5j5f-mvxh.json | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/advisories/github-reviewed/2022/05/GHSA-fjq5-5j5f-mvxh/GHSA-fjq5-5j5f-mvxh.json b/advisories/github-reviewed/2022/05/GHSA-fjq5-5j5f-mvxh/GHSA-fjq5-5j5f-mvxh.json index b83b2b1ba3ea8..0aa6a9f20c00a 100644 --- a/advisories/github-reviewed/2022/05/GHSA-fjq5-5j5f-mvxh/GHSA-fjq5-5j5f-mvxh.json +++ b/advisories/github-reviewed/2022/05/GHSA-fjq5-5j5f-mvxh/GHSA-fjq5-5j5f-mvxh.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-fjq5-5j5f-mvxh", - "modified": "2023-10-13T01:15:16Z", + "modified": "2023-10-19T00:16:58Z", "published": "2022-05-13T01:25:20Z", "aliases": [ "CVE-2015-7501" @@ -105,11 +105,6 @@ } ] } - ], - "versions": [ - "3.2.1_1", - "3.2.1_2", - "3.2.1_3" ] } ],