
Should advisories be issued for python ctx and PHP phpass packages?

Open westonsteimel opened this issue 3 years ago • 5 comments

There is a tweet making headlines about some malicious code discovered in some abandoned Python and PHP packages. Does it make sense to create GitHub advisory records for these? I believe both have now been de-listed by PyPI and Packagist, but I think it might still be useful to have records generated for them here.

westonsteimel avatar May 24 '22 15:05 westonsteimel

A decent writeup of this can be found here https://isc.sans.edu/diary/28678

joshbressers avatar May 24 '22 16:05 joshbressers

Here are the details I could dig up on the ctx issue: https://github.com/cloudsecurityalliance/gsd-database/blob/main/2022/1002xxx/GSD-2022-1002521.json

joshbressers avatar May 24 '22 16:05 joshbressers

Here are some details on the phpass issue: https://github.com/cloudsecurityalliance/gsd-database/blob/main/2022/1002xxx/GSD-2022-1002522.json

joshbressers avatar May 24 '22 17:05 joshbressers

Here is the PyPA one for ctx for reference: https://github.com/pypa/advisory-database/blob/main/vulns/ctx/PYSEC-2022-199.yaml

westonsteimel avatar May 24 '22 18:05 westonsteimel

Ah, I see https://github.com/advisories/GHSA-4g82-3jcr-q52w just got added for ctx. Thanks!

westonsteimel avatar May 26 '22 20:05 westonsteimel

Looks like this was resolved so I'll close this issue, thanks all!

KateCatlin avatar Aug 23 '22 17:08 KateCatlin