Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit 1435a07cc737 · 2026-01-23T22:35:14.000Z
GHSA-wcxc-jf6c-8rx9 GHSA-xvcg-2q82-r87j GHSA-g3vv-g2j5-45f2 GHSA-967g-cjx4-h7j6
diff --git a/advisories/github-reviewed/2021/08/GHSA-wcxc-jf6c-8rx9/GHSA-wcxc-jf6c-8rx9.json b/advisories/github-reviewed/2021/08/GHSA-wcxc-jf6c-8rx9/GHSA-wcxc-jf6c-8rx9.json
@@ -1,11 +1,12 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-wcxc-jf6c-8rx9",
-  "modified": "2021-08-18T20:24:24Z",
+  "modified": "2026-01-23T22:32:51Z",
   "published": "2021-08-25T20:57:21Z",
+  "withdrawn": "2026-01-23T22:32:51Z",
   "aliases": [],
-  "summary": " Uncaught Exception in libpulse-binding",
-  "details": "Affected versions of this crate failed to catch panics crossing FFI boundaries via callbacks, which\nis a form of UB. This flaw was corrected by [this commit][1] which was included in version 2.6.0.",
+  "summary": "Duplicate Advisory: Uncaught Exception in libpulse-binding",
+  "details": "## Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-xvcg-2q82-r87j. This link is maintained to preserve external references.\n\n## Original Description\nAffected versions of this crate failed to catch panics crossing FFI boundaries via callbacks, which\nis a form of UB. This flaw was corrected by [this commit][1] which was included in version 2.6.0.",
   "severity": [],
   "affected": [
     {
diff --git a/advisories/github-reviewed/2022/01/GHSA-xvcg-2q82-r87j/GHSA-xvcg-2q82-r87j.json b/advisories/github-reviewed/2022/01/GHSA-xvcg-2q82-r87j/GHSA-xvcg-2q82-r87j.json
@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-xvcg-2q82-r87j",
-  "modified": "2022-01-07T16:25:11Z",
+  "modified": "2026-01-23T22:33:12Z",
   "published": "2022-01-06T22:18:19Z",
   "aliases": [
     "CVE-2019-25055"
@@ -58,7 +58,9 @@
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
+    "cwe_ids": [
+      "CWE-248"
+    ],
     "severity": "HIGH",
     "github_reviewed": true,
     "github_reviewed_at": "2022-01-06T18:18:40Z",
diff --git a/advisories/github-reviewed/2022/04/GHSA-g3vv-g2j5-45f2/GHSA-g3vv-g2j5-45f2.json b/advisories/github-reviewed/2022/04/GHSA-g3vv-g2j5-45f2/GHSA-g3vv-g2j5-45f2.json
@@ -1,9 +1,11 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-g3vv-g2j5-45f2",
-  "modified": "2023-08-30T17:56:37Z",
+  "modified": "2026-01-23T22:34:06Z",
   "published": "2022-04-08T22:08:45Z",
-  "aliases": [],
+  "aliases": [
+    "CVE-2022-2584"
+  ],
   "summary": "ipld/go-codec-dagpb panics when processing certain blocks",
   "details": "### Impact \nDecoding certain blocks using the go-ipld-prime version of the dag-pb codec (go-codec-dagpb) can cause a panic.  The panic comes from an assumption that the reported link length is accurate, but if the block ends before that reported length then it’s a buffer overread.\n\n### Patches\nThe issue is fixed in v1.3.1 and above.\n\nConsumers can discover the versions of `go-codec-dagpb` in a module's dependency graph using the following command in the module root:\n\n```go mod graph | grep go-codec-dagpb```\n\n### Workarounds\nYou can work around this issue without upgrading by recovering panics higher in the call stack of the goroutine that calls the defective code.\n\n### For more information\nIf you have any questions or comments about this advisory:\n\n* Ask in [IPFS Discord #ipld-chatter](https://discord.gg/ipfs)\n* Open an issue in [go-codec-dagpb](https://github.com/ipld/go-codec-dagpb)",
   "severity": [
diff --git a/advisories/github-reviewed/2022/12/GHSA-967g-cjx4-h7j6/GHSA-967g-cjx4-h7j6.json b/advisories/github-reviewed/2022/12/GHSA-967g-cjx4-h7j6/GHSA-967g-cjx4-h7j6.json
@@ -1,13 +1,12 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-967g-cjx4-h7j6",
-  "modified": "2023-02-09T21:40:05Z",
+  "modified": "2026-01-23T22:34:00Z",
   "published": "2022-12-28T00:30:23Z",
-  "aliases": [
-    "CVE-2022-2584"
-  ],
-  "summary": "go-codec-dagpb vulnerable to panic when decoding invalid blocks",
-  "details": "go-codec-dagpb is an implementation of the DAG-PB spec for Go. The dag-pb codec can panic when decoding invalid blocks. This issue has been patched in version 1.3.1.",
+  "withdrawn": "2026-01-23T22:34:00Z",
+  "aliases": [],
+  "summary": "Duplicate Advisory: go-codec-dagpb vulnerable to panic when decoding invalid blocks",
+  "details": "## Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-g3vv-g2j5-45f2. This link is maintained to preserve external references.\n\n## Original Description\ngo-codec-dagpb is an implementation of the DAG-PB spec for Go. The dag-pb codec can panic when decoding invalid blocks. This issue has been patched in version 1.3.1.",
   "severity": [
     {
       "type": "CVSS_V3",
