diff options
| author | Markus Pettersson <markus.pettersson@mullvad.net> | 2025-07-03 08:55:48 +0200 |
|---|---|---|
| committer | Markus Pettersson <markus.pettersson@mullvad.net> | 2025-07-03 09:14:35 +0200 |
| commit | df8d29dafbbe58f301b20bd3dcd2d581260de185 (patch) | |
| tree | 408fdb6ebf70364227efefaca2af54f2c6f4894f /desktop | |
| parent | 432cb7ecfffad3d32a8b145dd0275eeb33fa3ddb (diff) | |
| download | mullvadvpn-df8d29dafbbe58f301b20bd3dcd2d581260de185.tar.xz mullvadvpn-df8d29dafbbe58f301b20bd3dcd2d581260de185.zip | |
Remove Pillow-related CVEs from osv-scanner.toml
Diffstat (limited to 'desktop')
| -rw-r--r-- | desktop/packages/mullvad-vpn/scripts/osv-scanner.toml | 42 |
1 files changed, 0 insertions, 42 deletions
diff --git a/desktop/packages/mullvad-vpn/scripts/osv-scanner.toml b/desktop/packages/mullvad-vpn/scripts/osv-scanner.toml index a71b8e4b63..4c2a177b7a 100644 --- a/desktop/packages/mullvad-vpn/scripts/osv-scanner.toml +++ b/desktop/packages/mullvad-vpn/scripts/osv-scanner.toml @@ -2,45 +2,3 @@ # All issues found here are ignored for 6 months at a time, instead of three, # since it is only used on trusted input and is scheduled for removal completely anyway. - -# Pillow arbitrary code execution -[[IgnoredVulns]] -id = "CVE-2023-50447" # GHSA-3f63-hfp8-52jq -ignoreUntil = 2025-09-12 -reason = "Only used internally, on trusted input. This tool is also scheduled for removal completely, so not worth trying to upgrade" - -# Pillow buffer overflow -[[IgnoredVulns]] -id = "CVE-2024-28219" # GHSA-44wm-f244-xhp3 -ignoreUntil = 2025-09-12 -reason = "Only used internally, on trusted input. This tool is also scheduled for removal completely, so not worth trying to upgrade" - -# Pillow DoS -[[IgnoredVulns]] -id = "CVE-2023-44271" # GHSA-8ghj-p4vj-mr35 -ignoreUntil = 2025-09-12 -reason = "Only used internally, on trusted input. This tool is also scheduled for removal completely, so not worth trying to upgrade" - -# libwebp: OOB write in BuildHuffmanTable -[[IgnoredVulns]] -id = "CVE-2023-5129" # GHSA-j7hp-h8jx-5ppr -ignoreUntil = 2025-09-12 -reason = "Only used internally, on trusted input. This tool is also scheduled for removal completely, so not worth trying to upgrade" - -# Pillow versions before v10.0.1 bundled libwebp binaries in wheels that are vulnerable to CVE-2023-5129 (previously CVE-2023-4863) -[[IgnoredVulns]] -id = "PYSEC-2023-175" -ignoreUntil = 2025-09-12 -reason = "Only used internally, on trusted input. This tool is also scheduled for removal completely, so not worth trying to upgrade" - -# Pillow versions before v10.0.1 bundled libwebp binaries in wheels that are vulnerable to CVE-2023-5129 (previously CVE-2023-4863) -[[IgnoredVulns]] -id = "GHSA-56pw-mpj4-fxww" -ignoreUntil = 2025-09-12 -reason = "Only used internally, on trusted input. This tool is also scheduled for removal completely, so not worth trying to upgrade" - -# Pillow vulnerable to Data Amplification attack. -[[IgnoredVulns]] -id = "CVE-2022-45198" # GHSA-m2vv-5vj5-2hm7 -ignoreUntil = 2025-09-12 -reason = "Only used internally, on trusted input. This tool is also scheduled for removal completely, so not worth trying to upgrade" |