
Commit 040795f

Sync Collecting Fix Commits: Sat Jun 6 13:59:43 UTC 2026
Signed-off-by: AboutCode Automation <automation@aboutcode.org>
1 parent aa9cdaf commit 040795f

3 files changed

Lines changed: 23 additions & 4 deletions

File tree

data/fix-commits/advisory-database-b78f1d41.json

Lines changed: 15 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,21 @@
11
{
22
"vcs_url": "https://github.com/github/advisory-database",
33
"vulnerabilities": {
4+
"GHSA-5422-5257-MH57": {
5+
"adcd9c5a5f33b543ab54f90693f7d2f7d43e1e7b": "Publish Advisories\n\nGHSA-5422-5257-mh57\nGHSA-6qr8-c78q-5fg9\nGHSA-cx7v-5xwm-4mqw\nGHSA-q432-rmqv-hh8m\nGHSA-qfjx-g344-4pcg"
6+
},
7+
"GHSA-6QR8-C78Q-5FG9": {
8+
"adcd9c5a5f33b543ab54f90693f7d2f7d43e1e7b": "Publish Advisories\n\nGHSA-5422-5257-mh57\nGHSA-6qr8-c78q-5fg9\nGHSA-cx7v-5xwm-4mqw\nGHSA-q432-rmqv-hh8m\nGHSA-qfjx-g344-4pcg"
9+
},
10+
"GHSA-CX7V-5XWM-4MQW": {
11+
"adcd9c5a5f33b543ab54f90693f7d2f7d43e1e7b": "Publish Advisories\n\nGHSA-5422-5257-mh57\nGHSA-6qr8-c78q-5fg9\nGHSA-cx7v-5xwm-4mqw\nGHSA-q432-rmqv-hh8m\nGHSA-qfjx-g344-4pcg"
12+
},
13+
"GHSA-Q432-RMQV-HH8M": {
14+
"adcd9c5a5f33b543ab54f90693f7d2f7d43e1e7b": "Publish Advisories\n\nGHSA-5422-5257-mh57\nGHSA-6qr8-c78q-5fg9\nGHSA-cx7v-5xwm-4mqw\nGHSA-q432-rmqv-hh8m\nGHSA-qfjx-g344-4pcg"
15+
},
16+
"GHSA-QFJX-G344-4PCG": {
17+
"adcd9c5a5f33b543ab54f90693f7d2f7d43e1e7b": "Publish Advisories\n\nGHSA-5422-5257-mh57\nGHSA-6qr8-c78q-5fg9\nGHSA-cx7v-5xwm-4mqw\nGHSA-q432-rmqv-hh8m\nGHSA-qfjx-g344-4pcg"
18+
},
419
"GHSA-2XF2-GJM6-G2C6": {
520
"2b0bb5999979e505b24f2b90e405b248ba058729": "Publish Advisories\n\nGHSA-2xf2-gjm6-g2c6\nGHSA-wrh5-cmwx-q2qr\nGHSA-x9hg-5q6g-q3jr",
621
"d81543e5aa21bd7338ae5624997302f8c2a78b9c": "Publish GHSA-2xf2-gjm6-g2c6"
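Review bot: The five added entries (lines 4 to 18 of the new file) all point at a single commit, adcd9c5a5f33b543ab54f90693f7d2f7d43e1e7b, whose message is "Publish Advisories" in the github/advisory-database repository named in "vcs_url"; that is the commit that published the advisory text, not a commit that fixes any of GHSA-5422-5257-mh57, GHSA-6qr8-c78q-5fg9, GHSA-cx7v-5xwm-4mqw, GHSA-q432-rmqv-hh8m or GHSA-qfjx-g344-4pcg in the affected projects. The existing "GHSA-2XF2-GJM6-G2C6" entry below shows the same pattern, so the collector appears to treat advisory-publication commits as fix commits whenever the advisory id appears in the message. Consider excluding vcs_url values that are advisory repositories rather than source repositories, or recording these under a separate key such as "advisory_commits" (name is a suggestion) so downstream consumers do not mistake them for patches. As a smaller point, the new keys are inserted ahead of "GHSA-2XF2-GJM6-G2C6" rather than in sorted order, which will keep producing churn on every sync.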

data/fix-commits/nltk-79cc9cf1.json

Lines changed: 3 additions & 0 deletions
@@ -1,6 +1,9 @@
11
{
22
"vcs_url": "https://github.com/nltk/nltk",
33
"vulnerabilities": {
4+
"CVE-2021-3828": {
5+
"042359aa80c0428f59ff0f19a1c93e42a99686da": "fix(security): prevent ReDoS in ReviewsCorpusReader FEATURES regex (CWE-1333) (#3583)\n\n* fix(security): bound ReviewsCorpusReader FEATURES label to prevent ReDoS (CWE-1333)\n\nThe FEATURES regex used an unbounded feature label ((?:(?:\\w+\\s)+)?\\w+), so\nre.findall rescans a long, bracket-less review line quadratically: a crafted\ncorpus line such as \"word \" * 100000 hangs the reader (ReDoS). Same class as\nCVE-2021-3828.\n\nBound the label to a word plus up to 50 single-whitespace-separated words\n(\\w+(?:\\s\\w+){0,50}), making extraction linear. Real feature labels are short\nnoun phrases, so extraction on normal corpora is unchanged (verified identical\nfindall output). Add regression tests.\n\nReachable via nltk.corpus.product_reviews_1.reviews()/.features()/.sents().\n\n* test(reviews): harden ReDoS regression tests per review\n\nAddresses Copilot's review on #3583 (test-file feedback only; the FEATURES\nregex fix is unchanged):\n\n- Run the \"must not hang\" checks in a separate spawned process with a hard\n timeout and terminate() on overrun, instead of a daemon thread. A quadratic\n regression can no longer keep a runaway thread burning CPU for the rest of the\n suite, and the worker's exceptions are propagated back to the assertions\n rather than swallowed.\n- Assert the end-to-end reader actually produced a result (one Review, no\n features) so a crash inside the worker can no longer masquerade as a pass.\n- Use the tmp_path fixture instead of tempfile.mkdtemp(), so the temp corpus is\n cleaned up automatically.\n- Drop the unused `re` import (ruff F401)."
6+
},
47
"GHSA-R6GQ-WHWQ-MVG9": {
58
"896a8ee981d8089b9edc2309aa10dcac6e2dec48": "Add realpath symlink check to FileSystemPathPointer.join()\n\nAfter the existing lexical normpath check, resolve symlinks with\nrealpath() and verify the result stays within the corpus root.\nThis prevents symlink escapes where a path looks lexically\ncontained but resolves outside the root via a symlink.\n\nAlso blocks absolute file IDs.\n\nFixes GHSA-r6gq-whwq-mvg9. Does not touch open() \u2014 that is\nhandled by pathsec.open() via _secure_open.\n\nCo-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>",
69
"cbe04c348677ee0d80dd4753d602d5915faad95f": "Unconditionally enforce path containment in FileSystemPathPointer\n\nFileSystemPathPointer is the trust boundary for corpus readers.\nIts open() and join() methods must always enforce containment\nregardless of pathsec.ENFORCE setting.\n\nChanges:\n- Add _check_containment(): resolves symlinks with realpath() and\n verifies the path is within an allowed nltk.data.path directory.\n Always raises ValueError on violation (not warn-only).\n- open(): calls _check_containment() before opening, fixing\n GHSA-72r2-7mfr-5xr9 (no-op sandbox check)\n- join(): adds realpath-based symlink resolution check after the\n lexical normpath check, fixing GHSA-r6gq-whwq-mvg9 (symlink\n escape). Also blocks absolute file IDs.\n\nThese checks are independent of ENFORCE=True/False because they\nprotect the corpus reader sandbox, not general file I/O.\n\nCo-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>"
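Review bot: The new "CVE-2021-3828" entry (lines 4 to 6 of the new file) looks like a false positive from matching the CVE id anywhere in the commit message. The message of 042359aa80c0428f59ff0f19a1c93e42a99686da describes a ReDoS fix in ReviewsCorpusReader's FEATURES regex for PR #3583 and says only "Same class as CVE-2021-3828", i.e. it cites the CVE as a comparison, not as the issue being fixed. Recording it as the fix commit for CVE-2021-3828 would misattribute the patch. Consider requiring the CVE id in the subject line, or a "Fixes"/"Resolves"-style reference, before accepting a match, and treating phrases such as "Same class as" as a negative signal; the unchanged "GHSA-R6GQ-WHWQ-MVG9" entries below ("Fixes GHSA-r6gq-whwq-mvg9", "fixing GHSA-r6gq-whwq-mvg9") show what a positive reference looks like in this repository.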

data/fix-commits/zulip-d01c81dd.json

Lines changed: 5 additions & 4 deletions
@@ -1,6 +1,11 @@
11
{
22
"vcs_url": "https://github.com/zulip/zulip",
33
"vulnerabilities": {
4+
"CVE-2023-28623": {
5+
"0903ea766f651d32201cffa0fad871e7a9f08201": "registration: Don't require LDAP auth for externally-verified users.\n\nOn servers with both ZulipLDAPAuthBackend and an external\nauthentication method (e.g. SAML) enabled, a new user who exists in\nthe LDAP directory could not complete signup via the external\nmethod: the registration code path required LDAP authentication to\nsucceed, but no LDAP password is available, since the user's\nidentity was verified by the external method. The failed\nauthentication was only permitted to fall through to account\ncreation if the user was *absent* from the LDAP directory.\n\nThe result, since Zulip Server 2.1.0, was a silent redirect back to\nthe login page -- a loop with no account created, no user-facing\nerror, nothing in the error logs beyond a DEBUG-level \"Rejecting\nempty password\" line, and a stray PreregistrationUser row\naccumulating for each attempt.\n\nAllow account creation to proceed whenever the user's identity was\nalready verified by an external authentication method, as scenario 2\nof the comment added in the fix for CVE-2023-28623 already promised.\nThat CVE's protection is unaffected: signups whose only verification\nis an email confirmation link still require LDAP authentication when\nEmailAuthBackend is disabled. This does additionally allow an\nexternally-verified user whose email matches LDAP_APPEND_DOMAIN but\nwho is missing from the LDAP directory to sign up, matching the\nbehavior of servers that enable the external method without the LDAP\nbackend.",
6+
"a23b077b79cae11757fb97f8d4e174af153c7104": "CVE-2023-28623: Prevent unauthorized signup with ldap + external auth.\n\nSince 74dd21c8fa13 in Zulip Server 2.1.0, if:\n- ZulipLDAPAuthBackend and an external authentication backend (any aside\n of ZulipLDAPAuthBackend and EmailAuthBackend) are the only ones\n enabled in AUTHENTICATION_BACKENDS in /etc/zulip/settings.py\n- The organization permissions don't require invitations to join\n\n...then an attacker can create a new account in the organization with\nan arbitrary email address in their control that's not in the\norganization's LDAP directory.\n\nThe impact is limited to installations which have the specific\ncombination of authentication backends described above, in addition to\nhaving the \"Invitations are required for joining this organization\norganization\" permission disabled.",
7+
"3df1b4dd7c210c21deb6f829df19412b74573f8d": "CVE-2023-28623: Prevent unauthorized signup with ldap + external auth.\n\nSince 74dd21c8fa13 in Zulip Server 2.1.0, if:\n- ZulipLDAPAuthBackend and an external authentication backend (any aside\n of ZulipLDAPAuthBackend and EmailAuthBackend) are the only ones\n enabled in AUTHENTICATION_BACKENDS in /etc/zulip/settings.py\n- The organization permissions don't require invitations to join\n\n...then an attacker can create a new account in the organization with\nan arbitrary email address in their control that's not in the\norganization's LDAP directory.\n\nThe impact is limited to installations which have the specific\ncombination of authentication backends described above, in addition to\nhaving the \"Invitations are required for joining this organization\norganization\" permission disabled."
8+
},
49
"CVE-2026-40300": {
510
"c7ddd7884aced3b1ee9017fa4f11d0c69048bf9b": "CVE-2026-40300: Use allowlist for edit history moves-only visibility.\n\nThe previous denylist approach removed prev_content,\nprev_rendered_content, and content_html_diff from move events, but\nleft content and rendered_content visible. This leaked the message\nbody through every moves-only history entry. The code also mutated\ninput dicts in place.\n\nSwitch to an allowlist that copies only move-related properties\n(timestamp, user_id, topic, prev_topic, stream, prev_stream) into a\nfresh dict. Each field is copied only if present, since this\nfunction is called both with FormattedEditHistoryEvent values from\nthe edit-history endpoint and with raw EditHistoryEvent values from\nthe message-fetch path, where topic and stream only appear in events\nthat actually changed them.\n\nCo-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>"
611
},
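Review bot: The first commit added under "CVE-2023-28623" (line 5 of the new file, 0903ea766f651d32201cffa0fad871e7a9f08201) is a follow-up to the CVE fix, not the fix itself: its message says it relaxes the registration check for externally-verified users and that "That CVE's protection is unaffected". The other two commits (a23b077b79cae11757fb97f8d4e174af153c7104 and 3df1b4dd7c210c21deb6f829df19412b74573f8d) are the ones whose subject line is "CVE-2023-28623: Prevent unauthorized signup with ldap + external auth." If this file is meant to list fixing commits only, the follow-up should be filtered out or flagged, since a consumer diffing the "fix" against its parent would otherwise pick up the commit that loosens the check rather than the one that introduced it. Also, the entry is being re-inserted at the top of "vulnerabilities" while the identical block is deleted further down in the next hunk, which is pure reordering.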
@@ -71,10 +76,6 @@
7176
"4c4caa7be46aaed9c6c355307ab38ae99cf1c6d9": "CVE-2023-32677: Check permission to subscribe other users in invites.\n\nThis commit updates the API to check the permission to subscribe other\nusers while inviting. The API will error if the user passes the\n\"stream_ids\" parameter (even when it contains only default streams)\nand the calling user does not having permission to subscribe others to\nstreams.\n\nFor users who do not have permission to subscribe others, the\ninvitee will be subscribed to default streams at the time of\naccepting the invite.\n\nThere is no change for multiuse invites, since only admins are allowed\nto send them, and admins always have the permission to subscribe\nothers to streams.",
7277
"7c2693a2c64904d1d0af8503b57763943648cbe5": "CVE-2023-32677: Check permission to subscribe other users in invites.\n\nThis commit updates the API to check the permission to subscribe other\nusers while inviting. The API will error if the user passes the\n\"stream_ids\" parameter (even when it contains only default streams)\nand the calling user does not having permission to subscribe others to\nstreams.\n\nFor users who do not have permission to subscribe others, the\ninvitee will be subscribed to default streams at the time of\naccepting the invite.\n\nThere is no change for multiuse invites, since only admins are allowed\nto send them, and admins always have the permission to subscribe\nothers to streams."
7378
},
74-
"CVE-2023-28623": {
75-
"a23b077b79cae11757fb97f8d4e174af153c7104": "CVE-2023-28623: Prevent unauthorized signup with ldap + external auth.\n\nSince 74dd21c8fa13 in Zulip Server 2.1.0, if:\n- ZulipLDAPAuthBackend and an external authentication backend (any aside\n of ZulipLDAPAuthBackend and EmailAuthBackend) are the only ones\n enabled in AUTHENTICATION_BACKENDS in /etc/zulip/settings.py\n- The organization permissions don't require invitations to join\n\n...then an attacker can create a new account in the organization with\nan arbitrary email address in their control that's not in the\norganization's LDAP directory.\n\nThe impact is limited to installations which have the specific\ncombination of authentication backends described above, in addition to\nhaving the \"Invitations are required for joining this organization\norganization\" permission disabled.",
76-
"3df1b4dd7c210c21deb6f829df19412b74573f8d": "CVE-2023-28623: Prevent unauthorized signup with ldap + external auth.\n\nSince 74dd21c8fa13 in Zulip Server 2.1.0, if:\n- ZulipLDAPAuthBackend and an external authentication backend (any aside\n of ZulipLDAPAuthBackend and EmailAuthBackend) are the only ones\n enabled in AUTHENTICATION_BACKENDS in /etc/zulip/settings.py\n- The organization permissions don't require invitations to join\n\n...then an attacker can create a new account in the organization with\nan arbitrary email address in their control that's not in the\norganization's LDAP directory.\n\nThe impact is limited to installations which have the specific\ncombination of authentication backends described above, in addition to\nhaving the \"Invitations are required for joining this organization\norganization\" permission disabled."
77-
},
7879
"CVE-2023-22735": {
7980
"2f6c5a883e106aa82a570d3d1f243993284b70f3": "CVE-2023-22735: Provide the Content-Disposition header from S3.\n\nThe Content-Type of user-provided uploads was provided by the browser\nat initial upload time, and stored in S3; however, 04cf68b45ebb\nswitched to determining the Content-Disposition merely from the\nfilename. This makes uploads vulnerable to a stored XSS, wherein a\nfile uploaded with a content-type of `text/html` and an extension of\n`.png` would be served to browsers as `Content-Disposition: inline`,\nwhich is unsafe.\n\nThe `Content-Security-Policy` headers in the previous commit mitigate\nthis, but only for browsers which support them.\n\nRevert parts of 04cf68b45ebb, specifically by allowing S3 to provide\nthe Content-Disposition header, and using the\n`ResponseContentDisposition` argument when necessary to override it to\n`attachment`. Because we expect S3 responses to vary based on this\nargument, we include it in the cache key; since the query parameter\nhas dashes in it, we can't use use the helper `$arg_` variables, and\nmust parse it from the query parameters manually.\n\nAdding the disposition may decrease the cache hit rate somewhat, but\ndownloads are infrequent enough that it is unlikely to have a\nnoticeable effect. We take care to not adjust the cache key for\nrequests which do not specify the disposition.",
8081
"36e97f8121a19a7955e666d24a80ea2cf3d0b75a": "CVE-2023-22735: Set a Content-Security-Policy header on proxied S3 data.\n\nThis was missed in 04cf68b45ebb5c03247a0d6453e35ffc175d55da; as this\ncontent is fundamentally untrusted, it must be served with\n`Content-Security-Policy` headers in order to be safe. These headers\nwere not provided previously for S3 content because it was served from\nthe S3 domain.\n\nThis mitigates content served from Zulip which could be a stored XSS,\nbut only in browsers which support Content-Security-Policy headers;\nsee subsequent commit for the complete solution."
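Review bot: This hunk only removes the "CVE-2023-28623" block (old lines 74 to 77) that the first hunk re-adds near the top of the file with the same two commit hashes, a23b077b79cae11757fb97f8d4e174af153c7104 and 3df1b4dd7c210c21deb6f829df19412b74573f8d, and the same messages. That means the writer emits keys in update order rather than a stable order, so every sync that touches an existing advisory moves its block and produces a diff out of proportion to the actual change (here one new hash). Serializing with sorted keys (for example json.dump(..., sort_keys=True) in Python, which is an assumption about the tooling) would keep re-syncs minimal and make the real additions reviewable.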
