Assign IDs

github-actions · github-actions · commit 92ba00788c22 · 2025-06-03T20:58:35.000Z
diff --git a/advisories/.id-allocator b/advisories/.id-allocator
@@ -1 +1 @@
-a1a222b327af5612997b49e482503ce60f9a7cde94f4fa5737d3881fa3ea71e1
+6d73e534133379103eb0a0b74fe16670e5adbae38b9f429a61de6a4d8021cf05
diff --git a/advisories/python/PSF-2025-5.json b/advisories/python/PSF-2025-5.json
@@ -1,12 +1,12 @@
 {
+  "modified": "2025-06-03T20:55:06Z",
+  "published": "2025-06-03T12:59:10Z",
   "schema_version": "1.5.0",
-  "id": "PSF-0000-CVE-2024-12718",
+  "id": "PSF-2025-5",
   "aliases": [
     "CVE-2024-12718"
   ],
-  "published": "2025-06-03T12:59:10.908Z",
-  "modified": "2025-06-03T20:55:06.702Z",
-  "details": "Allows modifying some file metadata (e.g. last modified) with filter=\"data\"\u00a0or file permissions (chmod) with filter=\"tar\"\u00a0of files outside the extraction directory.\nYou are affected by this vulnerability if using the tarfile\u00a0module to extract untrusted tar archives using TarFile.extractall()\u00a0or TarFile.extract()\u00a0using the filter=\u00a0parameter with a value of \"data\"\u00a0or \"tar\". See the tarfile  extraction filters documentation https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter \u00a0for more information. Only Python versions 3.12 or later are affected by these vulnerabilities, earlier versions don't include the extraction filter feature.\n\nNote that for Python 3.14 or later the default value of filter=\u00a0changed from \"no filtering\" to `\"data\", so if you are relying on this new default behavior then your usage is also affected.\n\nNote that none of these vulnerabilities significantly affect the installation of source distributions which are tar archives as source distributions already allow arbitrary code execution during the build process. However when evaluating source distributions it's important to avoid installing source distributions with suspicious links.",
+  "details": "Allows modifying some file metadata (e.g. last modified) with filter=\"data\" or file permissions (chmod) with filter=\"tar\" of files outside the extraction directory.\nYou are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall() or TarFile.extract() using the filter= parameter with a value of \"data\" or \"tar\". See the tarfile  extraction filters documentation https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter  for more information. Only Python versions 3.12 or later are affected by these vulnerabilities, earlier versions don't include the extraction filter feature.\n\nNote that for Python 3.14 or later the default value of filter= changed from \"no filtering\" to `\"data\", so if you are relying on this new default behavior then your usage is also affected.\n\nNote that none of these vulnerabilities significantly affect the installation of source distributions which are tar archives as source distributions already allow arbitrary code execution during the build process. However when evaluating source distributions it's important to avoid installing source distributions with suspicious links.",
   "affected": [
     {
       "ranges": [
@@ -103,4 +103,4 @@
   "database_specific": {
     "cwe_ids": []
   }
-}
+}
diff --git a/advisories/python/PSF-2025-6.json b/advisories/python/PSF-2025-6.json
@@ -1,12 +1,12 @@
 {
+  "modified": "2025-06-03T20:53:14Z",
+  "published": "2025-06-03T12:59:02Z",
   "schema_version": "1.5.0",
-  "id": "PSF-0000-CVE-2025-4138",
+  "id": "PSF-2025-6",
   "aliases": [
     "CVE-2025-4138"
   ],
-  "published": "2025-06-03T12:59:02.717Z",
-  "modified": "2025-06-03T20:53:14.850Z",
-  "details": "Allows the extraction filter to be ignored, allowing symlink targets to point outside the destination directory, and the modification of some file metadata.\n\n\nYou are affected by this vulnerability if using the tarfile\u00a0module to extract untrusted tar archives using TarFile.extractall()\u00a0or TarFile.extract()\u00a0using the filter=\u00a0parameter with a value of \"data\"\u00a0or \"tar\". See the tarfile  extraction filters documentation https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter \u00a0for more information. Only Python versions 3.12 or later are affected by these vulnerabilities, earlier versions don't include the extraction filter feature.\n\nNote that for Python 3.14 or later the default value of filter=\u00a0changed from \"no filtering\" to `\"data\", so if you are relying on this new default behavior then your usage is also affected.\n\nNote that none of these vulnerabilities significantly affect the installation of source distributions which are tar archives as source distributions already allow arbitrary code execution during the build process. However when evaluating source distributions it's important to avoid installing source distributions with suspicious links.",
+  "details": "Allows the extraction filter to be ignored, allowing symlink targets to point outside the destination directory, and the modification of some file metadata.\n\n\nYou are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall() or TarFile.extract() using the filter= parameter with a value of \"data\" or \"tar\". See the tarfile  extraction filters documentation https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter  for more information. Only Python versions 3.12 or later are affected by these vulnerabilities, earlier versions don't include the extraction filter feature.\n\nNote that for Python 3.14 or later the default value of filter= changed from \"no filtering\" to `\"data\", so if you are relying on this new default behavior then your usage is also affected.\n\nNote that none of these vulnerabilities significantly affect the installation of source distributions which are tar archives as source distributions already allow arbitrary code execution during the build process. However when evaluating source distributions it's important to avoid installing source distributions with suspicious links.",
   "affected": [
     {
       "ranges": [
@@ -99,4 +99,4 @@
   "database_specific": {
     "cwe_ids": []
   }
-}
+}
diff --git a/advisories/python/PSF-2025-7.json b/advisories/python/PSF-2025-7.json
@@ -1,12 +1,12 @@
 {
+  "modified": "2025-06-03T20:53:21Z",
+  "published": "2025-06-03T12:58:57Z",
   "schema_version": "1.5.0",
-  "id": "PSF-0000-CVE-2025-4330",
+  "id": "PSF-2025-7",
   "aliases": [
     "CVE-2025-4330"
   ],
-  "published": "2025-06-03T12:58:57.452Z",
-  "modified": "2025-06-03T20:53:21.110Z",
-  "details": "Allows the extraction filter to be ignored, allowing symlink targets to point outside the destination directory, and the modification of some file metadata.\n\n\nYou are affected by this vulnerability if using the tarfile\u00a0module to extract untrusted tar archives using TarFile.extractall()\u00a0or TarFile.extract()\u00a0using the filter=\u00a0parameter with a value of \"data\"\u00a0or \"tar\". See the tarfile  extraction filters documentation https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter \u00a0for more information. Only Python versions 3.12 or later are affected by these vulnerabilities, earlier versions don't include the extraction filter feature.\n\nNote that for Python 3.14 or later the default value of filter=\u00a0changed from \"no filtering\" to `\"data\", so if you are relying on this new default behavior then your usage is also affected.\n\nNote that none of these vulnerabilities significantly affect the installation of source distributions which are tar archives as source distributions already allow arbitrary code execution during the build process. However when evaluating source distributions it's important to avoid installing source distributions with suspicious links.",
+  "details": "Allows the extraction filter to be ignored, allowing symlink targets to point outside the destination directory, and the modification of some file metadata.\n\n\nYou are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall() or TarFile.extract() using the filter= parameter with a value of \"data\" or \"tar\". See the tarfile  extraction filters documentation https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter  for more information. Only Python versions 3.12 or later are affected by these vulnerabilities, earlier versions don't include the extraction filter feature.\n\nNote that for Python 3.14 or later the default value of filter= changed from \"no filtering\" to `\"data\", so if you are relying on this new default behavior then your usage is also affected.\n\nNote that none of these vulnerabilities significantly affect the installation of source distributions which are tar archives as source distributions already allow arbitrary code execution during the build process. However when evaluating source distributions it's important to avoid installing source distributions with suspicious links.",
   "affected": [
     {
       "ranges": [
@@ -99,4 +99,4 @@
   "database_specific": {
     "cwe_ids": []
   }
-}
+}
diff --git a/advisories/python/PSF-2025-8.json b/advisories/python/PSF-2025-8.json
@@ -1,12 +1,12 @@
 {
+  "modified": "2025-06-03T20:53:26Z",
+  "published": "2025-06-03T12:59:06Z",
   "schema_version": "1.5.0",
-  "id": "PSF-0000-CVE-2025-4435",
+  "id": "PSF-2025-8",
   "aliases": [
     "CVE-2025-4435"
   ],
-  "published": "2025-06-03T12:59:06.792Z",
-  "modified": "2025-06-03T20:53:26.955Z",
-  "details": "When using a TarFile.errorlevel = 0\u00a0and extracting with a filter the documented behavior is that any filtered members would be skipped and not extracted. However the actual behavior of TarFile.errorlevel = 0\u00a0in affected versions is that the member would still be extracted and not skipped.",
+  "details": "When using a TarFile.errorlevel = 0 and extracting with a filter the documented behavior is that any filtered members would be skipped and not extracted. However the actual behavior of TarFile.errorlevel = 0 in affected versions is that the member would still be extracted and not skipped.",
   "affected": [
     {
       "ranges": [
@@ -95,4 +95,4 @@
   "database_specific": {
     "cwe_ids": []
   }
-}
+}
diff --git a/advisories/python/PSF-2025-9.json b/advisories/python/PSF-2025-9.json
@@ -1,12 +1,12 @@
 {
+  "modified": "2025-06-03T20:53:39Z",
+  "published": "2025-06-03T12:58:50Z",
   "schema_version": "1.5.0",
-  "id": "PSF-0000-CVE-2025-4517",
+  "id": "PSF-2025-9",
   "aliases": [
     "CVE-2025-4517"
   ],
-  "published": "2025-06-03T12:58:50.352Z",
-  "modified": "2025-06-03T20:53:39.367Z",
-  "details": "Allows arbitrary filesystem writes outside the extraction directory during extraction with filter=\"data\".\n\n\nYou are affected by this vulnerability if using the tarfile\u00a0module to extract untrusted tar archives using TarFile.extractall()\u00a0or TarFile.extract()\u00a0using the filter=\u00a0parameter with a value of \"data\"\u00a0or \"tar\". See the tarfile  extraction filters documentation https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter \u00a0for more information. Only Python versions 3.12 or later are affected by these vulnerabilities, earlier versions don't include the extraction filter feature.\n\nNote that for Python 3.14 or later the default value of filter=\u00a0changed from \"no filtering\" to `\"data\", so if you are relying on this new default behavior then your usage is also affected.\n\nNote that none of these vulnerabilities significantly affect the installation of source distributions which are tar archives as source distributions already allow arbitrary code execution during the build process. However when evaluating source distributions it's important to avoid installing source distributions with suspicious links.",
+  "details": "Allows arbitrary filesystem writes outside the extraction directory during extraction with filter=\"data\".\n\n\nYou are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall() or TarFile.extract() using the filter= parameter with a value of \"data\" or \"tar\". See the tarfile  extraction filters documentation https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter  for more information. Only Python versions 3.12 or later are affected by these vulnerabilities, earlier versions don't include the extraction filter feature.\n\nNote that for Python 3.14 or later the default value of filter= changed from \"no filtering\" to `\"data\", so if you are relying on this new default behavior then your usage is also affected.\n\nNote that none of these vulnerabilities significantly affect the installation of source distributions which are tar archives as source distributions already allow arbitrary code execution during the build process. However when evaluating source distributions it's important to avoid installing source distributions with suspicious links.",
   "affected": [
     {
       "ranges": [
@@ -99,4 +99,4 @@
   "database_specific": {
     "cwe_ids": []
   }
-}
+}

Original file line number	Diff line number	Diff line change
`@@ -1 +1 @@`
`1`		`-a1a222b327af5612997b49e482503ce60f9a7cde94f4fa5737d3881fa3ea71e1`
	`1`	`+6d73e534133379103eb0a0b74fe16670e5adbae38b9f429a61de6a4d8021cf05`