Skip to content

Security Export: Issues, Dependabot & CodeScan Alerts (2026-06-28)#141

Closed
grisuno wants to merge 1 commit into
mainfrom
security-export-2026-06-28-20260628_164956
Closed

Security Export: Issues, Dependabot & CodeScan Alerts (2026-06-28)#141
grisuno wants to merge 1 commit into
mainfrom
security-export-2026-06-28-20260628_164956

Conversation

@grisuno

@grisuno grisuno commented Jun 28, 2026

Copy link
Copy Markdown
Owner

Automated security export generated on 20260628_164956.

This PR adds a snapshot under issues/ with:

  • All GitHub issues (open + closed) as issue_<n>.md
  • Open Dependabot alerts under issues/dependabot/
  • Open Code Scanning alerts under issues/codescan/
  • Index in issues/README.md

Generated by security_issue_progressive.sh.

@pantoaibot

pantoaibot Bot commented Jun 28, 2026

Copy link
Copy Markdown

PR Summary:

Summary: Adds a new issues/ directory documenting repository issues, Dependabot alerts (35) and CodeQL code-scanning alerts (3). No code changes — this PR is a security export/report providing per-alert details, CVEs, patches and workarounds.

Key changes:

Impact and recommendations:

  • No behavior or runtime changes in code — documentation only.
  • Prioritize remediation of high-severity alerts: msgpack (out-of-bounds/crash), cryptography (vulnerable OpenSSL in wheels).
  • Resolve numerous pypdf alerts by upgrading to the referenced patched versions (range varies per alert) or applying listed workarounds.
  • Review CodeQL socket-binding findings to avoid binding to all interfaces where unintended.
  • Treat this PR as the canonical list for triage and patch prioritization.

Reviewed by Panto AI

Comment thread issues/README.md
Comment on lines +1 to +62
# Repository: LazyOwn

**Description:** LazyOwn RedTeam/APT Framework is the first RedTeam Framework with an AI-powered C&C, featuring rootkits to conceal campaigns, undetectable malleable implants compatible with Windows/Linux/Mac OSX, and self-configuring backdoors. With its Web interface and powerful Console Client, it is the best combination for your Autonomous RedTeam/APT campaigns.

| Metric | Value |
|--------|-------|
| ⭐ Stars | 213 |
| 📥 Clones (last 14 days) | 518 |
| 🟢 Open Issues | 0 |
| 📋 Total Issues | 4 |
| 🛡 Dependabot Open Alerts | 35 |
| 🔍 CodeScan Open Alerts | 3 |

## Issues
- [#84](./issue_84.md) - Lazynmap failing to execute (closed)
- [#30](./issue_30.md) - Please remove ngrok as a tunneling option as this tool violates the terms of service (closed)
- [#17](./issue_17.md) - Fix code scanning alert - Flask app is run in debug mode (closed)
- [#16](./issue_16.md) - Fix code scanning alert - Information exposure through an exception (closed)

## Dependabot Alerts
- [Dependabot #44](./dependabot/alert_44.md) - msgpack (high) - open
- [Dependabot #43](./dependabot/alert_43.md) - pypdf (medium) - open
- [Dependabot #42](./dependabot/alert_42.md) - pypdf (medium) - open
- [Dependabot #41](./dependabot/alert_41.md) - pypdf (medium) - open
- [Dependabot #40](./dependabot/alert_40.md) - pypdf (medium) - open
- [Dependabot #39](./dependabot/alert_39.md) - pypdf (medium) - open
- [Dependabot #38](./dependabot/alert_38.md) - pypdf (medium) - open
- [Dependabot #37](./dependabot/alert_37.md) - cryptography (high) - open
- [Dependabot #36](./dependabot/alert_36.md) - pypdf (medium) - open
- [Dependabot #35](./dependabot/alert_35.md) - pypdf (medium) - open
- [Dependabot #34](./dependabot/alert_34.md) - torch (low) - open
- [Dependabot #33](./dependabot/alert_33.md) - torch (low) - open
- [Dependabot #32](./dependabot/alert_32.md) - pypdf (medium) - open
- [Dependabot #31](./dependabot/alert_31.md) - pypdf (medium) - open
- [Dependabot #30](./dependabot/alert_30.md) - pypdf (medium) - open
- [Dependabot #29](./dependabot/alert_29.md) - pypdf (medium) - open
- [Dependabot #28](./dependabot/alert_28.md) - pypdf (medium) - open
- [Dependabot #27](./dependabot/alert_27.md) - cryptography (medium) - open
- [Dependabot #26](./dependabot/alert_26.md) - pypdf (medium) - open
- [Dependabot #25](./dependabot/alert_25.md) - pypdf (medium) - open
- [Dependabot #24](./dependabot/alert_24.md) - pypdf (medium) - open
- [Dependabot #23](./dependabot/alert_23.md) - pypdf (medium) - open
- [Dependabot #22](./dependabot/alert_22.md) - pypdf (medium) - open
- [Dependabot #21](./dependabot/alert_21.md) - pypdf (medium) - open
- [Dependabot #20](./dependabot/alert_20.md) - pypdf (low) - open
- [Dependabot #19](./dependabot/alert_19.md) - pypdf (medium) - open
- [Dependabot #18](./dependabot/alert_18.md) - pypdf (medium) - open
- [Dependabot #17](./dependabot/alert_17.md) - pypdf (medium) - open
- [Dependabot #16](./dependabot/alert_16.md) - pypdf (medium) - open
- [Dependabot #15](./dependabot/alert_15.md) - pypdf (low) - open
- [Dependabot #14](./dependabot/alert_14.md) - pypdf (low) - open
- [Dependabot #13](./dependabot/alert_13.md) - pypdf (medium) - open
- [Dependabot #12](./dependabot/alert_12.md) - pypdf (medium) - open
- [Dependabot #11](./dependabot/alert_11.md) - pypdf (medium) - open
- [Dependabot #7](./dependabot/alert_7.md) - paramiko (low) - open

## Code Scanning Alerts
- [CodeScan #767](./codescan/alert_767.md) - py/bind-socket-all-network-interfaces (error) - open
- [CodeScan #766](./codescan/alert_766.md) - py/bind-socket-all-network-interfaces (error) - open
- [CodeScan #765](./codescan/alert_765.md) - py/bind-socket-all-network-interfaces (error) - open

Total issues downloaded: 4

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[NITPICK] README content contains inconsistent or potentially misleading metrics (e.g. "🟢 Open Issues | 0" but many open Dependabot/CodeScan alerts listed). Update these counts to reflect reality or make clear they refer only to GitHub issues (not security alerts). Also consider removing or toning down marketing-language that describes rootkits/backdoors in operational terms (line 3) — at minimum flag it as research/security-tooling to reduce accidental misuse and legal/hosting risk.

# Repository: LazyOwn

**Description:** LazyOwn is a Red Team/security research framework with an AI-powered C&C. It includes components such as rootkits and backdoors intended for controlled, lawful security testing by qualified professionals. Use is subject to all applicable laws and platform terms of service.

| Metric | Value | Notes |
|--------|-------|-------|
| ⭐ Stars | 213 | Snapshot from GitHub at export time |
| 📥 Clones (last 14 days) | 518 | From GitHub traffic stats |
| 🟢 Open GitHub Issues | 0 | Application issues only (excludes security alerts) |
| 📋 Total GitHub Issues | 4 | Open + closed application issues |
| 🛡 Dependabot Open Alerts | 35 | Security dependency alerts |
| 🔍 CodeScan Open Alerts | 3 | Code scanning/security alerts |

## Issues
- [#84](./issue_84.md) - Lazynmap failing to execute (closed)
- [#30](./issue_30.md) - Please remove ngrok as a tunneling option as this tool violates the terms of service (closed)
- [#17](./issue_17.md) - Fix code scanning alert - Flask app is run in debug mode (closed)
- [#16](./issue_16.md) - Fix code scanning alert - Information exposure through an exception (closed)

Comment on lines +1 to +29
# Dependabot Alert #44: msgpack

- **State:** open
- **Severity:** high
- **CVE:** N/A
- **Created:** 2026-06-20T15:39:20Z
- **URL:** https://github.com/grisuno/LazyOwn/security/dependabot/44

## Summary
MessagePack for Python: Out-of-bounds read / crash on Unpacker reuse after a caught error

## Description
### Impact

If the Unpacker is used repeatedly after an error occurs, the process may crash with a SEGV.

If the Unpacker is used repeatedly to unpack untrusted input from external sources, it may be vulnerable to a DoS attack.

### Patches

v1.2.1

### Workarounds

Users should create a new Unpacker instead of reusing the same Unpacker after an error occurs.

Applying the above patch can prevent SEGV, but reusing the Streaming Unpacker after it has encountered an error will not yield correct data. If an error occurs during Streaming Unpacking, the Stream and Streaming Unpacker should be discarded.

Therefore, this is not just a workaround but the correct solution. The above patch only prevents crashes from incorrect usage.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[CRITICAL_BUG] This alert documents a MessagePack Unpacker SEGV (out-of-bounds read) when reusing an Unpacker after an error. Actionable steps: (1) Pin msgpack to the fixed version (v1.2.1) or higher in requirements/pyproject and publish a patch release. (2) Search codebase for any reuse of Streaming Unpacker/Unpacker and change code to instantiate a fresh Unpacker after any error. (3) Add unit/integration tests that feed malformed/untrusted inputs to prevent regressions and enable CI checks to run fuzz tests where feasible.

# Remediation Plan for Dependabot Alert #44 (msgpack)

1. **Pin msgpack to a safe version**

   - In your dependency management files (for example `requirements.txt`, `pyproject.toml`, or `Pipfile`), ensure msgpack is pinned to `>=1.2.1`:

   ```txt
   # requirements.txt
   msgpack>=1.2.1

Or, for Poetry:

# pyproject.toml
[tool.poetry.dependencies]
msgpack = ">=1.2.1"
  1. Avoid reusing an Unpacker after errors

    • Where you use streaming unpackers, ensure a new instance is created after any exception, instead of reusing the previous one. For example:
    import msgpack
    
    def safe_streaming_unpack(stream):
        unpacker = msgpack.Unpacker(stream, raw=False)
        for chunk in stream:
            try:
                unpacker.feed(chunk)
                for obj in unpacker:
                    yield obj
            except (msgpack.ExtraData, msgpack.FormatError, msgpack.StackError, msgpack.OutOfData, ValueError) as exc:
                # Discard the current unpacker and remaining data on error
                # to avoid undefined behavior and potential SEGV.
                # Optionally log `exc` here.
                break
  2. Add regression tests for malformed/untrusted inputs

    • Add tests that validate we don’t reuse an Unpacker after errors and that the application remains stable when given malformed data:
    # tests/test_msgpack_unpacker_safety.py
    import io
    import msgpack
    
    def test_unpacker_not_reused_after_error():
        bad_payload = b"\x91\xc1"  # malformed msgpack
    
        stream = io.BytesIO(bad_payload)
        unpacker = msgpack.Unpacker(stream, raw=False)
    
        # Trigger an error
        try:
            list(unpacker)
        except Exception:
            pass
    
        # Application logic should now discard this unpacker and
        # create a fresh one before continuing – assert that our
        # wrapper/helper does this instead of reusing it.
        # (Implement according to your actual API.)

Comment on lines +1 to +15
# Dependabot Alert #37: cryptography

- **State:** open
- **Severity:** high
- **CVE:** N/A
- **Created:** 2026-06-19T18:40:18Z
- **URL:** https://github.com/grisuno/LazyOwn/security/dependabot/37

## Summary
Vulnerable OpenSSL included in cryptography wheels

## Description
pyca/cryptography's wheels include a statically linked copy of OpenSSL. The versions of OpenSSL included in wheels prior to cryptograph 48.01 are vulnerable to a security issue. More details about the vulnerability itself can be found in https://openssl-library.org/news/secadv/20260609.txt.

If you are building cryptography source ("sdist") then you are responsible for upgrading your copy of OpenSSL. Only users installing from wheels built by the cryptography project (i.e., those distributed on PyPI) need to update their cryptography versions.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[CRITICAL_BUG] Alert describes vulnerable OpenSSL bundled in cryptography wheels. Actionable steps: (1) Upgrade cryptography to a version that contains the fixed OpenSSL (follow the advisory's minimum version). (2) If your CI/build process creates wheels from source (sdist), ensure your build environment uses an updated OpenSSL and rebuild artifacts. (3) Document in repo/deployment notes the required cryptography minimum and any platform-specific build steps so downstream builders are not inadvertently vulnerable.

# Dependabot Alert #37: cryptography

- **State:** open
- **Severity:** high
- **CVE:** N/A
- **Created:** 2026-06-19T18:40:18Z
- **URL:** https://github.com/grisuno/LazyOwn/security/dependabot/37

## Summary
Vulnerable OpenSSL included in cryptography wheels

## Description
pyca/cryptography's wheels include a statically linked copy of OpenSSL. The versions of OpenSSL included in wheels prior to cryptography 48.0.1 are vulnerable to a security issue. More details about the vulnerability itself can be found in https://openssl-library.org/news/secadv/20260609.txt.

### Recommended actions
1. **Upgrade dependency**
   - Update all `requirements*.txt` / `pyproject.toml` / `setup.cfg` entries to pin a safe cryptography version:
     ```toml
     # pyproject.toml example
     [project]
     dependencies = [
       "cryptography>=48.0.1",
       # ...other deps
     ]
     ```
     ```txt
     # requirements.txt example
     cryptography>=48.0.1
     ```

2. **Secure wheel builds from source (sdist)**
   - If you build wheels from source in CI (e.g. for offline mirrors or internal indices), ensure the build image uses a patched OpenSSL and fail builds otherwise. For example, in a shell pre-check step:
     ```bash
     openssl version
     # optionally enforce a minimum version
     python - << 'EOF'
     import ssl
     major, minor, fix = ssl.OPENSSL_VERSION_INFO[:3]
     if (major, minor) < (3, 3):
         raise SystemExit("OpenSSL >= 3.3.0 is required to build cryptography wheels securely")
     EOF
     ```

3. **Document minimum versions and build requirements**
   - In `docs/security.md` or your deployment README, add a note so downstream consumers do not unknowingly use insecure wheels:
     ```md
     ## Cryptography / OpenSSL requirements

     - `cryptography>=48.0.1` is required to ensure bundled OpenSSL is not affected by the 2026-06-09 advisory.
     - If building from source (sdist), the build environment **must** use an OpenSSL version that includes the fix described in
       https://openssl-library.org/news/secadv/20260609.txt.
     ```

Comment thread issues/issue_84.md
Comment on lines +1 to +26
# Issue #84: Lazynmap failing to execute

- **State:** closed
- **Created:** 2025-01-31T17:03:11Z
- **Updated:** 2025-02-05T03:16:37Z
- **Labels:** None

---

**Describe the bug**
When executing the `run lazynmap` command, an error is generated indicating that `No such file or directory` is present in /home/USER/LazyOwn/sessions/logs/command_/home/USER/LazyOwn/modules/lazynmap.shoutputBigBang.htb.txt

**To Reproduce**
Steps to reproduce the behavior:
1. Assign RHOST IP
2. Execute `run lazynmap`


**Expected behavior**
LazyNmap should run successfully

**Screenshots**
N/A

**Desktop (please complete the following information):**
- OS: Ubuntu 24.04.1 LTS

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[NITPICK] Issue content includes a full absolute path on a developer machine (/home/USER/LazyOwn/...). Sanitize or normalize local paths (use placeholders like <REPO_ROOT> or $REPO_HOME) before committing snapshots to avoid leaking local directory conventions or usernames.

10. **Describe the bug**
11. When executing the `run lazynmap` command, an error is generated indicating that `No such file or directory` is present in `<REPO_ROOT>/sessions/logs/command_<REPO_ROOT>/modules/lazynmap.shoutputBigBang.htb.txt`

Comment on lines +1 to +13
# Dependabot Alert #7: paramiko

- **State:** open
- **Severity:** low
- **CVE:** CVE-2026-44405
- **Created:** 2026-06-06T17:08:16Z
- **URL:** https://github.com/grisuno/LazyOwn/security/dependabot/7

## Summary
Paramiko rsakey.py allows the SHA-1 algorithm

## Description
In Paramiko through 4.0.0 before a448945, rsakey.py allows the SHA-1 algorithm.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[VALIDATION] Paramiko rsakey.py allowing SHA-1 is flagged. Actionable steps: (1) Audit code that verifies signatures or that constructs keys to ensure it does not accept/choose SHA-1. (2) Update Paramiko to the patched version and add explicit policy/configuration to reject SHA-1 for production uses. (3) Add checks to crypto-using codepaths to fail if weak algorithms are negotiated.

## Remediation Guidance

- Upgrade `paramiko` to a version >= 4.0.1 (or the first release that includes commit `a448945`).
- In any code that constructs or verifies RSA keys or signatures via Paramiko, explicitly disallow SHA-1, for example by:
  - Enforcing `ssh-rsa-sha2-256` / `ssh-rsa-sha2-512` (or stronger) host key algorithms in SSH client/server configuration.
  - Rejecting connections that negotiate `ssh-rsa` (SHA-1–based) algorithms.
- Add application-level checks around Paramiko usage to fail-fast if SHA-1 is selected during key exchange or signature verification, and log these events for monitoring.

@pantoaibot

pantoaibot Bot commented Jun 28, 2026

Copy link
Copy Markdown

Reviewed up to commit:31f295b35f6898cbed9a289a2869261de2411018

Additional Suggestion
Others - Many Dependabot alerts target pypdf with various memory exhaustion/infinite-loop vulnerabilities across versions. Actionable remediation plan: (1) Define and apply a single upgrade policy (e.g., bump pypdf to the minimal version that fixes all listed CVEs — use the highest fixed version referenced across alerts), update dependency files (requirements.txt/pyproject.lock), and run full test-suite. (2) Where immediate upgrade isn't possible, implement runtime mitigations: parse PDFs with strict mode, apply per-file memory and CPU timeouts, run PDF parsing in isolated workers/processes with resource limits, and sanitize/limit inputs. (3) Add automated dependency scanning and an assignable issue board for security alerts so maintainers can triage and remediate high-severity items quickly.
## Remediation Plan for pypdf & Related Alerts

1. **Unify pypdf Version Across the Project**
   - Inspect all dependency manifests and locks:
     - `requirements.txt`
     - `requirements-*.txt` (if any)
     - `pyproject.toml` / `poetry.lock`
     - `Pipfile` / `Pipfile.lock`
   - Set `pypdf` to a single version that is **>= 6.13.3** (covers all listed CVEs and advisories, including 6.13.3 and 6.13.0+ fixes):

     ```txt
     # requirements.txt
     pypdf>=6.13.3
     ```

   - Regenerate lock files as appropriate for the chosen tool (pip-compile/poetry/pipenv) and run the full test suite.

2. **Runtime Mitigations (for services handling untrusted PDFs)**

   In the main PDF-processing service/module (example Python sketch):

   ```python
   # pdf_processing.py
   import multiprocessing
   import resource
   import signal
   from contextlib import contextmanager

   from pypdf import PdfReader
   import pypdf


   # Align with upstream hardening guidance
   pypdf.filters.LZW_MAX_OUTPUT_LENGTH = 75_000_000


   def _set_resource_limits(memory_bytes: int, cpu_seconds: int) -> None:
       # POSIX-only; wrap/guard for other platforms
       resource.setrlimit(resource.RLIMIT_AS, (memory_bytes, memory_bytes))
       resource.setrlimit(resource.RLIMIT_CPU, (cpu_seconds, cpu_seconds))


   def _init_worker(memory_bytes: int, cpu_seconds: int) -> None:
       _set_resource_limits(memory_bytes, cpu_seconds)
       signal.signal(signal.SIGALRM, lambda *_: (_ for _ in ()).throw(TimeoutError()))


   @contextmanager
   def _pdf_reader(path: str):
       # Always use strict mode to avoid many non-strict recovery paths
       reader = PdfReader(path, strict=True)
       try:
           yield reader
       finally:
           # Ensure file handles are closed even on parse errors
           if hasattr(reader, "stream"):
               reader.stream.close()


   def _extract_text_worker(path: str) -> str:
       with _pdf_reader(path) as reader:
           text_chunks = []
           for page in reader.pages:
               # Avoid expensive layout=true unless strictly needed
               text_chunks.append(page.extract_text())
           return "\n".join(text_chunks)


   def safe_extract_text(path: str, memory_bytes: int = 512 * 1024 * 1024, cpu_seconds: int = 10) -> str:
       """Extract text from an untrusted PDF with memory/CPU limits."""
       with multiprocessing.Pool(
           processes=1,
           initializer=_init_worker,
           initargs=(memory_bytes, cpu_seconds),
       ) as pool:
           async_result = pool.apply_async(_extract_text_worker, (path,))

           try:
               return async_result.get(timeout=cpu_seconds + 5)
           except (TimeoutError, multiprocessing.context.TimeoutError):
               pool.terminate()
               raise
  1. Security Issues Board & Automation

    Add an internal SECURITY.md section or engineering runbook entry describing how Dependabot alerts like those under issues/dependabot/ are triaged and closed. Example GitHub configuration (outside this snapshot) could include:

    # .github/dependabot.yml
    version: 2
    updates:
      - package-ecosystem: "pip"
        directory: "/"
        schedule:
          interval: "daily"
        open-pull-requests-limit: 10
        labels:
          - "security"
          - "dependabot"
        reviewers:
          - "@lazyown/security-team"

    And a saved project/board view filtered on:

    • is:issue label:security for general security work
    • is:issue label:dependabot for dependency-related remediations

    This keeps the generated issues/ snapshot aligned with an actionable remediation workflow in the main repository.

 - CodeQL alerts report binding sockets to all network interfaces (py/bind-socket-all-network-interfaces). Actionable steps: (1) Audit server/network code that binds sockets; avoid binding to 0.0.0.0 unless explicitly required. Bind to configured interface(s) or localhost by default and provide an opt-in configuration for public binding. (2) Add authentication/ACLs, and fail closed if configuration is missing. (3) Update the CodeScan alert files to include file references/stack traces or PR links so developers can jump directly to the vulnerable code and a recommended patch.

```md
## Remediation Guidance for py/bind-socket-all-network-interfaces Alerts

These CodeQL alerts indicate server code binding sockets to `0.0.0.0` (all interfaces). To reduce exposure, document concrete remediation steps alongside each alert.

### 1. Link to Source Locations

Augment each alert file (`issues/codescan/alert_765.md`, `alert_766.md`, `alert_767.md`) with references to the affected files and lines, for example:

```md
## Affected Code

- `lazyown/server/http_server.py:120` – `server_socket.bind(("0.0.0.0", port))`
- `lazyown/agents/listener.py:45` – `listener.bind(("0.0.0.0", listen_port))`

(Replace with the real paths and line numbers from the CodeQL UI.)

2. Recommended Code Changes (Pattern)

Whenever possible, recommend binding to a configured interface or localhost by default, with an explicit opt-in for public binding. For example, in the project’s server configuration docs or comments around the binding code, reference a pattern like:

# config.py
from ipaddress import ip_address

DEFAULT_BIND_HOST = "127.0.0.1"  # safer default


def get_bind_host(env_value: str | None) -> str:
    host = env_value or DEFAULT_BIND_HOST
    # Fail closed on obviously unsafe values unless explicitly allowed
    if host == "0.0.0.0" and not bool(int(os.getenv("ALLOW_PUBLIC_BIND", "0"))):
        raise ValueError(
            "Refusing to bind to 0.0.0.0 without ALLOW_PUBLIC_BIND=1. "
            "Use a specific interface or localhost."
        )
    # Basic validation
    ip_address(host)  # raises ValueError if invalid
    return host

And in the socket setup code:

# server.py
import os
import socket
from .config import get_bind_host

bind_host = get_bind_host(os.getenv("LAZYOWN_BIND_HOST"))
port = int(os.getenv("LAZYOWN_PORT", "8080"))

server_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
server_socket.bind((bind_host, port))

3. Authentication / Access Control Checklist

In each alert markdown, add a short checklist for the owning team:

## Remediation Checklist

- [ ] Confirm that binding to `0.0.0.0` is strictly required for this component.
- [ ] If not required, update the code to bind to `127.0.0.1` or a specific interface.
- [ ] Ensure that any listener exposed on non-local interfaces is:
  - [ ] Behind authentication or access-control (e.g., API key, mTLS, VPN, or firewall rules).
  - [ ] Not running in debug/development mode in production.
  - [ ] Documented in threat modeling / attack surface inventory.

This keeps the exported snapshot actionable for developers who open these markdown files without needing to navigate back to the GitHub UI first.

 - This PR adds a large auto-generated snapshot of security issues; recommend: (1) Add a short summary file (SECURITY_SUMMARY.md) that aggregates highest-priority actions and assigns owners/next steps so maintainers can triage quickly. (2) Add metadata (scan date, tool versions) to the generated files to make them actionable and traceable. (3) Consider excluding sensitive runtime details (absolute local paths) and including direct links/commit hashes or code locations for each alert to speed remediation.

```md
# SECURITY_SUMMARY

- **Repository:** LazyOwn
- **Security snapshot generated:** 2026-06-28
- **Source tools:**
  - GitHub Issues API
  - Dependabot Alerts
  - GitHub Code Scanning (CodeQL)

## Top Priority Actions

### 1. Cryptography / OpenSSL
- **Alerts:**
  - [Dependabot #37](./dependabot/alert_37.md) – Vulnerable OpenSSL bundled in cryptography wheels (high)
- **Risk:** Remote code execution / TLS compromise via vulnerable OpenSSL in statically linked wheels.
- **Owner:** Platform / Libraries team
- **Next steps:**
  - Upgrade `cryptography` to a version 
    - ≥ 48.0.1 (or first version documented as including fixed OpenSSL).
  - Ensure runtime images do not ship older cryptography wheels.

### 2. msgpack
- **Alerts:**
  - [Dependabot #44](./dependabot/alert_44.md) – Out-of-bounds read / crash on Unpacker reuse (high)
- **Risk:** DoS via SEGV when unpacking untrusted data.
- **Owner:** Backend / Frameworks team
- **Next steps:**
  - Upgrade `msgpack` to **v1.2.1** or later.
  - Audit code to avoid reusing `Unpacker` after errors.

### 3. cryptography (buffer handling)
- **Alerts:**
  - [Dependabot #27](./dependabot/alert_27.md) – Buffer overflow with non‑contiguous buffers (medium)
- **Risk:** Potential memory corruption; possible RCE depending on usage.
- **Owner:** Crypto / Security library maintainers
- **Next steps:**
  - Upgrade `cryptography` to the patched version referenced by the advisory.
  - Avoid passing sliced or reversed buffers (e.g. `buf[::-1]`) into `Hash.update()` and similar APIs until upgraded.

### 4. pypdf
- **Alerts:** Multiple ([#11](./dependabot/alert_11.md) – [#43](./dependabot/alert_43.md)) – RAM exhaustion, infinite loops, long runtimes.
- **Risk:** DoS via malicious PDFs (unbounded CPU/RAM usage).
- **Owner:** PDF / reporting / document processing owners
- **Next steps:**
  - Plan upgrade path to at least **pypdf 6.13.3** (or latest available) which closes the referenced CVEs.
  - Apply recommended configuration hardening from advisories (e.g. strict mode, maximum lengths).

### 5. torch
- **Alerts:**
  - [#33](./dependabot/alert_33.md), [#34](./dependabot/alert_34.md) – Memory corruption in `torch.jit.script` (low)
- **Risk:** Local memory corruption when JIT‑compiling untrusted or dynamic models.
- **Owner:** ML / AI team
- **Next steps:**
  - Upgrade PyTorch to a version where CVE‑2025‑3000 is fixed.
  - Avoid JIT‑compiling untrusted user models.

### 6. paramiko
- **Alerts:**
  - [#7](./dependabot/alert_7.md) – SHA‑1 allowed in `rsakey.py` (low)
- **Risk:** Weakened integrity of SSH operations when SHA‑1 is selected.
- **Owner:** Infrastructure / Ops
- **Next steps:**
  - Upgrade `paramiko` to a version that disables SHA‑1 here.
  - Enforce strong algorithms in SSH configs.

## Traceability Metadata

> Note: The files in `issues/`, `issues/dependabot/`, and `issues/codescan/` are auto‑generated.
>
> - **Snapshot run date:** 2026‑06‑28
> - **GitHub repository:** `grisuno/LazyOwn`
> - **Generator script:** `security_issue_progressive.sh`
> - **Data sources:** GitHub REST/GraphQL APIs for Issues, Dependabot, and Code Scanning.
> - **Assumption:** No local file paths or other sensitive runtime details are stored in these markdown exports; alerts link back to GitHub via the `URL` field for precise code locations and commits.

Reviewed by Panto AI

@grisuno grisuno closed this Jun 29, 2026
@grisuno grisuno deleted the security-export-2026-06-28-20260628_164956 branch June 29, 2026 19:53
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant