Security Export: Issues, Dependabot & CodeScan Alerts (2026-06-28)#141
grisuno wants to merge 1 commit into
PR Summary: Summary: Adds a new issues/ directory documenting repository issues, Dependabot alerts (35) and CodeQL code-scanning alerts (3). No code changes — this PR is a security export/report providing per-alert details, CVEs, patches and workarounds. Key changes:
Impact and recommendations:
| # Repository: LazyOwn | ||
|
|
||
| **Description:** LazyOwn RedTeam/APT Framework is the first RedTeam Framework with an AI-powered C&C, featuring rootkits to conceal campaigns, undetectable malleable implants compatible with Windows/Linux/Mac OSX, and self-configuring backdoors. With its Web interface and powerful Console Client, it is the best combination for your Autonomous RedTeam/APT campaigns. | ||
|
|
||
| | Metric | Value | | ||
| |--------|-------| | ||
| | ⭐ Stars | 213 | | ||
| | 📥 Clones (last 14 days) | 518 | | ||
| | 🟢 Open Issues | 0 | | ||
| | 📋 Total Issues | 4 | | ||
| | 🛡 Dependabot Open Alerts | 35 | | ||
| | 🔍 CodeScan Open Alerts | 3 | | ||
|
|
||
| ## Issues | ||
| - [#84](./issue_84.md) - Lazynmap failing to execute (closed) | ||
| - [#30](./issue_30.md) - Please remove ngrok as a tunneling option as this tool violates the terms of service (closed) | ||
| - [#17](./issue_17.md) - Fix code scanning alert - Flask app is run in debug mode (closed) | ||
| - [#16](./issue_16.md) - Fix code scanning alert - Information exposure through an exception (closed) | ||
|
|
||
| ## Dependabot Alerts | ||
| - [Dependabot #44](./dependabot/alert_44.md) - msgpack (high) - open | ||
| - [Dependabot #43](./dependabot/alert_43.md) - pypdf (medium) - open | ||
| - [Dependabot #42](./dependabot/alert_42.md) - pypdf (medium) - open | ||
| - [Dependabot #41](./dependabot/alert_41.md) - pypdf (medium) - open | ||
| - [Dependabot #40](./dependabot/alert_40.md) - pypdf (medium) - open | ||
| - [Dependabot #39](./dependabot/alert_39.md) - pypdf (medium) - open | ||
| - [Dependabot #38](./dependabot/alert_38.md) - pypdf (medium) - open | ||
| - [Dependabot #37](./dependabot/alert_37.md) - cryptography (high) - open | ||
| - [Dependabot #36](./dependabot/alert_36.md) - pypdf (medium) - open | ||
| - [Dependabot #35](./dependabot/alert_35.md) - pypdf (medium) - open | ||
| - [Dependabot #34](./dependabot/alert_34.md) - torch (low) - open | ||
| - [Dependabot #33](./dependabot/alert_33.md) - torch (low) - open | ||
| - [Dependabot #32](./dependabot/alert_32.md) - pypdf (medium) - open | ||
| - [Dependabot #31](./dependabot/alert_31.md) - pypdf (medium) - open | ||
| - [Dependabot #30](./dependabot/alert_30.md) - pypdf (medium) - open | ||
| - [Dependabot #29](./dependabot/alert_29.md) - pypdf (medium) - open | ||
| - [Dependabot #28](./dependabot/alert_28.md) - pypdf (medium) - open | ||
| - [Dependabot #27](./dependabot/alert_27.md) - cryptography (medium) - open | ||
| - [Dependabot #26](./dependabot/alert_26.md) - pypdf (medium) - open | ||
| - [Dependabot #25](./dependabot/alert_25.md) - pypdf (medium) - open | ||
| - [Dependabot #24](./dependabot/alert_24.md) - pypdf (medium) - open | ||
| - [Dependabot #23](./dependabot/alert_23.md) - pypdf (medium) - open | ||
| - [Dependabot #22](./dependabot/alert_22.md) - pypdf (medium) - open | ||
| - [Dependabot #21](./dependabot/alert_21.md) - pypdf (medium) - open | ||
| - [Dependabot #20](./dependabot/alert_20.md) - pypdf (low) - open | ||
| - [Dependabot #19](./dependabot/alert_19.md) - pypdf (medium) - open | ||
| - [Dependabot #18](./dependabot/alert_18.md) - pypdf (medium) - open | ||
| - [Dependabot #17](./dependabot/alert_17.md) - pypdf (medium) - open | ||
| - [Dependabot #16](./dependabot/alert_16.md) - pypdf (medium) - open | ||
| - [Dependabot #15](./dependabot/alert_15.md) - pypdf (low) - open | ||
| - [Dependabot #14](./dependabot/alert_14.md) - pypdf (low) - open | ||
| - [Dependabot #13](./dependabot/alert_13.md) - pypdf (medium) - open | ||
| - [Dependabot #12](./dependabot/alert_12.md) - pypdf (medium) - open | ||
| - [Dependabot #11](./dependabot/alert_11.md) - pypdf (medium) - open | ||
| - [Dependabot #7](./dependabot/alert_7.md) - paramiko (low) - open | ||
|
|
||
| ## Code Scanning Alerts | ||
| - [CodeScan #767](./codescan/alert_767.md) - py/bind-socket-all-network-interfaces (error) - open | ||
| - [CodeScan #766](./codescan/alert_766.md) - py/bind-socket-all-network-interfaces (error) - open | ||
| - [CodeScan #765](./codescan/alert_765.md) - py/bind-socket-all-network-interfaces (error) - open | ||
|
|
||
| Total issues downloaded: 4 |
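Review bot: The Dependabot list carries only package and severity per row, so the 29 pypdf rows are indistinguishable from one another and give no basis for prioritising. Add the advisory summary and first patched version to each row, or group the rows by package, and add the affected file path to the three `py/bind-socket-all-network-interfaces` rows, which have the same problem.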
[NITPICK] README content contains inconsistent or potentially misleading metrics (e.g. "🟢 Open Issues | 0" but many open Dependabot/CodeScan alerts listed). Update these counts to reflect reality or make clear they refer only to GitHub issues (not security alerts). Also consider removing or toning down marketing-language that describes rootkits/backdoors in operational terms (line 3) — at minimum flag it as research/security-tooling to reduce accidental misuse and legal/hosting risk.
# Repository: LazyOwn
**Description:** LazyOwn is a Red Team/security research framework with an AI-powered C&C. It includes components such as rootkits and backdoors intended for controlled, lawful security testing by qualified professionals. Use is subject to all applicable laws and platform terms of service.
| Metric | Value | Notes |
|--------|-------|-------|
| ⭐ Stars | 213 | Snapshot from GitHub at export time |
| 📥 Clones (last 14 days) | 518 | From GitHub traffic stats |
| 🟢 Open GitHub Issues | 0 | Application issues only (excludes security alerts) |
| 📋 Total GitHub Issues | 4 | Open + closed application issues |
| 🛡 Dependabot Open Alerts | 35 | Security dependency alerts |
| 🔍 CodeScan Open Alerts | 3 | Code scanning/security alerts |
## Issues
- [#84](./issue_84.md) - Lazynmap failing to execute (closed)
- [#30](./issue_30.md) - Please remove ngrok as a tunneling option as this tool violates the terms of service (closed)
- [#17](./issue_17.md) - Fix code scanning alert - Flask app is run in debug mode (closed)
- [#16](./issue_16.md) - Fix code scanning alert - Information exposure through an exception (closed)
| # Dependabot Alert #44: msgpack | ||
|
|
||
| - **State:** open | ||
| - **Severity:** high | ||
| - **CVE:** N/A | ||
| - **Created:** 2026-06-20T15:39:20Z | ||
| - **URL:** https://github.com/grisuno/LazyOwn/security/dependabot/44 | ||
|
|
||
| ## Summary | ||
| MessagePack for Python: Out-of-bounds read / crash on Unpacker reuse after a caught error | ||
|
|
||
| ## Description | ||
| ### Impact | ||
|
|
||
| If the Unpacker is used repeatedly after an error occurs, the process may crash with a SEGV. | ||
|
|
||
| If the Unpacker is used repeatedly to unpack untrusted input from external sources, it may be vulnerable to a DoS attack. | ||
|
|
||
| ### Patches | ||
|
|
||
| v1.2.1 | ||
|
|
||
| ### Workarounds | ||
|
|
||
| Users should create a new Unpacker instead of reusing the same Unpacker after an error occurs. | ||
|
|
||
| Applying the above patch can prevent SEGV, but reusing the Streaming Unpacker after it has encountered an error will not yield correct data. If an error occurs during Streaming Unpacking, the Stream and Streaming Unpacker should be discarded. | ||
|
|
||
| Therefore, this is not just a workaround but the correct solution. The above patch only prevents crashes from incorrect usage. |
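Review bot: The metadata list records `**CVE:** N/A` and otherwise only the repository's Dependabot URL, so a reader without access to that page has no stable identifier for the advisory. Add the advisory ID and the affected version range next to the `v1.2.1` under Patches, and name the manifest file that declares msgpack, so the exported file can be acted on without the GitHub UI.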
[CRITICAL_BUG] This alert documents a MessagePack Unpacker SEGV (out-of-bounds read) when reusing an Unpacker after an error. Actionable steps: (1) Pin msgpack to the fixed version (v1.2.1) or higher in requirements/pyproject and publish a patch release. (2) Search codebase for any reuse of Streaming Unpacker/Unpacker and change code to instantiate a fresh Unpacker after any error. (3) Add unit/integration tests that feed malformed/untrusted inputs to prevent regressions and enable CI checks to run fuzz tests where feasible.
# Remediation Plan for Dependabot Alert #44 (msgpack)
1. **Pin msgpack to a safe version**
- In your dependency management files (for example `requirements.txt`, `pyproject.toml`, or `Pipfile`), ensure msgpack is pinned to `>=1.2.1`:
```txt
# requirements.txt
msgpack>=1.2.1
```
Or, for Poetry:
```toml
# pyproject.toml
[tool.poetry.dependencies]
msgpack = ">=1.2.1"
```
2. **Avoid reusing an Unpacker after errors**
- Where you use streaming unpackers, ensure a new instance is created after any exception, instead of reusing the previous one. For example:
```python
import msgpack


def safe_streaming_unpack(stream):
    # Feed-mode Unpacker: feed() cannot be combined with a file-like object
    # passed to the constructor, so the chunks are fed explicitly instead.
    unpacker = msgpack.Unpacker(raw=False)
    for chunk in stream:
        try:
            unpacker.feed(chunk)
            for obj in unpacker:
                yield obj
        except (msgpack.ExtraData, msgpack.FormatError, msgpack.StackError,
                msgpack.OutOfData, ValueError) as exc:
            # Discard the current unpacker and remaining data on error
            # to avoid undefined behavior and potential SEGV.
            # Optionally log `exc` here.
            break
```
3. **Add regression tests for malformed/untrusted inputs**
- Add tests that validate we don’t reuse an `Unpacker` after errors and that the application remains stable when given malformed data:
```python
# tests/test_msgpack_unpacker_safety.py
import io

import msgpack


def test_unpacker_not_reused_after_error():
    bad_payload = b"\x91\xc1"  # malformed msgpack
    stream = io.BytesIO(bad_payload)
    unpacker = msgpack.Unpacker(stream, raw=False)
    # Trigger an error
    try:
        list(unpacker)
    except Exception:
        pass
    # Application logic should now discard this unpacker and
    # create a fresh one before continuing – assert that our
    # wrapper/helper does this instead of reusing it.
    # (Implement according to your actual API.)
```
| # Dependabot Alert #37: cryptography | ||
|
|
||
| - **State:** open | ||
| - **Severity:** high | ||
| - **CVE:** N/A | ||
| - **Created:** 2026-06-19T18:40:18Z | ||
| - **URL:** https://github.com/grisuno/LazyOwn/security/dependabot/37 | ||
|
|
||
| ## Summary | ||
| Vulnerable OpenSSL included in cryptography wheels | ||
|
|
||
| ## Description | ||
| pyca/cryptography's wheels include a statically linked copy of OpenSSL. The versions of OpenSSL included in wheels prior to cryptograph 48.01 are vulnerable to a security issue. More details about the vulnerability itself can be found in https://openssl-library.org/news/secadv/20260609.txt. | ||
|
|
||
| If you are building cryptography source ("sdist") then you are responsible for upgrading your copy of OpenSSL. Only users installing from wheels built by the cryptography project (i.e., those distributed on PyPI) need to update their cryptography versions. |
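Review bot: In the Description, the fixed release is written as `cryptograph 48.01`, which is neither the package name nor a version string that can be pasted into a pin. Check the value against the upstream advisory and correct it in the exported file; this file also has no Patches section, so the fixed version appears only inside that sentence.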
[CRITICAL_BUG] Alert describes vulnerable OpenSSL bundled in cryptography wheels. Actionable steps: (1) Upgrade cryptography to a version that contains the fixed OpenSSL (follow the advisory's minimum version). (2) If your CI/build process creates wheels from source (sdist), ensure your build environment uses an updated OpenSSL and rebuild artifacts. (3) Document in repo/deployment notes the required cryptography minimum and any platform-specific build steps so downstream builders are not inadvertently vulnerable.
# Dependabot Alert #37: cryptography
- **State:** open
- **Severity:** high
- **CVE:** N/A
- **Created:** 2026-06-19T18:40:18Z
- **URL:** https://github.com/grisuno/LazyOwn/security/dependabot/37
## Summary
Vulnerable OpenSSL included in cryptography wheels
## Description
pyca/cryptography's wheels include a statically linked copy of OpenSSL. The versions of OpenSSL included in wheels prior to cryptography 48.0.1 are vulnerable to a security issue. More details about the vulnerability itself can be found in https://openssl-library.org/news/secadv/20260609.txt.
### Recommended actions
1. **Upgrade dependency**
- Update all `requirements*.txt` / `pyproject.toml` / `setup.cfg` entries to pin a safe cryptography version:
```toml
# pyproject.toml example
[project]
dependencies = [
"cryptography>=48.0.1",
# ...other deps
]
```
```txt
# requirements.txt example
cryptography>=48.0.1
```
2. **Secure wheel builds from source (sdist)**
- If you build wheels from source in CI (e.g. for offline mirrors or internal indices), ensure the build image uses a patched OpenSSL and fail builds otherwise. For example, in a shell pre-check step:
```bash
openssl version
# optionally enforce a minimum version
python - << 'EOF'
import ssl
major, minor, fix = ssl.OPENSSL_VERSION_INFO[:3]
if (major, minor) < (3, 3):
    raise SystemExit("OpenSSL >= 3.3.0 is required to build cryptography wheels securely")
EOF
```
3. **Document minimum versions and build requirements**
- In `docs/security.md` or your deployment README, add a note so downstream consumers do not unknowingly use insecure wheels:
```md
## Cryptography / OpenSSL requirements
- `cryptography>=48.0.1` is required to ensure bundled OpenSSL is not affected by the 2026-06-09 advisory.
- If building from source (sdist), the build environment **must** use an OpenSSL version that includes the fix described in
https://openssl-library.org/news/secadv/20260609.txt.
```
| # Issue #84: Lazynmap failing to execute | ||
|
|
||
| - **State:** closed | ||
| - **Created:** 2025-01-31T17:03:11Z | ||
| - **Updated:** 2025-02-05T03:16:37Z | ||
| - **Labels:** None | ||
|
|
||
| --- | ||
|
|
||
| **Describe the bug** | ||
| When executing the `run lazynmap` command, an error is generated indicating that `No such file or directory` is present in /home/USER/LazyOwn/sessions/logs/command_/home/USER/LazyOwn/modules/lazynmap.shoutputBigBang.htb.txt | ||
|
|
||
| **To Reproduce** | ||
| Steps to reproduce the behavior: | ||
| 1. Assign RHOST IP | ||
| 2. Execute `run lazynmap` | ||
|
|
||
|
|
||
| **Expected behavior** | ||
| LazyNmap should run successfully | ||
|
|
||
| **Screenshots** | ||
| N/A | ||
|
|
||
| **Desktop (please complete the following information):** | ||
| - OS: Ubuntu 24.04.1 LTS |
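Review bot: The metadata list at the top of this file has State, Created, Updated and Labels but no `**URL:**` entry, unlike the Dependabot alert files in the same export. Add the issue URL there so a reader of the snapshot can reach the original thread for this closed issue.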
[NITPICK] Issue content includes a full absolute path on a developer machine (/home/USER/LazyOwn/...). Sanitize or normalize local paths (use placeholders like <REPO_ROOT> or $REPO_HOME) before committing snapshots to avoid leaking local directory conventions or usernames.
**Describe the bug**
When executing the `run lazynmap` command, an error is generated indicating that `No such file or directory` is present in `<REPO_ROOT>/sessions/logs/command_<REPO_ROOT>/modules/lazynmap.shoutputBigBang.htb.txt`
| # Dependabot Alert #7: paramiko | ||
|
|
||
| - **State:** open | ||
| - **Severity:** low | ||
| - **CVE:** CVE-2026-44405 | ||
| - **Created:** 2026-06-06T17:08:16Z | ||
| - **URL:** https://github.com/grisuno/LazyOwn/security/dependabot/7 | ||
|
|
||
| ## Summary | ||
| Paramiko rsakey.py allows the SHA-1 algorithm | ||
|
|
||
| ## Description | ||
| In Paramiko through 4.0.0 before a448945, rsakey.py allows the SHA-1 algorithm. |
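Review bot: The Description identifies the fix only by commit (`through 4.0.0 before a448945`) and the file has no Patches or Workarounds section, so it does not say which release, if any, a reader should upgrade to. Add the first fixed release once one exists, or state explicitly that the fix is not yet in a tagged release.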
[VALIDATION] Paramiko rsakey.py allowing SHA-1 is flagged. Actionable steps: (1) Audit code that verifies signatures or that constructs keys to ensure it does not accept/choose SHA-1. (2) Update Paramiko to the patched version and add explicit policy/configuration to reject SHA-1 for production uses. (3) Add checks to crypto-using codepaths to fail if weak algorithms are negotiated.
## Remediation Guidance
- Upgrade `paramiko` to a version >= 4.0.1 (or the first release that includes commit `a448945`).
- In any code that constructs or verifies RSA keys or signatures via Paramiko, explicitly disallow SHA-1, for example by:
  - Enforcing `ssh-rsa-sha2-256` / `ssh-rsa-sha2-512` (or stronger) host key algorithms in SSH client/server configuration.
  - Rejecting connections that negotiate `ssh-rsa` (SHA-1–based) algorithms.
- Add application-level checks around Paramiko usage to fail-fast if SHA-1 is selected during key exchange or signature verification, and log these events for monitoring.
Reviewed up to commit: 31f295b35f6898cbed9a289a2869261de2411018

Additional Suggestion

Others
- Many Dependabot alerts target pypdf with various memory exhaustion/infinite-loop vulnerabilities across versions. Actionable remediation plan: (1) Define and apply a single upgrade policy (e.g., bump pypdf to the minimal version that fixes all listed CVEs — use the highest fixed version referenced across alerts), update dependency files (requirements.txt/pyproject.lock), and run full test-suite. (2) Where immediate upgrade isn't possible, implement runtime mitigations: parse PDFs with strict mode, apply per-file memory and CPU timeouts, run PDF parsing in isolated workers/processes with resource limits, and sanitize/limit inputs. (3) Add automated dependency scanning and an assignable issue board for security alerts so maintainers can triage and remediate high-severity items quickly.

## Remediation Plan for pypdf & Related Alerts
1. **Unify pypdf Version Across the Project**
- Inspect all dependency manifests and locks:
- `requirements.txt`
- `requirements-*.txt` (if any)
- `pyproject.toml` / `poetry.lock`
- `Pipfile` / `Pipfile.lock`
- Set `pypdf` to a single version that is **>= 6.13.3** (covers all listed CVEs and advisories, including 6.13.3 and 6.13.0+ fixes):
```txt
# requirements.txt
pypdf>=6.13.3
```
- Regenerate lock files as appropriate for the chosen tool (pip-compile/poetry/pipenv) and run the full test suite.
2. **Runtime Mitigations (for services handling untrusted PDFs)**
In the main PDF-processing service/module (example Python sketch):
```python
# pdf_processing.py
import multiprocessing
import resource
import signal
from contextlib import contextmanager
from pypdf import PdfReader
import pypdf

# Align with upstream hardening guidance
pypdf.filters.LZW_MAX_OUTPUT_LENGTH = 75_000_000


def _set_resource_limits(memory_bytes: int, cpu_seconds: int) -> None:
    # POSIX-only; wrap/guard for other platforms
    resource.setrlimit(resource.RLIMIT_AS, (memory_bytes, memory_bytes))
    resource.setrlimit(resource.RLIMIT_CPU, (cpu_seconds, cpu_seconds))


def _init_worker(memory_bytes: int, cpu_seconds: int) -> None:
    _set_resource_limits(memory_bytes, cpu_seconds)
    signal.signal(signal.SIGALRM, lambda *_: (_ for _ in ()).throw(TimeoutError()))


@contextmanager
def _pdf_reader(path: str):
    # Always use strict mode to avoid many non-strict recovery paths
    reader = PdfReader(path, strict=True)
    try:
        yield reader
    finally:
        # Ensure file handles are closed even on parse errors
        if hasattr(reader, "stream"):
            reader.stream.close()


def _extract_text_worker(path: str) -> str:
    with _pdf_reader(path) as reader:
        text_chunks = []
        for page in reader.pages:
            # Avoid expensive layout=true unless strictly needed
            text_chunks.append(page.extract_text())
        return "\n".join(text_chunks)


def safe_extract_text(path: str, memory_bytes: int = 512 * 1024 * 1024, cpu_seconds: int = 10) -> str:
    """Extract text from an untrusted PDF with memory/CPU limits."""
    with multiprocessing.Pool(
        processes=1,
        initializer=_init_worker,
        initargs=(memory_bytes, cpu_seconds),
    ) as pool:
        async_result = pool.apply_async(_extract_text_worker, (path,))
        try:
            return async_result.get(timeout=cpu_seconds + 5)
        except (TimeoutError, multiprocessing.context.TimeoutError):
            pool.terminate()
            raise
```

(Replace with the real paths and line numbers from the CodeQL UI.)

### 2. Recommended Code Changes (Pattern)
Whenever possible, recommend binding to a configured interface or localhost by default, with an explicit opt-in for public binding. For example, in the project’s server configuration docs or comments around the binding code, reference a pattern like:
```python
# config.py
import os  # needed for os.getenv below
from ipaddress import ip_address

DEFAULT_BIND_HOST = "127.0.0.1"  # safer default


def get_bind_host(env_value: str | None) -> str:
    host = env_value or DEFAULT_BIND_HOST
    # Fail closed on obviously unsafe values unless explicitly allowed
    if host == "0.0.0.0" and not bool(int(os.getenv("ALLOW_PUBLIC_BIND", "0"))):
        raise ValueError(
            "Refusing to bind to 0.0.0.0 without ALLOW_PUBLIC_BIND=1. "
            "Use a specific interface or localhost."
        )
    # Basic validation
    ip_address(host)  # raises ValueError if invalid
    return host
```
And in the socket setup code:
```python
# server.py
import os
import socket
from .config import get_bind_host

bind_host = get_bind_host(os.getenv("LAZYOWN_BIND_HOST"))
port = int(os.getenv("LAZYOWN_PORT", "8080"))
server_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
server_socket.bind((bind_host, port))
```

### 3. Authentication / Access Control Checklist
In each alert markdown, add a short checklist for the owning team:
```md
## Remediation Checklist
- [ ] Confirm that binding to `0.0.0.0` is strictly required for this component.
- [ ] If not required, update the code to bind to `127.0.0.1` or a specific interface.
- [ ] Ensure that any listener exposed on non-local interfaces is:
  - [ ] Behind authentication or access-control (e.g., API key, mTLS, VPN, or firewall rules).
  - [ ] Not running in debug/development mode in production.
  - [ ] Documented in threat modeling / attack surface inventory.
```
This keeps the exported snapshot actionable for developers who open these markdown files without needing to navigate back to the GitHub UI first.
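To locate the listeners that the first checklist item asks about, the following added example (not part of the PR, the review comments or the LazyOwn code base) walks a Python file's AST and reports `.bind((host, port))` calls whose host is a wildcard address. It is a heuristic written for this page, not the CodeQL query itself; the function name and the sample source are assumptions.

```python
import ast

# Host values that bind a listener on every interface (IPv4 and IPv6).
WILDCARD_HOSTS = {"", "0.0.0.0", "::"}


def find_wildcard_binds(source, filename="<memory>"):
    """Return sorted (line, host) pairs for .bind((host, port)) on a wildcard host."""
    tree = ast.parse(source, filename=filename)

    # Resolve simple NAME = "literal" assignments so bind((HOST, port)) is seen too.
    # Flow-insensitive: if a name is assigned twice, the last one visited wins.
    names = {}
    for node in ast.walk(tree):
        if (isinstance(node, ast.Assign)
                and isinstance(node.value, ast.Constant)
                and isinstance(node.value.value, str)):
            for target in node.targets:
                if isinstance(target, ast.Name):
                    names[target.id] = node.value.value

    findings = []
    for node in ast.walk(tree):
        is_bind = (isinstance(node, ast.Call)
                   and isinstance(node.func, ast.Attribute)
                   and node.func.attr == "bind")
        if not is_bind or len(node.args) != 1:
            continue
        addr = node.args[0]
        if not isinstance(addr, ast.Tuple) or not addr.elts:
            continue
        host_node = addr.elts[0]
        if isinstance(host_node, ast.Constant):
            host = host_node.value
        elif isinstance(host_node, ast.Name):
            host = names.get(host_node.id)
        else:
            host = None  # computed at run time; needs manual review
        if isinstance(host, str) and host in WILDCARD_HOSTS:
            findings.append((node.lineno, host))
    return sorted(findings)


# Constructed sample source, not taken from the LazyOwn repository.
SAMPLE = '''\
import socket
HOST = "0.0.0.0"
a = socket.socket()
a.bind((HOST, 8000))
b = socket.socket()
b.bind(("127.0.0.1", 8080))
c = socket.socket(socket.AF_INET6)
c.bind(("::", 8443))
d = socket.socket()
d.bind(("", 9000))
'''

if __name__ == "__main__":
    for line, host in find_wildcard_binds(SAMPLE):
        print(f"line {line}: bind to {host!r} listens on all interfaces")
```

Hosts built at run time (environment variables, config files) are not resolved and still need manual review.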
Automated security export generated on 20260628_164956.
This PR adds a snapshot under `issues/` with:
- `issue_<n>.md`
- `issues/dependabot/`
- `issues/codescan/`
- `issues/README.md`

Generated by `security_issue_progressive.sh`.
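The review comments above recommend minimum versions for msgpack, cryptography and pypdf; the following added example (not part of the PR or of the project) shows a CI-style check that flags requirement lines whose lowest admitted version falls below those floors. The function names and the sample manifest are assumptions, and version parsing handles dotted numeric versions only.

```python
import re

# Minimum versions as quoted on this page (advisory text and review comments).
FLOORS = {"msgpack": "1.2.1", "cryptography": "48.0.1", "pypdf": "6.13.3"}


def parse_version(text):
    """Dotted numeric version -> 4-tuple; pre/post-release tags are not handled."""
    nums = [int(n) for n in text.strip().split(".") if n.isdigit()]
    return tuple((nums + [0, 0, 0, 0])[:4])


def lower_bound(spec):
    """Highest lower bound among ==, >=, >, ~= clauses, or None if there is none."""
    bounds = [parse_version(v)
              for _op, v in re.findall(r"(==|>=|~=|>)\s*([0-9][0-9.]*)", spec)]
    return max(bounds) if bounds else None


def check_manifest(text, floors=FLOORS):
    """Return {package: reason} for requirement lines that admit a vulnerable version."""
    problems = {}
    for raw in text.splitlines():
        # Drop comments and environment markers before parsing the line.
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        m = re.match(r"([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*(.*)$", line)
        if not m:
            continue  # blank lines and options such as "-r other.txt"
        name = re.sub(r"[-_.]+", "-", m.group(1)).lower()
        if name not in floors:
            continue
        low = lower_bound(m.group(2))
        if low is None:
            problems[name] = "no lower bound"
        elif low < parse_version(floors[name]):
            problems[name] = "allows versions below " + floors[name]
    return problems


# Constructed sample manifest, not the project's real requirements.txt.
SAMPLE = """\
msgpack>=1.2.1
cryptography==42.0.5   # pinned below the floor
pypdf>=3.0,<7
paramiko
requests>=2.0
"""

if __name__ == "__main__":
    for package, reason in sorted(check_manifest(SAMPLE).items()):
        print(f"{package}: {reason}")
```

paramiko is left out of `FLOORS` because the page identifies its fix by commit rather than by a confirmed release.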