
Security Export: Issues, Dependabot & CodeScan Alerts (2026-06-29)#143

Closed
grisuno wants to merge 1 commit into main from security-export-2026-06-29-20260629_013021
Conversation

@grisuno

@grisuno grisuno commented Jun 29, 2026

Owner

Automated security export generated on 20260629_013021.

This PR adds a snapshot under issues/ with:

  • All GitHub issues (open + closed) as issue_<n>.md
  • Open Dependabot alerts under issues/dependabot/
  • Open Code Scanning alerts under issues/codescan/
  • Index in issues/README.md

Generated by security_issue_progressive.sh.

@pantoaibot

pantoaibot Bot commented Jun 29, 2026

PR Summary:

Summary: Adds a security export under issues/ containing a README and individual markdowns for Dependabot alerts (35), CodeQL code-scanning alerts (3) and four tracked issues.

Changes:

  • New top-level file issues/README.md summarizing repo metrics and listing issues, dependabot and codescan alerts.
  • Added three CodeQL alert files: issues/codescan/alert_765.md, alert_766.md, alert_767.md (py/bind-socket-all-network-interfaces).
  • Added many Dependabot alert files (issues/dependabot/alert_7.md through alert_44.md) covering multiple pypdf vulnerabilities (numerous CVEs, memory exhaustion / infinite-loop / long-runtime issues; recommended patched versions vary across 6.1.3 → 6.13.3), cryptography (vulnerable OpenSSL in wheels; buffer-overflow issues), msgpack (high severity; Unpacker crash; patch v1.2.1), torch (memory corruption via torch.jit.script), and paramiko (allows SHA-1).
  • Added four issue tracking files: issues/issue_16.md, issue_17.md, issue_30.md, issue_84.md (all marked closed).
  • Each alert file includes state, severity/CVE, summary, impact, patches and recommended workarounds.

Impact:

  • No source code or dependency changes included — documentation/export only, so no breaking changes in this PR.
  • Action items for reviewers/maintainers: review listed alerts and apply recommended dependency upgrades or mitigations (notably update pypdf to the patched versions, upgrade cryptography/msgpack/torch/paramiko as indicated, and inspect code locations binding sockets to all interfaces).

Reviewed by Panto AI

Comment thread issues/README.md
@@ -0,0 +1,62 @@
# Repository: LazyOwn

**Description:** LazyOwn RedTeam/APT Framework is the first RedTeam Framework with an AI-powered C&C, featuring rootkits to conceal campaigns, undetectable malleable implants compatible with Windows/Linux/Mac OSX, and self-configuring backdoors. With its Web interface and powerful Console Client, it is the best combination for your Autonomous RedTeam/APT campaigns.

[CRITICAL_BUG] The README text (line 3) explicitly describes the project as an APT/RedTeam framework and lists rootkits, undetectable implants and self-configuring backdoors. This is high-risk content for a public repository (legal, abuse and takedown risk). Either remove/sanitize this description, restrict this snapshot to a private security channel, or add a clear legal/disclaimer and justification for why this content must be public. If this snapshot is meant for internal tracking, keep it out of the public repo.

**Description:** LazyOwn is a security testing and red teaming framework intended for authorized assessment and research in controlled environments. It includes components for endpoint stealth, command-and-control, and campaign automation. Use of this toolkit is restricted to lawful, consensual security testing and must comply with all applicable laws and third‑party terms of service.

Comment thread issues/issue_16.md

---

<!-- Warning: The suggested title contains the alert rule name. This can expose security information. -->

[CRITICAL_BUG] The file includes the warning comment that the suggested title contains the alert rule name which can expose security information. Several files in this snapshot expose rule names and scanning details in titles/body. Avoid publishing rule names or precise detection details in public issues; move full details to a private security report, sanitize titles, or replace specifics with generic identifiers to prevent leaking details that could be used by attackers.

# Issue #16: Fix code scanning alert - Information exposure through an exception

- **State:** closed
- **Created:** 2024-06-09T07:07:45Z
- **Updated:** 2024-06-09T07:12:42Z
- **Labels:** None

---

<!-- Internal note: original CodeQL rule name omitted from public title to avoid exposing security detection details. -->

Tracking issue for:
- [x] https://github.com/grisuno/LazyOwn/security/code-scanning/6

- **URL:** https://github.com/grisuno/LazyOwn/security/dependabot/35

## Summary
pypdf: Possible long runtimes for zero-only width values in cross-reference streamsuntimes for zero-only width values in cross-reference streams

[NITPICK] Line contains duplicated/garbled text: "long runtimes for zero-only width values in cross-reference streamsuntimes for zero-only width values in cross-reference streams". Clean up the sentence and remove the duplicated fragment.

## Summary
pypdf: Possible long runtimes for zero-only width values in cross-reference streams

Vulnerable OpenSSL included in cryptography wheels

## Description
pyca/cryptography's wheels include a statically linked copy of OpenSSL. The versions of OpenSSL included in wheels prior to cryptograph 48.01 are vulnerable to a security issue. More details about the vulnerability itself can be found in https://openssl-library.org/news/secadv/20260609.txt.

[NITPICK] Typo/incorrect package name/format on line 13: "cryptograph 48.01" — should be "cryptography" and version formatting should be clarified (e.g. 'cryptography < 48.0.1 are vulnerable' or the specific affected versions). Please correct the product name and version notation to avoid confusion.

## Description
pyca/cryptography's wheels include a statically linked copy of OpenSSL. The versions of OpenSSL included in wheels prior to cryptography 48.0.1 are vulnerable to a security issue. More details about the vulnerability itself can be found in https://openssl-library.org/news/secadv/20260609.txt.

Comment on lines +4 to +11
- **Severity:** low
- **CVE:** CVE-2025-3000
- **Created:** 2026-06-10T22:05:59Z
- **URL:** https://github.com/grisuno/LazyOwn/security/dependabot/33

## Summary
PyTorch is vulnerable to memory corruption through its torch.jit.script function

[NITPICK] Severity is marked 'low' (line 4) while the Description (line 11) says 'classified as critical'. Reconcile the severity label and the description to avoid confusion: set a consistent severity and, if needed, explain the discrepancy or update to the authoritative severity from the advisory.

# Dependabot Alert #33: torch

- **State:** open
- **Severity:** critical
- **CVE:** CVE-2025-3000
- **Created:** 2026-06-10T22:05:59Z
- **URL:** https://github.com/grisuno/LazyOwn/security/dependabot/33

## Summary
PyTorch is vulnerable to memory corruption through its torch.jit.script function

## Description
A vulnerability classified as critical has been found in PyTorch 2.6.0. This affects the function `torch.jit.script`. The manipulation leads to memory corruption. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used.

Comment on lines +4 to +11
- **Severity:** low
- **CVE:** CVE-2025-3000
- **Created:** 2026-06-12T02:01:04Z
- **URL:** https://github.com/grisuno/LazyOwn/security/dependabot/34

## Summary
PyTorch is vulnerable to memory corruption through its torch.jit.script function
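Review bot: The CVE and Summary lines here repeat alert #33 exactly (CVE-2025-3000, same torch.jit.script summary), and only the creation time and alert URL differ, so the export carries two files for one advisory. Add a field naming the manifest or lockfile each alert was raised against, or collapse the pair into one entry in issues/README.md, so a maintainer does not triage the same upgrade twice.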

[NITPICK] Same inconsistency as alert_33: severity is 'low' but the description calls the vulnerability 'critical'. Please align the severity label with the official advisory and ensure the description matches.

# Dependabot Alert #34: torch

- **State:** open
- **Severity:** critical
- **CVE:** CVE-2025-3000
- **Created:** 2026-06-12T02:01:04Z
- **URL:** https://github.com/grisuno/LazyOwn/security/dependabot/34

## Summary
PyTorch is vulnerable to memory corruption through its torch.jit.script function

## Description
A vulnerability classified as critical has been found in PyTorch 2.6.0. This affects the function torch.jit.script. The manipulation leads to memory corruption. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used.
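
The severity mismatch raised in the two torch comments above can be caught before an export is committed. The following linter is an added example, not code from the PR or from security_issue_progressive.sh; it assumes the `- **Field:** value` layout visible in the quoted alert files, and the `make_alert`, `lint` and `SAMPLE` names are hypothetical.

```python
import re
from collections import defaultdict

# Field lines as they appear in the exported alert files quoted on this page.
FIELD = re.compile(r"^- \*\*(\w+):\*\* (.+)$", re.M)
CLASSIFIED = re.compile(r"classified as (low|medium|moderate|high|critical)", re.I)
SYNONYM = {"moderate": "medium"}


def make_alert(number, severity, described):
    """Build a constructed alert file modelled on the alert_33/alert_34 excerpts."""
    return (f"# Dependabot Alert #{number}: torch\n\n- **State:** open\n"
            f"- **Severity:** {severity}\n- **CVE:** CVE-2025-3000\n\n"
            f"## Description\nA vulnerability classified as {described} "
            "has been found in PyTorch 2.6.0.\n")


# Constructed sample: one file with the mismatch, one with the label corrected.
SAMPLE = {"alert_33.md": make_alert(33, "low", "critical"),
          "alert_34.md": make_alert(34, "critical", "critical")}


def lint(alerts):
    """alerts maps filename to markdown; returns a list of (filename, finding)."""
    findings, by_cve = [], defaultdict(list)
    for name, text in sorted(alerts.items()):
        fields = {k.lower(): v.strip() for k, v in FIELD.findall(text)}
        label = fields.get("severity", "").lower()
        label = SYNONYM.get(label, label)
        match = CLASSIFIED.search(text)
        if match and label:
            described = SYNONYM.get(match.group(1).lower(), match.group(1).lower())
            if described != label:
                findings.append(
                    (name, f"severity label '{label}' but description says '{described}'"))
        cve = fields.get("cve", "").upper()
        if cve.startswith("CVE-"):
            by_cve[cve].append(name)
    # The same CVE in several files usually means one advisory, several manifests.
    for cve, names in sorted(by_cve.items()):
        if len(names) > 1:
            findings.append((names[-1], f"{cve} also reported in {', '.join(names[:-1])}"))
    return findings


if __name__ == "__main__":
    for filename, finding in lint(SAMPLE):
        print(f"{filename}: {finding}")
```

A flagged mismatch is a prompt to check the advisory, since the label and the description text can come from different sources.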

@pantoaibot

pantoaibot Bot commented Jun 29, 2026

Reviewed up to commit:f1e6248c90b3967cfd345d2351c5cd714c458834

Additional Suggestion
Others - This snapshot lists a large number of Dependabot alerts (notably many pypdf alerts and a high-severity msgpack alert). Add actionable remediation guidance to the index: (1) include the minimal patched versions next to each alert (from the alert pages included), (2) update repository dependency manifests (requirements.txt/pyproject) to pin patched versions, and (3) add or update CI checks to fail if known-vulnerable package versions are present.
## Remediation guidance (summary)

### Dependency upgrade targets

The alerts below include the **minimum patched versions** that should be used in `requirements.txt` / `pyproject.toml`:

- **pypdf**: upgrade to **6.13.3 or later** (covers alerts requiring 6.1.3, 6.4.0, 6.6.0, 6.6.2, 6.7.x, 6.8.0, 6.9.x, 6.10.x, 6.12.x, 6.13.0, 6.13.3).
- **msgpack**: upgrade to **1.2.1 or later**.
- **cryptography**: upgrade to the latest release that bundles a non‑vulnerable OpenSSL (≥ the version recommended in alert #37).
- **torch**: upgrade to a version where CVE-2025-3000 is fixed (see the advisory linked from alerts #33 and #34).
- **paramiko**: upgrade to a version newer than 4.0.0 a448945 (see alert #7 advisory) and ensure SHA‑1 is disabled where possible.

### Example: pinning patched versions

```toml
# pyproject.toml (excerpt)
# PEP 621: dependencies are a list of requirement strings under [project]
[project]
dependencies = [
    "pypdf>=6.13.3",
    "msgpack>=1.2.1",
    "cryptography>=48.0.1",  # or the first version documented as including a fixed OpenSSL
    "torch>=2.6.1",          # adjust to the first non‑vulnerable version per advisory
    "paramiko>=4.1.0",       # or first version that removes SHA‑1 usage noted in the advisory
]
```

### CI policy

Add a safety check in CI that fails the build if known‑vulnerable versions are installed, for example using pip-audit:

```yaml
# .github/workflows/security-audit.yml
name: Security audit

on:
  push:
  pull_request:

jobs:
  pip-audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.11"
      - run: pip install pip-audit
      # pip-audit exits non-zero when it finds a known vulnerability, which fails the job
      - run: pip-audit --requirement requirements.txt
```
Reviewed by Panto AI
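
As a complement to the audit step suggested above, the manifest itself can be checked so that its specifiers never admit a version below the patched floors named in the alerts. This is an added example, not code from the PR or the LazyOwn project; the `audit` function, the `FLOORS` table and the sample manifest are assumptions, and only the pypdf, msgpack and cryptography versions come from this page.

```python
import re

# Minimum patched versions named in the alerts on this page. torch and
# paramiko are omitted: the page gives no confirmed fixed version for them.
FLOORS = {"pypdf": (6, 13, 3), "msgpack": (1, 2, 1), "cryptography": (48, 0, 1)}

REQ = re.compile(r"^\s*([A-Za-z0-9._-]+)\s*(?:\[[^\]]*\])?\s*([^;#]*)")
CLAUSE = re.compile(r"(==|~=|>=|>)\s*([0-9]+(?:\.[0-9]+)*)")

# Constructed sample manifest, not taken from the LazyOwn repository.
SAMPLE = """\
pypdf==5.4.0
msgpack>=1.2.1,<2
cryptography~=48.0   # compatible release still admits 48.0.0
requests>=2.0
"""


def vtuple(text):
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def lower_bound(spec):
    """Highest lower bound among the clauses, or None if there is none.
    '>' is treated like '>=' so the check errs on the side of flagging."""
    bounds = [vtuple(ver) for _, ver in CLAUSE.findall(spec)]
    return max(bounds) if bounds else None


def audit(requirements_text):
    findings = []
    for line in requirements_text.splitlines():
        m = REQ.match(line)
        if not m or line.lstrip().startswith(("#", "-")):
            continue  # blank lines, comments and pip options such as -r
        name = re.sub(r"[-_.]+", "-", m.group(1)).lower()
        floor = FLOORS.get(name)
        if floor is None:
            continue
        bound = lower_bound(m.group(2))
        if bound is None:
            findings.append((name, "no lower bound"))
        elif bound < floor:
            findings.append((name, "admits versions below " + ".".join(map(str, floor))))
    return findings


if __name__ == "__main__":
    for name, problem in audit(SAMPLE):
        print(f"{name}: {problem}")
    raise SystemExit(1 if audit(SAMPLE) else 0)
```

Run against the real `requirements.txt` in CI, the non-zero exit fails the job when a specifier is loosened below a patched version, even if the currently resolved version happens to be safe.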

@grisuno grisuno closed this Jun 29, 2026
@grisuno grisuno deleted the security-export-2026-06-29-20260629_013021 branch June 29, 2026 19:53