Security Export: Issues, Dependabot & CodeScan Alerts (2026-06-29)#143
Security Export: Issues, Dependabot & CodeScan Alerts (2026-06-29)#143grisuno wants to merge 1 commit into
Conversation
|
PR Summary: Summary: Adds a security export under issues/ containing a README and individual markdowns for Dependabot alerts (35), CodeQL code-scanning alerts (3) and four tracked issues. Changes:
Impact:
|
| @@ -0,0 +1,62 @@ | |||
| # Repository: LazyOwn | |||
|
|
|||
| **Description:** LazyOwn RedTeam/APT Framework is the first RedTeam Framework with an AI-powered C&C, featuring rootkits to conceal campaigns, undetectable malleable implants compatible with Windows/Linux/Mac OSX, and self-configuring backdoors. With its Web interface and powerful Console Client, it is the best combination for your Autonomous RedTeam/APT campaigns. | |||
There was a problem hiding this comment.
[CRITICAL_BUG] The README text (line 3) explicitly describes the project as an APT/RedTeam framework and lists rootkits, undetectable implants and self-configuring backdoors. This is high-risk content for a public repository (legal, abuse and takedown risk). Either remove/sanitize this description, restrict this snapshot to a private security channel, or add a clear legal/disclaimer and justification for why this content must be public. If this snapshot is meant for internal tracking, keep it out of the public repo.
**Description:** LazyOwn is a security testing and red teaming framework intended for authorized assessment and research in controlled environments. It includes components for endpoint stealth, command-and-control, and campaign automation. Use of this toolkit is restricted to lawful, consensual security testing and must comply with all applicable laws and third‑party terms of service.|
|
||
| --- | ||
|
|
||
| <!-- Warning: The suggested title contains the alert rule name. This can expose security information. --> |
There was a problem hiding this comment.
[CRITICAL_BUG] The file includes the warning comment that the suggested title contains the alert rule name which can expose security information. Several files in this snapshot expose rule names and scanning details in titles/body. Avoid publishing rule names or precise detection details in public issues; move full details to a private security report, sanitize titles, or replace specifics with generic identifiers to prevent leaking details that could be used by attackers.
# Issue #16: Fix code scanning alert - Information exposure through an exception
- **State:** closed
- **Created:** 2024-06-09T07:07:45Z
- **Updated:** 2024-06-09T07:12:42Z
- **Labels:** None
---
<!-- Internal note: original CodeQL rule name omitted from public title to avoid exposing security detection details. -->
Tracking issue for:
- [x] https://github.com/grisuno/LazyOwn/security/code-scanning/6| - **URL:** https://github.com/grisuno/LazyOwn/security/dependabot/35 | ||
|
|
||
| ## Summary | ||
| pypdf: Possible long runtimes for zero-only width values in cross-reference streamsuntimes for zero-only width values in cross-reference streams |
There was a problem hiding this comment.
[NITPICK] Line contains duplicated/garbled text: "long runtimes for zero-only width values in cross-reference streamsuntimes for zero-only width values in cross-reference streams". Clean up the sentence and remove the duplicated fragment.
## Summary
pypdf: Possible long runtimes for zero-only width values in cross-reference streams| Vulnerable OpenSSL included in cryptography wheels | ||
|
|
||
| ## Description | ||
| pyca/cryptography's wheels include a statically linked copy of OpenSSL. The versions of OpenSSL included in wheels prior to cryptograph 48.01 are vulnerable to a security issue. More details about the vulnerability itself can be found in https://openssl-library.org/news/secadv/20260609.txt. |
There was a problem hiding this comment.
[NITPICK] Typo/incorrect package name/format on line 13: "cryptograph 48.01" — should be "cryptography" and version formatting should be clarified (e.g. 'cryptography < 48.0.1 are vulnerable' or the specific affected versions). Please correct the product name and version notation to avoid confusion.
## Description
pyca/cryptography's wheels include a statically linked copy of OpenSSL. The versions of OpenSSL included in wheels prior to cryptography 48.0.1 are vulnerable to a security issue. More details about the vulnerability itself can be found in https://openssl-library.org/news/secadv/20260609.txt.| - **Severity:** low | ||
| - **CVE:** CVE-2025-3000 | ||
| - **Created:** 2026-06-10T22:05:59Z | ||
| - **URL:** https://github.com/grisuno/LazyOwn/security/dependabot/33 | ||
|
|
||
| ## Summary | ||
| PyTorch is vulnerable to memory corruption through its torch.jit.script function | ||
|
|
There was a problem hiding this comment.
[NITPICK] Severity is marked 'low' (line 4) while the Description (line 11) says 'classified as critical'. Reconcile the severity label and the description to avoid confusion: set a consistent severity and, if needed, explain the discrepancy or update to the authoritative severity from the advisory.
# Dependabot Alert #33: torch
- **State:** open
- **Severity:** critical
- **CVE:** CVE-2025-3000
- **Created:** 2026-06-10T22:05:59Z
- **URL:** https://github.com/grisuno/LazyOwn/security/dependabot/33
## Summary
PyTorch is vulnerable to memory corruption through its torch.jit.script function
## Description
A vulnerability classified as critical has been found in PyTorch 2.6.0. This affects the function `torch.jit.script`. The manipulation leads to memory corruption. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used.| - **Severity:** low | ||
| - **CVE:** CVE-2025-3000 | ||
| - **Created:** 2026-06-12T02:01:04Z | ||
| - **URL:** https://github.com/grisuno/LazyOwn/security/dependabot/34 | ||
|
|
||
| ## Summary | ||
| PyTorch is vulnerable to memory corruption through its torch.jit.script function | ||
|
|
There was a problem hiding this comment.
[NITPICK] Same inconsistency as alert_33: severity is 'low' but the description calls the vulnerability 'critical'. Please align the severity label with the official advisory and ensure the description matches.
# Dependabot Alert #34: torch
- **State:** open
- **Severity:** critical
- **CVE:** CVE-2025-3000
- **Created:** 2026-06-12T02:01:04Z
- **URL:** https://github.com/grisuno/LazyOwn/security/dependabot/34
## Summary
PyTorch is vulnerable to memory corruption through its torch.jit.script function
## Description
A vulnerability classified as critical has been found in PyTorch 2.6.0. This affects the function torch.jit.script. The manipulation leads to memory corruption. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used.|
Reviewed up to commit:f1e6248c90b3967cfd345d2351c5cd714c458834 Additional SuggestionOthers- This snapshot lists a large number of Dependabot alerts (notably many pypdf alerts and a high-severity msgpack alert). Add actionable remediation guidance to the index: (1) include the minimal patched versions next to each alert (from the alert pages included), (2) update repository dependency manifests (requirements.txt/pyproject) to pin patched versions, and (3) add or update CI checks to fail if known-vulnerable package versions are present.## Remediation guidance (summary)
### Dependency upgrade targets
The alerts below include the **minimum patched versions** that should be used in `requirements.txt` / `pyproject.toml`:
- **pypdf**: upgrade to **6.13.3 or later** (covers alerts requiring 6.1.3, 6.4.0, 6.6.0, 6.6.2, 6.7.x, 6.8.0, 6.9.x, 6.10.x, 6.12.x, 6.13.0, 6.13.3).
- **msgpack**: upgrade to **1.2.1 or later**.
- **cryptography**: upgrade to the latest release that bundles a non‑vulnerable OpenSSL (≥ the version recommended in alert #37).
- **torch**: upgrade to a version where CVE-2025-3000 is fixed (see the advisory linked from alerts #33 and #34).
- **paramiko**: upgrade to a version newer than 4.0.0 a448945 (see alert #7 advisory) and ensure SHA‑1 is disabled where possible.
### Example: pinning patched versions
```toml
# pyproject.toml (excerpt)
[project.dependencies]
pypdf = ">=6.13.3"
msgpack = ">=1.2.1"
cryptography = ">=48.0.1" # or the first version documented as including a fixed OpenSSL
torch = ">=2.6.1" # adjust to the first non‑vulnerable version per advisory
paramiko = ">=4.1.0" # or first version that removes SHA‑1 usage noted in the advisoryCI policyAdd a safety check in CI that fails the build if known‑vulnerable versions are installed, for example using # .github/workflows/security-audit.yml
name: Security audit
on:
push:
pull_request:
jobs:
pip-audit:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-python@v5
with:
python-version: "3.11"
- run: pip install pip-audit
- run: pip-audit --requirement requirements.txt --fail-on vulns |
Automated security export generated on 20260629_013021.
This PR adds a snapshot under
issues/with:issue_<n>.mdissues/dependabot/issues/codescan/issues/README.mdGenerated by
security_issue_progressive.sh.