[automatic] Publish 5 advisories for 4 packages

advisories/published/2025/JLSEC-0000-mnrtukcf8-1ftv63e.md

@@ -0,0 +1,24 @@
+```toml
+schema_version = "1.7.3"
+id = "JLSEC-0000-mnrtukcf8-1ftv63e"
+modified = 2025-10-11T03:15:18.116Z
+upstream = ["CVE-2024-34459"]
+references = ["https://gitlab.gnome.org/GNOME/libxml2/-/issues/720", "https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.11.8", "https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.12.7", "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5HVUXKYTBWT3G5DEEQX62STJQBY367NL/", "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/INKSSLW5VMZIXHRPZBAW4TJUX5SQKARG/", "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VRDJCNQP32LV56KESUQ5SNZKAJWSZZRI/", "https://gitlab.gnome.org/GNOME/libxml2/-/issues/720", "https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.11.8", "https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.12.7", "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5HVUXKYTBWT3G5DEEQX62STJQBY367NL/", "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/INKSSLW5VMZIXHRPZBAW4TJUX5SQKARG/", "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VRDJCNQP32LV56KESUQ5SNZKAJWSZZRI/"]
+
+[[affected]]
+pkg = "XML2_jll"
+ranges = ["< 2.12.7+0"]
+
+[[jlsec_sources]]
+id = "CVE-2024-34459"
+imported = 2025-10-11T03:15:18.098Z
+modified = 2025-10-10T18:00:14.990Z
+published = 2024-05-14T15:39:11.917Z
+url = "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2024-34459"
+html_url = "https://nvd.nist.gov/vuln/detail/CVE-2024-34459"
+```
+
+# An issue was discovered in xmllint (from libxml2) before 2.11.8 and 2.12.x before 2.12.7
+
+An issue was discovered in xmllint (from libxml2) before 2.11.8 and 2.12.x before 2.12.7. Formatting error messages with xmllint --htmlout can result in a buffer over-read in xmlHTMLPrintFileContext in xmllint.c.
+

advisories/published/2025/JLSEC-0000-mnrtuki24-bx3pow.md

@@ -0,0 +1,24 @@
+```toml
+schema_version = "1.7.3"
+id = "JLSEC-0000-mnrtuki24-bx3pow"
+modified = 2025-10-11T03:15:25.420Z
+upstream = ["CVE-2024-56378"]
+references = ["https://gitlab.freedesktop.org/poppler/poppler/-/blob/30eada0d2bceb42c2d2a87361339063e0b9bea50/CMakeLists.txt#L621", "https://gitlab.freedesktop.org/poppler/poppler/-/commit/ade9b5ebed44b0c15522c27669ef6cdf93eff84e", "https://gitlab.freedesktop.org/poppler/poppler/-/issues/1553"]
+
+[[affected]]
+pkg = "Poppler_jll"
+ranges = ["*"]
+
+[[jlsec_sources]]
+id = "CVE-2024-56378"
+imported = 2025-10-11T03:15:25.420Z
+modified = 2025-10-10T18:31:11.853Z
+published = 2024-12-23T00:15:05.133Z
+url = "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2024-56378"
+html_url = "https://nvd.nist.gov/vuln/detail/CVE-2024-56378"
+```
+
+# libpoppler.so in Poppler through 24.12.0 has an out-of-bounds read vulnerability within the JBIG2Bit...
+
+libpoppler.so in Poppler through 24.12.0 has an out-of-bounds read vulnerability within the JBIG2Bitmap::combine function in JBIG2Stream.cc.
+

advisories/published/2025/JLSEC-0000-mnrtuknze-v5ka2x.md

@@ -0,0 +1,24 @@
+```toml
+schema_version = "1.7.3"
+id = "JLSEC-0000-mnrtuknze-v5ka2x"
+modified = 2025-10-11T03:15:33.098Z
+upstream = ["CVE-2025-30258"]
+references = ["https://dev.gnupg.org/T7527", "https://dev.gnupg.org/rG48978ccb4e20866472ef18436a32744350a65158", "https://lists.gnupg.org/pipermail/gnupg-announce/2025q1/000491.html"]
+
+[[affected]]
+pkg = "GnuPG_jll"
+ranges = ["*"]
+
+[[jlsec_sources]]
+id = "CVE-2025-30258"
+imported = 2025-10-11T03:15:33.098Z
+modified = 2025-10-10T14:29:32.060Z
+published = 2025-03-19T20:15:20.140Z
+url = "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2025-30258"
+html_url = "https://nvd.nist.gov/vuln/detail/CVE-2025-30258"
+```
+
+# In GnuPG before 2.5.5, if a user chooses to import a certificate with certain crafted subkey data th...
+
+In GnuPG before 2.5.5, if a user chooses to import a certificate with certain crafted subkey data that lacks a valid backsig or that has incorrect usage flags, the user loses the ability to verify signatures made from certain other signing keys, aka a "verification DoS."
+

advisories/published/2025/JLSEC-0000-mnrtukvma-mljgsq.md

@@ -0,0 +1,24 @@
+```toml
+schema_version = "1.7.3"
+id = "JLSEC-0000-mnrtukvma-mljgsq"
+modified = 2025-10-11T03:15:42.994Z
+upstream = ["CVE-2025-52886"]
+references = ["https://gitlab.freedesktop.org/poppler/poppler/-/commit/04bd91684ed41d67ae0f10cde0660e4ed74ac203", "https://gitlab.freedesktop.org/poppler/poppler/-/commit/ac36affcc8486de38e8905a8d6547a3464ff46e5", "https://gitlab.freedesktop.org/poppler/poppler/-/issues/1581", "https://gitlab.freedesktop.org/poppler/poppler/-/merge_requests/1828", "https://securitylab.github.com/advisories/GHSL-2025-054_poppler/"]
+
+[[affected]]
+pkg = "Poppler_jll"
+ranges = ["*"]
+
+[[jlsec_sources]]
+id = "CVE-2025-52886"
+imported = 2025-10-11T03:15:42.994Z
+modified = 2025-10-10T19:52:47.103Z
+published = 2025-07-02T16:15:28.933Z
+url = "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2025-52886"
+html_url = "https://nvd.nist.gov/vuln/detail/CVE-2025-52886"
+```
+
+# Poppler is a PDF rendering library
+
+Poppler is a PDF rendering library. Versions prior to 25.06.0 use `std::atomic_int` for reference counting. Because `std::atomic_int` is only 32 bits, it is possible to overflow the reference count and trigger a use-after-free. Version 25.06.0 patches the issue.
+

advisories/published/2025/JLSEC-0000-mnrtulag1-z5dawh.md

@@ -0,0 +1,32 @@
+```toml
+schema_version = "1.7.3"
+id = "JLSEC-0000-mnrtulag1-z5dawh"
+modified = 2025-10-11T03:16:02.209Z
+aliases = ["CVE-2025-61689"]
+references = ["https://github.com/JuliaWeb/HTTP.jl/releases/tag/v1.10.19", "https://github.com/JuliaWeb/HTTP.jl/security/advisories/GHSA-h3x8-ppwj-6vcj"]
+
+[[affected]]
+pkg = "HTTP"
+ranges = ["< 1.10.19"]
+
+[[jlsec_sources]]
+id = "CVE-2025-61689"
+imported = 2025-10-11T03:16:02.209Z
+modified = 2025-10-10T17:15:39.367Z
+published = 2025-10-10T17:15:39.367Z
+url = "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2025-61689"
+html_url = "https://nvd.nist.gov/vuln/detail/CVE-2025-61689"
+[[jlsec_sources]]
+id = "EUVD-2025-33756"
+imported = 2025-10-11T03:16:02.210Z
+modified = 2025-10-10T19:12:55.000Z
+published = 2025-10-10T16:48:41.000Z
+url = "https://euvdservices.enisa.europa.eu/api/enisaid?id=EUVD-2025-33756"
+html_url = "https://euvd.enisa.europa.eu/vulnerability/EUVD-2025-33756"
+fields = ["affected"]
+```
+
+# HTTP.jl is an HTTP client and server functionality for the Julia programming language
+
+HTTP.jl is an HTTP client and server functionality for the Julia programming language. Prior to version 1.10.19, HTTP.jl did not validate header names/values for illegal characters, allowing CRLF-based header injection and response splitting. This enables HTTP response splitting and header injection, leading to cache poisoning, XSS, session fixation, and more. This issue is fixed in HTTP.jl  `v1.10.19`.
+