Conversation

@jlsec-bot
Contributor

This action searched --project=patchelf, checking 1 (+0) advisories from NVD and 0 (+1) from EUVD for advisories that pertain here. It identified 1 advisory as being related to the Julia package(s): Patchelf_jll.

1 advisory applies to the latest version of a package and does not have a patch

  • CVE-2022-44940 for packages: Patchelf_jll
    • Patchelf_jll computed [">= 2019.10.23+0"]. Its latest version (2019.10.23+0) has components: {patchelf = "*"}
      • patchelf_project:patchelf at = 0.9 mapped to [>= 2019.10.23+0], includes the latest version

@mbauman
Member

mbauman commented Dec 2, 2025

OK, Patchelf_jll has a bit of odd history here. It has versions:

[Patchelf_jll."0.13.0+0"]
registered = 2021-11-20T14:46:36.000Z

[Patchelf_jll."0.14.3+0"]
registered = 2021-12-19T22:25:47.000Z

[Patchelf_jll."0.17.2+0"]
registered = 2023-02-09T13:10:22.000Z

[Patchelf_jll."0.18.0+0"]
registered = 2023-09-26T15:41:21.000Z

[Patchelf_jll."2019.10.23+0"]
registered = 2019-11-08T09:25:48.000Z
yanked = 2023-06-14T03:50:39.000Z

That 2019 version was built from a git source: https://github.com/JuliaPackaging/Yggdrasil/blob/8bcd93e90fdbce512a9b6b6cc3d35967cbd5650b/P/Patchelf/build_tarballs.jl

The commit, NixOS/patchelf@2ba6481, lands somewhere between 0.10 and 0.11. The commit that fixed CVE-2022-44940 actually lands well after 0.10 (which is the data NVD reports). It looks like all versions < 0.16 are vulnerable.
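As an added illustration (not the bot's code and not part of this thread), the check below re-evaluates CVE-2022-44940 against the Patchelf_jll versions quoted above. It excludes the yanked version when picking the latest, places the git-built 2019.10.23+0 release at upstream 0.10 (the "between 0.10 and 0.11" estimate from the comment, an assumption), and uses the comment's "< 0.16 is vulnerable" range; the registry dictionary is constructed from the listing above.

```python
"""Re-check CVE-2022-44940 against the Patchelf_jll versions quoted in the thread."""

# Registry entries as quoted in the comment (constructed from the thread).
REGISTRY = {
    "0.13.0+0": {"yanked": False},
    "0.14.3+0": {"yanked": False},
    "0.17.2+0": {"yanked": False},
    "0.18.0+0": {"yanked": False},
    "2019.10.23+0": {"yanked": True},
}

# Git-built JLLs carry a build date, not the upstream release number, so they
# are placed by commit position. Assumption: the comment's "between 0.10 and 0.11".
GIT_BUILD_UPSTREAM = {"2019.10.23+0": (0, 10, 0)}

# From the comment: "all versions < 0.16 are vulnerable".
VULNERABLE_BELOW = (0, 16, 0)


def parse_version(v: str) -> tuple[int, int, int]:
    """'0.17.2+0' -> (0, 17, 2); the '+N' JLL build number is dropped."""
    core = v.split("+", 1)[0]
    major, minor, patch = (int(x) for x in core.split("."))
    return (major, minor, patch)


def upstream_version(jll_version: str) -> tuple[int, int, int]:
    """Upstream patchelf version a JLL version corresponds to."""
    if jll_version in GIT_BUILD_UPSTREAM:
        return GIT_BUILD_UPSTREAM[jll_version]
    # Regular JLL releases track the upstream version number directly.
    return parse_version(jll_version)


def latest_available(registry: dict) -> str:
    """Latest non-yanked version; yanked entries are skipped, as the resolver skips them."""
    live = [v for v, meta in registry.items() if not meta["yanked"]]
    return max(live, key=parse_version)


def is_vulnerable(jll_version: str) -> bool:
    return upstream_version(jll_version) < VULNERABLE_BELOW


def affected_versions(registry: dict) -> list[str]:
    """Every registered version (yanked or not) whose upstream build is in range."""
    return sorted((v for v in registry if is_vulnerable(v)), key=parse_version)


if __name__ == "__main__":
    latest = latest_available(REGISTRY)
    print(f"latest available: {latest}, vulnerable: {is_vulnerable(latest)}")
    print("affected versions:", affected_versions(REGISTRY))
```

Run stand-alone it reports 0.18.0+0 as the latest installable version and not vulnerable, while the yanked 2019 build and the 0.13/0.14 releases fall inside the range.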
