Add initial content

[TristanCacqueray]

The goal is to add some real advisory for known or past issue.

• Follow the documentation and propose new advisory.
• Update documentation if necessary.

[frasertweedale]

Search of NVD/mitre turned up the following CVEs:

• https://nvd.nist.gov/vuln/detail/CVE-2022-31053 biscuit-haskell improper sig validation (Report biscuit-haskell CVE-2022-31053 (#32) #47)
• https://nvd.nist.gov/vuln/detail/CVE-2013-1436 xmonad-contrib code injection (Report xmonad-contrib CVE-2013-1436 #54)
• https://nvd.nist.gov/vuln/detail/CVE-2021-30502 vscode-ghc-simple RCE (NOT A HASKELL LIB/PROGRAM)
• https://nvd.nist.gov/vuln/detail/CVE-2021-4249 xml-conduit entity expansion DoS (HSEC-2023-0004: xml-conduit entity expansion attack #92)
• https://nvd.nist.gov/vuln/detail/CVE-2013-0243 hs-tls improper certificate validation (HSEC-2023-0005: tls-extra does not check BasicConstraints #93)
• https://nvd.nist.gov/vuln/detail/CVE-2022-3433 aeson hash flooding (HSEC-2023-0001: aeson hash flooding #35)
• 3 git-annex CVEs: https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=git-annex (HSEC-2023-0009..0013: git-annex historical advisories #107)
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-46888 hledger xss (HSEC-2023-0008: Stored XSS in hledger-web #99)

Reviewing those and reflecting them into the advisory-db would be a good start.

[frasertweedale]

@david-christiansen has a known TOML lib issue (already fixed) that he will submit next week. (#56)

[frasertweedale]

Re https://nvd.nist.gov/vuln/detail/CVE-2021-30502 vscode-ghc-simple RCE - it is actually not a Haskell program.

• its page on VS Marketplace: https://marketplace.visualstudio.com/items?itemName=dramforever.vscode-ghc-simple
• github repo: https://github.com/dramforever/vscode-ghc-simple/tree/master
• it has a GHSA: GHSA-3qwv-3h88-g4p5

And it has been fixed in the latest version. I don't think there's anything further the SRT has to do for this issue.

[mihaimaruseac]

+1, I don't think we have to do anything more for this one

[frasertweedale]

I think we're done here :) All the known historical advisories have been added to the DB.