Update vulnerability whitelist

.last-exported-commit

@@ -1 +1 @@
-Last exported commit from parent repo: 6e3f24b8131b3b49aed37881270b7a18e093d307
+Last exported commit from parent repo: d6e5804d6fcba05fe0af882a0c1db8ffb0050320

nix-bootstrap.cabal

@@ -5,7 +5,7 @@ cabal-version: 2.0
 -- see: https://github.com/sol/hpack
 
 name:           nix-bootstrap
-version:        1.5.4.2
+version:        1.5.4.3
 author:         gchquser
 maintainer:     [email protected]
 copyright:      Crown Copyright

package.yaml

@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 name: nix-bootstrap
-version: 1.5.4.2
+version: 1.5.4.3
 author: gchquser
 maintainer: [email protected]
 copyright: Crown Copyright

vulnerability-whitelist.toml

@@ -54,7 +54,7 @@ comment = "CVEs refer to RedHat Fuse, not C libfuse (Filesystem in Userspace) on
 comment = "gcc is only a build-time dependency so we are not vulnerable to this attack."
 
 ["glibc"]
-cve = ["CVE-2023-4527", "CVE-2023-4813", "CVE-2023-5156"]
+cve = ["CVE-2023-4527", "CVE-2023-4813", "CVE-2023-5156", "CVE-2023-0687", "CVE-2023-6779"]
 comment = "Crashes accepted as not a critical system. Stack contents of nix-bootstrap should never be sensitive."
 
 ["git"]
@@ -80,6 +80,9 @@ comment = "libarchive is only a build-time dependency so we are not vulnerable t
 ["libssh2"]
 comment = "libssh2 is only a build-time dependency so we are not vulnerable to this attack."
 
+["libuv"]
+comment = "libuv is only a build-time dependency so we're not vulnerable to this attack."
+
 ["libxml2"]
 comment = "libxml2 is only a build-time dependency so we're not vulnerable to this attack."
 
@@ -90,8 +93,7 @@ comment = """No upstream fix yet, but exploitation requires a victim \
   """
 
 ["linux-pam"]
-cve = ["CVE-2022-28321"]
-comment = "Only affects OpenSUSE distributions"
+comment = "linux-pam is only a build-time dependency so we're not vulnerable to this attack."
 
 ["network"]
 cve = ["CVE-2021-35048",