From a127eef9dbe071b57216b6bbe8a4a757cd28d785 Mon Sep 17 00:00:00 2001
From: Alex Pyrgiotis
Date: Mon, 28 Apr 2025 14:54:41 +0300
Subject: [PATCH] Ignore CVE-2025-43859 / GHSA-vqfr-h8mv-ghfj

Ignore an h11 vulnerability that is present in the Dangerzone application released from the `v0.9.0` tag. This vulnerability reportedly affects web servers behind reverse proxies, which is not Dangerzone's case.

---
 .grype.yaml | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/.grype.yaml b/.grype.yaml
index c25ca9a..83f59db 100644
--- a/.grype.yaml
+++ b/.grype.yaml
@@ -45,4 +45,12 @@ ignore:
 # present in Debian Bookworm. Also, libcurl is an HTTP client, and the
 # Dangerzone container does not make any network calls.
 - vulnerability: CVE-2025-0665
-
+ # CVE-2025-43859
+ # ==============
+ #
+ # GitHub advisory: https://github.com/advisories/GHSA-vqfr-h8mv-ghfj
+ # Verdict: Dangerzone is not affected because the vulnerable code is triggered
+ # when parsing HTTP requests, e.g., by web **servers**. Dangerzone on the
+ # other hand performs HTTP requests, i.e., it operates as **client**.
+ - vulnerability: CVE-2025-43859
+ - vulnerability: GHSA-vqfr-h8mv-ghfj
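Review bot: The two new `- vulnerability:` entries suppress CVE-2025-43859 / GHSA-vqfr-h8mv-ghfj for any package in the scanned artifact, not only h11, and carry no version bound, so the finding stays hidden even after a fixed h11 ships; the commit message names h11 as the affected package, but the rules do not. Scoping each rule with grype's package filter, `- vulnerability: CVE-2025-43859` / `  package:` / `    name: h11`, ties the ignore to the package the verdict was reached for, and if the intent is to tolerate the finding only until an upstream fix exists, `fix-state: not-fixed` would make the suppression lapse on its own once a fixed version is available. The comment block would also be more useful if it named the package (h11) and, presumably, the Dangerzone component that depends on it, so the client-only reasoning can be re-checked when dependencies change.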