Update vulnerability whitelist

sd234678 · sd234678 · commit bc2b0fb89b91 · 2025-08-14T10:05:29.000+01:00
diff --git a/.last-exported-commit b/.last-exported-commit
@@ -1 +1 @@
-Last exported commit from parent repo: 877279d0330279264e6a3fb71754cfb871e95fad
+Last exported commit from parent repo: 6c7e8cfcce94dc6d30ef3db5f1c53d24961a2c62
diff --git a/nix-bootstrap.cabal b/nix-bootstrap.cabal
@@ -5,7 +5,7 @@ cabal-version: 2.0
 -- see: https://github.com/sol/hpack
 
 name:           nix-bootstrap
-version:        2.4.0.2
+version:        2.4.0.3
 author:         gchquser
 maintainer:     48051938+sd234678@users.noreply.github.com
 copyright:      Crown Copyright
diff --git a/package.yaml b/package.yaml
@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 name: nix-bootstrap
-version: 2.4.0.2
+version: 2.4.0.3
 author: gchquser
 maintainer: 48051938+sd234678@users.noreply.github.com
 copyright: Crown Copyright
diff --git a/vulnerability-whitelist.toml b/vulnerability-whitelist.toml
@@ -12,6 +12,10 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+["curl"]
+cve = ["CVE-2025-4947","CVE-2025-5025","CVE-2025-5399"]
+comment = "One vuln is a DOS; n-b is inherently not vulnerable. The others would require github to have been successfully attacked and proxied to replace nixpkgs; this is unlikely and beyond scope of mitigations possible here."
+
 ["gcc"]
 cve = ["CVE-2023-4039"]
 comment = "Reasonable worst-case is loss of availability; risk acceptable."

Original file line number	Diff line number	Diff line change
`@@ -1 +1 @@`
`1`		`-Last exported commit from parent repo: 877279d0330279264e6a3fb71754cfb871e95fad`
	`1`	`+Last exported commit from parent repo: 6c7e8cfcce94dc6d30ef3db5f1c53d24961a2c62`