data/reports: add missing GHSAs

Fixes #2691

Change-Id: I0d4429336840220bb1afb1b2c9622ae4802fb126
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/579355
LUCI-TryBot-Result: Go LUCI <[email protected]>
Reviewed-by: Damien Neil <[email protected]>

Author: tatianab

data/osv/GO-2024-2658.json

@@ -7,6 +7,9 @@
     "CVE-2024-1753",
     "GHSA-pmf3-c36m-g5cf"
   ],
+  "related": [
+    "GHSA-874v-pj72-92f3"
+  ],
   "summary": "Container escape at build time in github.com/containers/buildah",
   "details": "A crafted container file can use a dummy image with a symbolic link to the host filesystem as a mount source and cause the mount operation to mount the host filesystem during a build-time RUN step. The commands inside the RUN step will then have read-write access to the host filesystem.",
   "affected": [

data/osv/GO-2024-2687.json

@@ -4,7 +4,8 @@
   "modified": "0001-01-01T00:00:00Z",
   "published": "0001-01-01T00:00:00Z",
   "aliases": [
-    "CVE-2023-45288"
+    "CVE-2023-45288",
+    "GHSA-4v7x-pqxf-cx7m"
   ],
   "summary": "HTTP/2 CONTINUATION flood in net/http",
   "details": "An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames.\n\nMaintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed.\n\nThis permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send.\n\nThe fix sets a limit on the amount of excess header frames we will process before closing a connection.",

data/reports/GO-2024-2658.yaml

@@ -20,8 +20,16 @@ cves:
     - CVE-2024-1753
 ghsas:
     - GHSA-pmf3-c36m-g5cf
+related:
+    - GHSA-874v-pj72-92f3
 credits:
     - '@rmcnamara-snyk'
 references:
     - fix: https://github.com/containers/buildah/commit/9de9c20ff368beb84b84fe660773d352519dc1c5
     - report: https://bugzilla.redhat.com/show_bug.cgi?id=2265513
+notes:
+    - |
+      GHSA-874v-pj72-92f3 is a DEPENDENT_VULNERABILITY
+      of this report, but the GHSA database considers it an
+      alias of CVE-2024-1753. Adding the GHSA as "related"
+      prevents our tooling from adding it to the aliases field.

data/reports/GO-2024-2687.yaml

@@ -297,6 +297,8 @@ description: |-
 
     The fix sets a limit on the amount of excess header frames we will process
     before closing a connection.
+ghsas:
+    - GHSA-4v7x-pqxf-cx7m
 credits:
     - Bartek Nowotarski (https://nowotarski.info/)
 references: