GHSA-C3CH-22RQ-XFWR AVideo CVE-2026-43884 incomplete fix - six (or more) `isSSRFSafeURL()` call sites still discard the `$resolvedIP` out-param at master HEAD post-`603e7bf`

CVE-2026-43884 fix 603e7bf patched EpgParser.php and plugin/AI/receiveAsync.json.php to use urlgetcontents redirect-safe. Neither uses the $resolvedIP out-param of isSSRFSafeURL for DNS pinning via CURLOPTRESOLVE. Six+ other call sites still discard $resolvedIP, opening DNS-rebinding TOCTOU...

AVideo CVE-2026-43884 incomplete fix - six (or more) `isSSRFSafeURL()` call sites still discard the `$resolvedIP` out-param at master HEAD post-`603e7bf`

CVE-2026-43884 fix 603e7bf patched EpgParser.php and plugin/AI/receiveAsync.json.php to use urlgetcontents redirect-safe. Neither uses the $resolvedIP out-param of isSSRFSafeURL for DNS pinning via CURLOPTRESOLVE. Six+ other call sites still discard $resolvedIP, opening DNS-rebinding TOCTOU...

CVE-2024-34447

An issue was discovered in the Bouncy Castle Crypto Package For Java before BC TLS Java 1.0.19 ships with BC Java 1.78, BC Java LTS 2.73.6 and before BC FIPS TLS Java 1.0.19. When endpoint identification is enabled in the BCJSSE and an SSL socket is created without an explicit hostname as happens...

CVE-2024-34447

An issue was discovered in the Bouncy Castle Crypto Package For Java before BC TLS Java 1.0.19 ships with BC Java 1.78, BC Java LTS 2.73.6 and before BC FIPS TLS Java 1.0.19. When endpoint identification is enabled in the BCJSSE and an SSL socket is created without an explicit hostname as happens...