
jlsec-bot
Contributor

This action searched --project=gettext, checking 2 (+0) advisories from NVD and 0 (+0) from EUVD for advisories that pertain here. It identified 1 advisory as being related to the Julia package(s): Gettext_jll.

1 advisory found concrete vulnerable ranges

  • CVE-2018-18751 for packages: Gettext_jll
    • Gettext_jll computed ["< 0.20.1+1"]. Its latest version (0.21.0+0) has components: {gettext = "0.21"}
    • GettextRuntime_jll has no vulnerable versions; some versions contain vulnerable gnu:gettext. Its latest version (0.22.4+0) has components: {gettext = "0.22.4"}
    • GCCBootstrap_jll has no vulnerable versions; some versions contain vulnerable gnu:gettext. Its latest version (9.4.0+0) has components: {mingw-w64-headers = "9.0.0", gettext = "0.21", isl = "0.24", gmp = "6.2.1", gnumpc = "1.2.1", zlib = "1.2.11", libiconv = "1.16", mpfr = "4.1.0", musl = "1.2.2"}

@mbauman
Member

mbauman commented Oct 20, 2025

This is a slightly interesting case — it applies to the upstream gettext at 0.19.8. We have the following Gettext_jll.jl versions:

[Gettext_jll]
"0.20.1+0" = {gettext = "0.19.8"}
"0.20.1+1" = {gettext = "0.20.1"}
"0.20.1+2" = {gettext = "0.20.1"}
"0.20.1+3" = {gettext = "0.20.1"}
"0.20.1+4" = {gettext = "0.20.1"}
"0.20.1+5" = {gettext = "0.20.1"}
"0.20.1+6" = {gettext = "0.20.1"}
"0.20.1+7" = {gettext = "0.20.1"}
"0.21.0+0" = {gettext = "0.21"}

So we're getting the correct version range here, but it's not one that Pkg could express as a compat bound. I suppose that's ok — just not something I've considered yet.
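As an added illustration of the mapping described in the comment above (this is example code, not part of the PR or of the jlsec-bot tooling): it reads the Gettext_jll table, selects the JLL versions whose bundled gettext matches the CVE, renders the result the way the bot does, and checks whether the boundary could be carried by a Pkg compat bound. It assumes, from the comment, that the CVE applies to upstream gettext 0.19.8 and that compat bounds only see major.minor.patch, never the `+N` build number.

```python
import re
# Constructed copy of the Gettext_jll table quoted in the comment above.
JLL_TABLE = '''
"0.20.1+0" = {gettext = "0.19.8"}
"0.20.1+1" = {gettext = "0.20.1"}
"0.20.1+2" = {gettext = "0.20.1"}
"0.20.1+3" = {gettext = "0.20.1"}
"0.20.1+4" = {gettext = "0.20.1"}
"0.20.1+5" = {gettext = "0.20.1"}
"0.20.1+6" = {gettext = "0.20.1"}
"0.20.1+7" = {gettext = "0.20.1"}
"0.21.0+0" = {gettext = "0.21"}
'''
LINE_RE = re.compile(r'^"([^"]+)"\s*=\s*\{(\w+)\s*=\s*"([^"]+)"\}$')

def parse_version(s):
    """'0.20.1+3' -> ((0, 20, 1), 3); short cores like '0.21' pad with zeros."""
    core, _, build = s.partition("+")
    nums = [int(x) for x in core.split(".")]
    nums += [0] * (3 - len(nums))
    return tuple(nums), int(build or 0)

def parse_table(text):
    """Map each JLL version to its {component: upstream version} dict."""
    table = {}
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            table[m.group(1)] = {m.group(2): m.group(3)}
    return table

def affected_jll_versions(table, component, is_vulnerable):
    """JLL versions whose bundled component satisfies the CVE predicate."""
    hits = [v for v, comps in table.items() if component in comps
            and is_vulnerable(parse_version(comps[component])[0])]
    return sorted(hits, key=parse_version)

def vulnerable_range(table, affected):
    """Render the affected set as '< first safe version', as the bot does, and
    report whether a Pkg compat bound could carry it: compat sees only
    major.minor.patch (assumption), so two builds of one release are one bound."""
    last_bad = max(affected, key=parse_version)
    later = sorted((v for v in table if parse_version(v) > parse_version(last_bad)),
                   key=parse_version)
    if not later:
        return f"<= {last_bad}", True
    first_safe = later[0]
    expressible = parse_version(first_safe)[0] != parse_version(last_bad)[0]
    return f"< {first_safe}", expressible
```

With the page's data this yields `("< 0.20.1+1", False)`: the range is correct, but the cut falls between two builds of 0.20.1, which is exactly why no compat entry can express it.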

@mbauman
Member

mbauman commented Oct 21, 2025

Seems best to have the "correct" answer in the db, and let downstream tools adjust as necessary.

@mbauman mbauman merged commit 5faa7cd into JuliaLang:main Oct 21, 2025
2 checks passed