
Enrich GHSA-xp7f-v245-w3w8 (CVE-2026-38361, dash-uploader DoS): resubmit of #7636 #8076

Open
a1ohadance wants to merge 3 commits into github:a1ohadance/advisory-improvement-8076 from a1ohadance:a1ohadance-GHSA-xp7f-v245-w3w8

Conversation

@a1ohadance


Resubmits the enrichment from #7636, which the stale bot auto-closed on 2026-06-09 before it could be merged. Reopening #7636 is disabled from my side, so this is the same change from the same branch (a1ohadance-GHSA-xp7f-v245-w3w8), reopened as a fresh PR.

Context for the reviewer

@JonathanLEvans, your only blocker on #7636 was that the CVE-2026-38361 description still read "execute arbitrary code" and did not match this DoS advisory. MITRE has now applied that correction. The live CVE description reads:

Multiple unauthenticated denial-of-service (DoS) issues in fohrloop dash-uploader v0.1.0 through v0.7.0a2 [...] out-of-memory (OOM) process crash [...] truncation of the target file to zero bytes [...] permanent disk exhaustion [...] and a complete bypass of the documented max_file_size limit.

That is consistent with the CWE-400 / CWE-670 and the availability-only CVSS (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) that were already on the record, so the CVE and this advisory now line up end to end. The separate path-traversal-to-RCE issue stays under CVE-2026-38360 (GHSA-3rf6-x59v-5jfv, already merged).

Changes (unchanged from #7636)

The advisory is currently "affected": [], so Dependabot does not alert any project depending on this archived package. This PR populates it.

  • affected: was empty []. Now lists PyPI/dash-uploader with an ECOSYSTEM range introduced: 0.1.0 / last_affected: 0.7.0a2 (all 16 published releases). The package was archived 2025-07-19; no patched version exists.
  • summary: added (was missing).
  • details: replaced the auto-imported description with Impact / Affected versions / Mitigation / References sections covering the three DoS primitives: OOM (CWE-400, unbounded range(1, flowTotalChunks + 1)), TRUNCATE (CWE-670, flowTotalChunks=0 hits the all([]) == True quirk so assembly runs on zero chunks and replaces the target with an empty file; composes with the GHSA-3rf6-x59v-5jfv path traversal in upload_id for arbitrary-file truncate), and EXHAUST (CWE-400, never-cleaned-up temp dirs per unique flowIdentifier).
  • credits: added a1ohadance as FINDER (was missing).
  • references: cross-link to companion advisory GHSA-3rf6-x59v-5jfv (CVE-2026-38360) plus the public PoC.

Verification

@github-actions github-actions Bot changed the base branch from main to a1ohadance/advisory-improvement-8076 June 20, 2026 09:21
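The three DoS primitives listed in the PR (OOM from an unbounded `range(1, flowTotalChunks + 1)`, TRUNCATE from `flowTotalChunks=0` hitting `all([]) == True`, and EXHAUST from per-`flowIdentifier` temp dirs) all come down to trusting Flow.js-style chunk metadata. The following is an added example, not dash-uploader's code and not part of this PR: it reproduces the `all([])` quirk in isolation, then shows the kind of server-side validation and in-flight cap a resumable-upload endpoint needs before it stores or assembles anything. `MAX_TOTAL_CHUNKS`, `SAFE_IDENTIFIER`, `UploadRegistry` and the sample request are assumptions constructed for the example.

```python
"""Added example (not dash-uploader's code): bounding Flow.js-style chunk metadata.

Fields modelled: flowTotalChunks, flowChunkNumber, flowTotalSize, flowChunkSize,
flowIdentifier. The caps and names below are assumptions for the example.
"""
from __future__ import annotations

import re

MAX_TOTAL_CHUNKS = 4096  # assumed server-side cap; pick what your storage can hold
# Assumed: identifiers are opaque tokens, never path fragments.
SAFE_IDENTIFIER = re.compile(r"^[A-Za-z0-9_-]{1,128}$")


def naive_is_complete(received: set[int], total_chunks: int) -> bool:
    """The completeness pattern the advisory describes.

    With total_chunks == 0 the range is empty, all([]) is True, and the caller
    proceeds to "assemble" zero chunks, which is how the target file ends up empty.
    """
    return all(i in received for i in range(1, total_chunks + 1))


def safe_is_complete(received: set[int], total_chunks: int) -> bool:
    """Hardened check: at least one chunk, and exactly the declared set of them."""
    if total_chunks < 1:
        return False
    return received == set(range(1, total_chunks + 1))


def validate_chunk_metadata(params: dict, max_file_size: int) -> dict:
    """Parse and bound client-supplied chunk fields before any disk or memory use.

    Raises ValueError on anything that could drive an unbounded range, a
    zero-chunk assembly, a size-limit bypass, or a path-shaped identifier.
    """
    try:
        total_chunks = int(params["flowTotalChunks"])
        chunk_number = int(params["flowChunkNumber"])
        total_size = int(params["flowTotalSize"])
        chunk_size = int(params["flowChunkSize"])
        identifier = str(params["flowIdentifier"])
    except (KeyError, ValueError, TypeError) as exc:
        raise ValueError(f"missing or non-integer chunk metadata: {exc}") from None

    if not 1 <= total_chunks <= MAX_TOTAL_CHUNKS:
        raise ValueError("flowTotalChunks out of range")
    if not 1 <= chunk_number <= total_chunks:
        raise ValueError("flowChunkNumber out of range")
    if chunk_size < 1 or total_size < 1:
        raise ValueError("chunk and total sizes must be positive")
    # Bound both the declared total and what the full-size chunks alone would sum
    # to, so a small flowTotalSize cannot disguise a larger actual upload. The
    # byte count of each received chunk must still be enforced on receipt.
    if total_size > max_file_size or chunk_size * (total_chunks - 1) > max_file_size:
        raise ValueError("upload exceeds max_file_size")
    if not SAFE_IDENTIFIER.match(identifier):
        raise ValueError("flowIdentifier must be a short opaque token")
    return {
        "total_chunks": total_chunks,
        "chunk_number": chunk_number,
        "total_size": total_size,
        "chunk_size": chunk_size,
        "identifier": identifier,
    }


class UploadRegistry:
    """Caps concurrent in-flight uploads so a stream of fresh flowIdentifier
    values cannot claim temp storage without bound (assumed design)."""

    def __init__(self, max_in_flight: int) -> None:
        self.max_in_flight = max_in_flight
        self._in_flight: dict[str, set[int]] = {}

    def record_chunk(self, identifier: str, chunk_number: int) -> set[int]:
        if identifier not in self._in_flight and len(self._in_flight) >= self.max_in_flight:
            raise ValueError("too many in-flight uploads")
        self._in_flight.setdefault(identifier, set()).add(chunk_number)
        return self._in_flight[identifier]

    def finish(self, identifier: str) -> set[int] | None:
        """Release the identifier's slot once assembly (or abandonment) is done."""
        return self._in_flight.pop(identifier, None)


if __name__ == "__main__":
    # Constructed sample request; not captured traffic.
    sample = {"flowTotalChunks": "3", "flowChunkNumber": "1", "flowTotalSize": "3000",
              "flowChunkSize": "1024", "flowIdentifier": "abc-123"}
    print(validate_chunk_metadata(sample, max_file_size=10_000))
    print("naive, zero chunks:", naive_is_complete(set(), 0))
    print("safe, zero chunks: ", safe_is_complete(set(), 0))
```

The registry only bounds the number of identifiers; pair it with a periodic sweep that calls `finish` on uploads whose last chunk arrived more than some timeout ago and removes their temp directory, since the advisory's EXHAUST primitive is precisely that nothing ever reclaims abandoned uploads.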