Package Search Help
You can use boolean logic (e.g. AND/OR/NOT) for complex search queries. For more help and examples, see the search documentation.
Search by package name:
my-package (implicit)
name:my-package (explicit)
Search by package filename:
my-package.ext (implicit)
filename:my-package.ext (explicit)
Search by package tag:
latest (implicit)
tag:latest (explicit)
Search by package version:
1.0.0 (implicit)
version:1.0.0 (explicit)
prerelease:true (prereleases)
prerelease:false (no prereleases)
Search by package architecture:
architecture:x86_64
Search by package distribution:
distribution:el
Search by package license:
license:MIT
Search by package format:
format:deb
Search by package status:
status:in_progress
Search by package file checksum:
checksum:5afba
Search by package security status:
severity:critical
Search by package vulnerabilities:
vulnerabilities:>1
vulnerabilities:<1000
Search by # of package downloads:
downloads:>8
downloads:<100
Search by package type:
type:binary
type:source
Search by package size (bytes):
size:>50000
size:<10000
Search by dependency name/version:
dependency:log4j
dependency:log4j=1.0.0
dependency:log4j>1.0.0
Search by uploaded date:
uploaded:>"1 day ago"
uploaded:<"August 14, 2022 EST"
Search by entitlement token (identifier):
entitlement:3lKPVJPosCsY
Search by policy violation:
policy_violated:true
deny_policy_violated:true
license_policy_violated:true
vulnerability_policy_violated:true
Search by repository:
repository:repo-name
Search queries for all Debian-specific (and related) package types
Search by component:
deb_component:unstable
Search queries for all Maven-specific (and related) package types
Search by group ID:
maven_group_id:org.apache
Search queries for all Docker-specific (and related) package types
Search by image digest:
docker_image_digest:sha256:7c5..6d4
(full hashref only)
Search by layer digest:
docker_layer_digest:sha256:4c4..ae4
(full hashref only)
Field type modifiers (depending on the type, you can influence behaviour)
For all queries, you can use:
~foo for negation
For string queries, you can use:
^foo to anchor to start of term
foo$ to anchor to end of term
foo*bar for fuzzy matching
For number/date or version queries, you can use:
>foo for values greater than
>=foo for values greater / equal
<foo for values less than
<=foo for values less / equal
Need a secure and centralised artifact repository to deliver Alpine,
Cargo,
CocoaPods,
Composer,
Conan,
Conda,
CRAN,
Dart,
Debian,
Docker,
Go,
Helm,
Hex,
LuaRocks,
Maven,
npm,
NuGet,
P2,
Python,
RedHat,
Ruby,
Swift,
Terraform,
Vagrant,
Raw & More packages?
Cloudsmith is the new standard in Package / Artifact Management and Software Distribution.
With support for all major package formats, you can trust us to manage your software supply chain.
cloudsmith
(Cloudsmith)
/
actions-images
Docker Images used to power Cloudsmith's Github Action
python
3.8-slim-amd64
One-liner (summary)
A certifiably-awesome package curated by Patrick Carey, hosted by Cloudsmith.
Description
A certifiably-awesome package curated by Patrick Carey, hosted by Cloudsmith.
| Status | Completed |
|---|---|
| GPG Signature | |
| Storage Region | Dublin, Ireland |
| Type | Binary (contains binaries and binary artifacts) |
| Uploaded At | 1 year, 4 months ago |
| Uploaded By |
|
| Slug Id | python-T0a |
| Unique Id | msfX5AAOgXH3 |
| Version (Raw) | 3.8-slim-amd64 |
| Version (Parsed) |
|
| Orig Version (Raw) | b4e492dd480a64c1436e448735acc6435a574664eabb88e744b428ac3baa646d |
| Orig Version (Parsed) |
|
| docker-specific metadata | |
| Image Digest | sha256:b4e492dd480a64c1436e448735acc6435a574664eabb88e744b428ac3baa646d |
| Config Digest | sha256:3b03c341683c1bd6ce7309a11a506d2021212419cfdb292ba3e53119e7ca4fde |
| V1 OCI Index Digest | sha256:6e84a6b1eadfc0db8f9db5caa72a32b53b8969b36a9757f66c076862620ec693 |
| V1 Distribution (Signed) Digest | sha256:ae5edafd084544099d0a63b6c6e1dcbacce23faecd3a32ecfaf22113efecfb06 |
| V1 OCI Digest | sha256:e85143b4b08a863e0733ce1a82d6468c39e535943bdad05c4c43c2401f3d1771 |
| V2 Distribution List Digest | sha256:d571aacf8cd108be592fdeee03edfeb8d3a499cfcf1e0e4f1f9f5011a4f19a2b |
| V1 Distribution Digest | sha256:7df9c8088d5e80e110dba07cc98bf38aec62b544b755b0465d77ff921e960e98 |
| V2 Distribution Digest | sha256:b4e492dd480a64c1436e448735acc6435a574664eabb88e744b428ac3baa646d |
| extended metadata | |
| Manifest Type | V2 Distribution |
| Architecture | amd64 |
| Config | |
| Container | d9973be385002f59be475990dd39bb674e810887a539358fc95d7ac2e74a4d6e |
| Container Config | |
| Created | 2022-12-06 15:30:35 UTC |
| Docker Version | 20.10.12 |
| Os | linux |
This package was uploaded with the following V2 Distribution manifest:
{
"schemaVersion": 2,
"mediaType": "application/vnd.docker.distribution.manifest.v2+json",
"config": {
"mediaType": "application/vnd.docker.container.image.v1+json",
"size": 7533,
"digest": "sha256:70eea1c77e607936d5f24ae36499e053359366360954f97c8726e2be79a59aa5"
},
"layers": [
{
"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
"size": 31412852,
"digest": "sha256:025c56f98b679f70b7a54241917e56da7b59ab9d2defecc6ebdb0bf2750484bb"
},
{
"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
"size": 1077978,
"digest": "sha256:778656c04542093db6d3b6e07bffbcf6ec4b24709276be7cdf177fcb3666663a"
},
{
"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
"size": 11336193,
"digest": "sha256:2f533501106783d24b8849738de457b6cf05fa9099af32bced03062e07eda3d8"
},
{
"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
"size": 233,
"digest": "sha256:6b453dd3c3d536990e0f5f7ce48c4543371f54c1c52fbcc715310cc3221e47cb"
},
{
"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
"size": 3178956,
"digest": "sha256:7ac12e878811912f8568b2815b0f875f570a01aacb21f172bf8f4023a83b8d0c"
}
]
}|
Digest:
sha256:025c56f98b679f70b7a54241917e56da7b59ab9d2defecc6ebdb0bf2750484bb
Command: /bin/sh -c #(nop) ADD file:1f1efd56601ebc26a041a7b994a380ef68112b91a078e225753bee7b3196d22c in / |
30.0 MB | ||
|
Digest:
sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4
Command: /bin/sh -c #(nop) CMD ["bash"] |
32 bytes | ||
|
Digest:
sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4
Command: /bin/sh -c #(nop) ENV PATH=/usr/local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin |
32 bytes | ||
|
Digest:
sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4
Command: /bin/sh -c #(nop) ENV LANG=C.UTF-8 |
32 bytes | ||
|
Digest:
sha256:778656c04542093db6d3b6e07bffbcf6ec4b24709276be7cdf177fcb3666663a
Command: /bin/sh -c set -eux; apt-get update; apt-get install -y --no-install-recommends ca-certificates netbase tzdata ; rm -rf /var/lib/apt/lists/* |
1.0 MB | ||
|
Digest:
sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4
Command: /bin/sh -c #(nop) ENV GPG_KEY=E3FF2839C048B25C084DEBE9B26995E310250568 |
32 bytes | ||
|
Digest:
sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4
Command: /bin/sh -c #(nop) ENV PYTHON_VERSION=3.8.15 |
32 bytes | ||
|
Digest:
sha256:2f533501106783d24b8849738de457b6cf05fa9099af32bced03062e07eda3d8
Command: /bin/sh -c set -eux; savedAptMark="$(apt-mark showmanual)"; apt-get update; apt-get install -y --no-install-recommends dpkg-dev gcc gnupg dirmngr libbluetooth-dev libbz2-dev libc6-dev libexpat1-dev libffi-dev libgdbm-dev liblzma-dev libncursesw5-dev libreadline-dev libsqlite3-dev libssl-dev make tk-dev uuid-dev wget xz-utils zlib1g-dev ; wget -O python.tar.xz "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz"; wget -O python.tar.xz.asc "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.asc"; GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$GPG_KEY"; gpg --batch --verify python.tar.xz.asc python.tar.xz; command -v gpgconf > /dev/null && gpgconf --kill all || :; rm -rf "$GNUPGHOME" python.tar.xz.asc; mkdir -p /usr/src/python; tar --extract --directory /usr/src/python --strip-components=1 --file python.tar.xz; rm python.tar.xz; cd /usr/src/python; gnuArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)"; ./configure --build="$gnuArch" --enable-loadable-sqlite-extensions --enable-optimizations --enable-option-checking=fatal --enable-shared --with-system-expat --without-ensurepip ; nproc="$(nproc)"; make -j "$nproc" LDFLAGS="-Wl,--strip-all" ; make install; cd /; rm -rf /usr/src/python; find /usr/local -depth \( \( -type d -a \( -name test -o -name tests -o -name idle_test \) \) -o \( -type f -a \( -name '*.pyc' -o -name '*.pyo' -o -name 'libpython*.a' \) \) -o \( -type f -a -name 'wininst-*.exe' \) \) -exec rm -rf '{}' + ; ldconfig; apt-mark auto '.*' > /dev/null; apt-mark manual $savedAptMark; find /usr/local -type f -executable -not \( -name '*tkinter*' \) -exec ldd '{}' ';' | awk '/=>/ { print $(NF-1) }' | sort -u | xargs -r dpkg-query --search | cut -d: -f1 | sort -u | xargs -r apt-mark manual ; apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; rm -rf /var/lib/apt/lists/*; python3 --version |
10.8 MB | ||
|
Digest:
sha256:6b453dd3c3d536990e0f5f7ce48c4543371f54c1c52fbcc715310cc3221e47cb
Command: /bin/sh -c set -eux; for src in idle3 pydoc3 python3 python3-config; do dst="$(echo "$src" | tr -d 3)"; [ -s "/usr/local/bin/$src" ]; [ ! -e "/usr/local/bin/$dst" ]; ln -svT "$src" "/usr/local/bin/$dst"; done |
233 bytes | ||
|
Digest:
sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4
Command: /bin/sh -c #(nop) ENV PYTHON_PIP_VERSION=22.0.4 |
32 bytes | ||
|
Digest:
sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4
Command: /bin/sh -c #(nop) ENV PYTHON_SETUPTOOLS_VERSION=57.5.0 |
32 bytes | ||
|
Digest:
sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4
Command: /bin/sh -c #(nop) ENV PYTHON_GET_PIP_URL=https://github.com/pypa/get-pip/raw/66030fa03382b4914d4c4d0896961a0bdeeeb274/public/get-pip.py |
32 bytes | ||
|
Digest:
sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4
Command: /bin/sh -c #(nop) ENV PYTHON_GET_PIP_SHA256=1e501cf004eac1b7eb1f97266d28f995ae835d30250bec7f8850562703067dc6 |
32 bytes | ||
|
Digest:
sha256:7ac12e878811912f8568b2815b0f875f570a01aacb21f172bf8f4023a83b8d0c
Command: /bin/sh -c set -eux; savedAptMark="$(apt-mark showmanual)"; apt-get update; apt-get install -y --no-install-recommends wget; wget -O get-pip.py "$PYTHON_GET_PIP_URL"; echo "$PYTHON_GET_PIP_SHA256 *get-pip.py" | sha256sum -c -; apt-mark auto '.*' > /dev/null; [ -z "$savedAptMark" ] || apt-mark manual $savedAptMark > /dev/null; apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; rm -rf /var/lib/apt/lists/*; export PYTHONDONTWRITEBYTECODE=1; python get-pip.py --disable-pip-version-check --no-cache-dir --no-compile "pip==$PYTHON_PIP_VERSION" "setuptools==$PYTHON_SETUPTOOLS_VERSION" ; rm -f get-pip.py; pip --version |
3.0 MB | ||
|
Digest:
sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4
Command: /bin/sh -c #(nop) CMD ["python3"] |
32 bytes |
Last scanned
1 year, 4 months ago
Scan result
Vulnerable
Vulnerability count
86
Max. severity
Critical| Target: | . (debian 11.5) | |
| CRITICAL |
CVE-2019-8457: sqlite: heap out-of-bound read in function rtreenode()SQLite3 from 3.6.0 to and including 3.27.2 is vulnerable to heap out-of-bound read in the rtreenode() function when handling invalid rtree tables.Package Name: libdb5.3 Installed Version: 5.3.28+dfsg1-0.8 Fixed Version: References: lists.opensuse.org access.redhat.com cve.mitre.org kc.mcafee.com linux.oracle.com linux.oracle.com lists.fedoraproject.org lists.fedoraproject.org security.netapp.com ubuntu.com ubuntu.com ubuntu.com ubuntu.com usn.ubuntu.com usn.ubuntu.com usn.ubuntu.com usn.ubuntu.com www.oracle.com www.oracle.com www.oracle.com www.oracle.com www.sqlite.org www.sqlite.org |
|
| CRITICAL |
CVE-2021-46848: libtasn1: Out-of-bound access in ETYPE_OKGNU Libtasn1 before 4.19.0 has an ETYPE_OK off-by-one array size check that affects asn1_encode_simple_der.Package Name: libtasn1-6 Installed Version: 4.16.0-2 Fixed Version: References: access.redhat.com bugs.gentoo.org cve.mitre.org gitlab.com gitlab.com lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org nvd.nist.gov security.netapp.com ubuntu.com |
|
| HIGH |
CVE-2022-1304: e2fsprogs: out-of-bounds read/write via crafted filesystemAn out-of-bounds read/write vulnerability was found in e2fsprogs 1.46.5. This issue leads to a segmentation fault and possibly arbitrary code execution via a specially crafted filesystem.Package Name: e2fsprogs Installed Version: 1.46.2-2 Fixed Version: References: access.redhat.com access.redhat.com access.redhat.com bugzilla.redhat.com bugzilla.redhat.com cve.mitre.org errata.almalinux.org linux.oracle.com linux.oracle.com marc.info nvd.nist.gov ubuntu.com |
|
| HIGH |
CVE-2022-1304: e2fsprogs: out-of-bounds read/write via crafted filesystemAn out-of-bounds read/write vulnerability was found in e2fsprogs 1.46.5. This issue leads to a segmentation fault and possibly arbitrary code execution via a specially crafted filesystem.Package Name: libcom-err2 Installed Version: 1.46.2-2 Fixed Version: References: access.redhat.com access.redhat.com access.redhat.com bugzilla.redhat.com bugzilla.redhat.com cve.mitre.org errata.almalinux.org linux.oracle.com linux.oracle.com marc.info nvd.nist.gov ubuntu.com |
|
| HIGH |
CVE-2022-1304: e2fsprogs: out-of-bounds read/write via crafted filesystemAn out-of-bounds read/write vulnerability was found in e2fsprogs 1.46.5. This issue leads to a segmentation fault and possibly arbitrary code execution via a specially crafted filesystem.Package Name: libext2fs2 Installed Version: 1.46.2-2 Fixed Version: References: access.redhat.com access.redhat.com access.redhat.com bugzilla.redhat.com bugzilla.redhat.com cve.mitre.org errata.almalinux.org linux.oracle.com linux.oracle.com marc.info nvd.nist.gov ubuntu.com |
|
| HIGH |
CVE-2021-33560: libgcrypt: mishandles ElGamal encryption because it lacks exponent blinding to address a side-channel attack against mpi_powmLibgcrypt before 1.8.8 and 1.9.x before 1.9.3 mishandles ElGamal encryption because it lacks exponent blinding to address a side-channel attack against mpi_powm, and the window size is not chosen appropriately. This, for example, affects use of ElGamal in OpenPGP.Package Name: libgcrypt20 Installed Version: 1.8.7-6 Fixed Version: References: access.redhat.com access.redhat.com cve.mitre.org dev.gnupg.org dev.gnupg.org dev.gnupg.org dev.gnupg.org eprint.iacr.org errata.almalinux.org linux.oracle.com linux.oracle.com lists.debian.org lists.fedoraproject.org lists.fedoraproject.org nvd.nist.gov security.gentoo.org ubuntu.com ubuntu.com www.oracle.com www.oracle.com www.oracle.com www.oracle.com |
|
| HIGH |
CVE-2022-29458: ncurses: segfaulting OOB readncurses 6.3 before patch 20220416 has an out-of-bounds read and segmentation violation in convert_strings in tinfo/read_entry.c in the terminfo library.Package Name: libncursesw6 Installed Version: 6.2+20201114-2 Fixed Version: References: seclists.org access.redhat.com cve.mitre.org invisible-island.net lists.debian.org lists.gnu.org lists.gnu.org nvd.nist.gov support.apple.com ubuntu.com |
|
| HIGH |
CVE-2022-1304: e2fsprogs: out-of-bounds read/write via crafted filesystemAn out-of-bounds read/write vulnerability was found in e2fsprogs 1.46.5. This issue leads to a segmentation fault and possibly arbitrary code execution via a specially crafted filesystem.Package Name: libss2 Installed Version: 1.46.2-2 Fixed Version: References: access.redhat.com access.redhat.com access.redhat.com bugzilla.redhat.com bugzilla.redhat.com cve.mitre.org errata.almalinux.org linux.oracle.com linux.oracle.com marc.info nvd.nist.gov ubuntu.com |
|
| HIGH |
CVE-2022-29458: ncurses: segfaulting OOB readncurses 6.3 before patch 20220416 has an out-of-bounds read and segmentation violation in convert_strings in tinfo/read_entry.c in the terminfo library.Package Name: libtinfo6 Installed Version: 6.2+20201114-2 Fixed Version: References: seclists.org access.redhat.com cve.mitre.org invisible-island.net lists.debian.org lists.gnu.org lists.gnu.org nvd.nist.gov support.apple.com ubuntu.com |
|
| HIGH |
CVE-2022-1304: e2fsprogs: out-of-bounds read/write via crafted filesystemAn out-of-bounds read/write vulnerability was found in e2fsprogs 1.46.5. This issue leads to a segmentation fault and possibly arbitrary code execution via a specially crafted filesystem.Package Name: logsave Installed Version: 1.46.2-2 Fixed Version: References: access.redhat.com access.redhat.com access.redhat.com bugzilla.redhat.com bugzilla.redhat.com cve.mitre.org errata.almalinux.org linux.oracle.com linux.oracle.com marc.info nvd.nist.gov ubuntu.com |
|
| HIGH |
CVE-2022-29458: ncurses: segfaulting OOB readncurses 6.3 before patch 20220416 has an out-of-bounds read and segmentation violation in convert_strings in tinfo/read_entry.c in the terminfo library.Package Name: ncurses-base Installed Version: 6.2+20201114-2 Fixed Version: References: seclists.org access.redhat.com cve.mitre.org invisible-island.net lists.debian.org lists.gnu.org lists.gnu.org nvd.nist.gov support.apple.com ubuntu.com |
|
| HIGH |
CVE-2022-29458: ncurses: segfaulting OOB readncurses 6.3 before patch 20220416 has an out-of-bounds read and segmentation violation in convert_strings in tinfo/read_entry.c in the terminfo library.Package Name: ncurses-bin Installed Version: 6.2+20201114-2 Fixed Version: References: seclists.org access.redhat.com cve.mitre.org invisible-island.net lists.debian.org lists.gnu.org lists.gnu.org nvd.nist.gov support.apple.com ubuntu.com |
|
| HIGH |
CVE-2020-16156: perl-CPAN: Bypass of verification of signatures in CHECKSUMS filesCPAN 2.28 allows Signature Verification Bypass.Package Name: perl-base Installed Version: 5.32.1-4+deb11u2 Fixed Version: References: blogs.perl.org access.redhat.com blog.hackeriet.no cve.mitre.org lists.fedoraproject.org lists.fedoraproject.org metacpan.org ubuntu.com ubuntu.com |
|
| MEDIUM |
CVE-2022-3715: bash: a heap-buffer-overflow in valid_parameter_transformA flaw was found in the bash package, where a heap-buffer overflow can occur in valid_parameter_transform. This issue may lead to memory problems.Package Name: bash Installed Version: 5.1-2+deb11u1 Fixed Version: References: access.redhat.com cve.mitre.org lists.gnu.org |
|
| MEDIUM |
CVE-2021-45346: sqlite: crafted SQL query allows a malicious user to obtain sensitive information** DISPUTED ** A Memory Leak vulnerability exists in SQLite Project SQLite3 3.35.1 and 3.37.0 via maliciously crafted SQL Queries (made via editing the Database File), it is possible to query a record, and leak subsequent bytes of memory that extend beyond the record, which could let a malicious user obtain sensitive information. NOTE: The developer disputes this as a vulnerability stating that If you give SQLite a corrupted database file and submit a query against the database, it might read parts of the database that you did not intend or expect.Package Name: libsqlite3-0 Installed Version: 3.34.1-3 Fixed Version: References: access.redhat.com github.com security.netapp.com sqlite.org sqlite.org www.sqlite.org |
|
| MEDIUM |
CVE-2022-2097: openssl: AES OCB fails to encrypt some bytesAES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised implementation will not encrypt the entirety of the data under some circumstances. This could reveal sixteen bytes of data that was preexisting in the memory that wasn't written. In the special case of "in place" encryption, sixteen bytes of the plaintext would be revealed. Since OpenSSL does not support OCB based cipher suites for TLS and DTLS, they are both unaffected. Fixed in OpenSSL 3.0.5 (Affected 3.0.0-3.0.4). Fixed in OpenSSL 1.1.1q (Affected 1.1.1-1.1.1p).Package Name: libssl1.1 Installed Version: 1.1.1n-0+deb11u3 Fixed Version: References: access.redhat.com access.redhat.com access.redhat.com access.redhat.com access.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com cve.mitre.org errata.almalinux.org git.openssl.org git.openssl.org github.com linux.oracle.com linux.oracle.com lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org nvd.nist.gov rustsec.org security.gentoo.org security.netapp.com ubuntu.com www.openssl.org |
|
| MEDIUM |
CVE-2022-3821: systemd: buffer overrun in format_timespan() functionAn off-by-one Error issue was discovered in Systemd in format_timespan() function of time-util.c. An attacker could supply specific values for time and accuracy that leads to buffer overrun in format_timespan(), leading to a Denial of Service.Package Name: libsystemd0 Installed Version: 247.3-7+deb11u1 Fixed Version: References: access.redhat.com bugzilla.redhat.com cve.mitre.org github.com github.com github.com lists.fedoraproject.org nvd.nist.gov |
|
| MEDIUM |
CVE-2022-3821: systemd: buffer overrun in format_timespan() functionAn off-by-one Error issue was discovered in Systemd in format_timespan() function of time-util.c. An attacker could supply specific values for time and accuracy that leads to buffer overrun in format_timespan(), leading to a Denial of Service.Package Name: libudev1 Installed Version: 247.3-7+deb11u1 Fixed Version: References: access.redhat.com bugzilla.redhat.com cve.mitre.org github.com github.com github.com lists.fedoraproject.org nvd.nist.gov |
|
| MEDIUM |
CVE-2022-2097: openssl: AES OCB fails to encrypt some bytesAES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised implementation will not encrypt the entirety of the data under some circumstances. This could reveal sixteen bytes of data that was preexisting in the memory that wasn't written. In the special case of "in place" encryption, sixteen bytes of the plaintext would be revealed. Since OpenSSL does not support OCB based cipher suites for TLS and DTLS, they are both unaffected. Fixed in OpenSSL 3.0.5 (Affected 3.0.0-3.0.4). Fixed in OpenSSL 1.1.1q (Affected 1.1.1-1.1.1p).Package Name: openssl Installed Version: 1.1.1n-0+deb11u3 Fixed Version: References: access.redhat.com access.redhat.com access.redhat.com access.redhat.com access.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com cve.mitre.org errata.almalinux.org git.openssl.org git.openssl.org github.com linux.oracle.com linux.oracle.com lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org nvd.nist.gov rustsec.org security.gentoo.org security.netapp.com ubuntu.com www.openssl.org |
|
| LOW |
CVE-2011-3374: It was found that apt-key in apt, all versions, do not correctly valid ...It was found that apt-key in apt, all versions, do not correctly validate gpg keys with the master keyring, leading to a potential man-in-the-middle attack.Package Name: apt Installed Version: 2.2.4 Fixed Version: References: access.redhat.com bugs.debian.org people.canonical.com seclists.org security-tracker.debian.org snyk.io ubuntu.com |
|
| LOW |
CVE-2022-0563: util-linux: partial disclosure of arbitrary files in chfn and chsh when compiled with libreadlineA flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an "INPUTRC" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4.Package Name: bsdutils Installed Version: 2.36.1-8+deb11u1 Fixed Version: References: access.redhat.com lore.kernel.org nvd.nist.gov security.netapp.com |
|
| LOW |
CVE-2016-2781: coreutils: Non-privileged session can escape to the parent session in chrootchroot in GNU coreutils, when used with --userspec, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.Package Name: coreutils Installed Version: 8.32-4 Fixed Version: References: seclists.org www.openwall.com www.openwall.com access.redhat.com cve.mitre.org lists.apache.org lore.kernel.org nvd.nist.gov |
|
| LOW |
CVE-2017-18018: coreutils: race condition vulnerability in chown and chgrpIn GNU Coreutils through 8.29, chown-core.c in chown and chgrp does not prevent replacement of a plain file with a symlink during use of the POSIX "-R -L" options, which allows local users to modify the ownership of arbitrary files by leveraging a race condition.Package Name: coreutils Installed Version: 8.32-4 Fixed Version: References: lists.gnu.org access.redhat.com |
|
| LOW |
CVE-2011-3374: It was found that apt-key in apt, all versions, do not correctly valid ...It was found that apt-key in apt, all versions, do not correctly validate gpg keys with the master keyring, leading to a potential man-in-the-middle attack.Package Name: libapt-pkg6.0 Installed Version: 2.2.4 Fixed Version: References: access.redhat.com bugs.debian.org people.canonical.com seclists.org security-tracker.debian.org snyk.io ubuntu.com |
|
| LOW |
CVE-2022-0563: util-linux: partial disclosure of arbitrary files in chfn and chsh when compiled with libreadlineA flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an "INPUTRC" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4.Package Name: libblkid1 Installed Version: 2.36.1-8+deb11u1 Fixed Version: References: access.redhat.com lore.kernel.org nvd.nist.gov security.netapp.com |
|
| LOW |
CVE-2010-4756: glibc: glob implementation can cause excessive CPU and memory consumption due to crafted glob expressionsThe glob implementation in the GNU C Library (aka glibc or libc6) allows remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in STAT commands to an FTP daemon, a different vulnerability than CVE-2010-2632.Package Name: libc-bin Installed Version: 2.31-13+deb11u5 Fixed Version: References: cxib.net securityreason.com securityreason.com access.redhat.com bugzilla.redhat.com bugzilla.redhat.com nvd.nist.gov |
|
| LOW |
CVE-2018-20796: glibc: uncontrolled recursion in function check_dst_limits_calc_pos_1 in posix/regexec.cIn the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(\227|)(\\1\\1|t1|\\\2537)+' in grep.Package Name: libc-bin Installed Version: 2.31-13+deb11u5 Fixed Version: References: www.securityfocus.com access.redhat.com debbugs.gnu.org lists.gnu.org nvd.nist.gov security.netapp.com support.f5.com |
|
| LOW |
CVE-2019-1010022: glibc: stack guard protection bypass** DISPUTED ** GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass stack guard protection. The component is: nptl. The attack vector is: Exploit stack buffer overflow vulnerability and use this bypass vulnerability to bypass stack guard. NOTE: Upstream comments indicate "this is being treated as a non-security bug and no real threat."Package Name: libc-bin Installed Version: 2.31-13+deb11u5 Fixed Version: References: access.redhat.com security-tracker.debian.org sourceware.org sourceware.org ubuntu.com |
|
| LOW |
CVE-2019-1010023: glibc: running ldd on malicious ELF leads to code execution because of wrong size computation** DISPUTED ** GNU Libc current is affected by: Re-mapping current loaded library with malicious ELF file. The impact is: In worst case attacker may evaluate privileges. The component is: libld. The attack vector is: Attacker sends 2 ELF files to victim and asks to run ldd on it. ldd execute code. NOTE: Upstream comments indicate "this is being treated as a non-security bug and no real threat."Package Name: libc-bin Installed Version: 2.31-13+deb11u5 Fixed Version: References: www.securityfocus.com access.redhat.com security-tracker.debian.org sourceware.org support.f5.com ubuntu.com |
|
| LOW |
CVE-2019-1010024: glibc: ASLR bypass using cache of thread stack and heap** DISPUTED ** GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass ASLR using cache of thread stack and heap. The component is: glibc. NOTE: Upstream comments indicate "this is being treated as a non-security bug and no real threat."Package Name: libc-bin Installed Version: 2.31-13+deb11u5 Fixed Version: References: www.securityfocus.com access.redhat.com security-tracker.debian.org sourceware.org support.f5.com support.f5.com ubuntu.com |
|
| LOW |
CVE-2019-1010025: glibc: information disclosure of heap addresses of pthread_created thread** DISPUTED ** GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may guess the heap addresses of pthread_created thread. The component is: glibc. NOTE: the vendor's position is "ASLR bypass itself is not a vulnerability."Package Name: libc-bin Installed Version: 2.31-13+deb11u5 Fixed Version: References: access.redhat.com security-tracker.debian.org sourceware.org support.f5.com support.f5.com ubuntu.com |
|
| LOW |
CVE-2019-9192: glibc: uncontrolled recursion in function check_dst_limits_calc_pos_1 in posix/regexec.c** DISPUTED ** In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(|)(\\1\\1)*' in grep, a different issue than CVE-2018-20796. NOTE: the software maintainer disputes that this is a vulnerability because the behavior occurs only with a crafted pattern.Package Name: libc-bin Installed Version: 2.31-13+deb11u5 Fixed Version: References: access.redhat.com nvd.nist.gov sourceware.org support.f5.com |
|
| LOW |
CVE-2010-4756: glibc: glob implementation can cause excessive CPU and memory consumption due to crafted glob expressionsThe glob implementation in the GNU C Library (aka glibc or libc6) allows remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in STAT commands to an FTP daemon, a different vulnerability than CVE-2010-2632.Package Name: libc6 Installed Version: 2.31-13+deb11u5 Fixed Version: References: cxib.net securityreason.com securityreason.com access.redhat.com bugzilla.redhat.com bugzilla.redhat.com nvd.nist.gov |
|
| LOW |
CVE-2018-20796: glibc: uncontrolled recursion in function check_dst_limits_calc_pos_1 in posix/regexec.cIn the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(\227|)(\\1\\1|t1|\\\2537)+' in grep.Package Name: libc6 Installed Version: 2.31-13+deb11u5 Fixed Version: References: www.securityfocus.com access.redhat.com debbugs.gnu.org lists.gnu.org nvd.nist.gov security.netapp.com support.f5.com |
|
| LOW |
CVE-2019-1010022: glibc: stack guard protection bypass** DISPUTED ** GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass stack guard protection. The component is: nptl. The attack vector is: Exploit stack buffer overflow vulnerability and use this bypass vulnerability to bypass stack guard. NOTE: Upstream comments indicate "this is being treated as a non-security bug and no real threat."Package Name: libc6 Installed Version: 2.31-13+deb11u5 Fixed Version: References: access.redhat.com security-tracker.debian.org sourceware.org sourceware.org ubuntu.com |
|
| LOW |
CVE-2019-1010023: glibc: running ldd on malicious ELF leads to code execution because of wrong size computation** DISPUTED ** GNU Libc current is affected by: Re-mapping current loaded library with malicious ELF file. The impact is: In worst case attacker may evaluate privileges. The component is: libld. The attack vector is: Attacker sends 2 ELF files to victim and asks to run ldd on it. ldd execute code. NOTE: Upstream comments indicate "this is being treated as a non-security bug and no real threat."Package Name: libc6 Installed Version: 2.31-13+deb11u5 Fixed Version: References: www.securityfocus.com access.redhat.com security-tracker.debian.org sourceware.org support.f5.com ubuntu.com |
|
| LOW |
CVE-2019-1010024: glibc: ASLR bypass using cache of thread stack and heap** DISPUTED ** GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass ASLR using cache of thread stack and heap. The component is: glibc. NOTE: Upstream comments indicate "this is being treated as a non-security bug and no real threat."Package Name: libc6 Installed Version: 2.31-13+deb11u5 Fixed Version: References: www.securityfocus.com access.redhat.com security-tracker.debian.org sourceware.org support.f5.com support.f5.com ubuntu.com |
|
| LOW |
CVE-2019-1010025: glibc: information disclosure of heap addresses of pthread_created thread** DISPUTED ** GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may guess the heap addresses of pthread_created thread. The component is: glibc. NOTE: the vendor's position is "ASLR bypass itself is not a vulnerability."Package Name: libc6 Installed Version: 2.31-13+deb11u5 Fixed Version: References: access.redhat.com security-tracker.debian.org sourceware.org support.f5.com support.f5.com ubuntu.com |
|
| LOW |
CVE-2019-9192: glibc: uncontrolled recursion in function check_dst_limits_calc_pos_1 in posix/regexec.c** DISPUTED ** In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(|)(\\1\\1)*' in grep, a different issue than CVE-2018-20796. NOTE: the software maintainer disputes that this is a vulnerability because the behavior occurs only with a crafted pattern.Package Name: libc6 Installed Version: 2.31-13+deb11u5 Fixed Version: References: access.redhat.com nvd.nist.gov sourceware.org support.f5.com |
|
| LOW |
CVE-2013-0340: expat: internal entity expansionexpat 2.1.0 and earlier does not properly handle entities expansion unless an application developer uses the XML_SetEntityDeclHandler function, which allows remote attackers to cause a denial of service (resource consumption), send HTTP requests to intranet servers, or read arbitrary files via a crafted XML document, aka an XML External Entity (XXE) issue. NOTE: it could be argued that because expat already provides the ability to disable external entity expansion, the responsibility for resolving this issue lies with application developers; according to this argument, this entry should be REJECTed, and each affected application would need its own CVE.Package Name: libexpat1 Installed Version: 2.2.10-2+deb11u5 Fixed Version: References: openwall.com seclists.org seclists.org seclists.org seclists.org seclists.org seclists.org seclists.org seclists.org seclists.org securitytracker.com www.openwall.com www.openwall.com www.osvdb.org www.securityfocus.com access.redhat.com lists.apache.org lists.apache.org nvd.nist.gov security.gentoo.org support.apple.com support.apple.com support.apple.com support.apple.com support.apple.com support.apple.com |
|
| LOW |
CVE-2018-6829: libgcrypt: ElGamal implementation doesn't have semantic security due to incorrectly encoded plaintexts possibly allowing to obtain sensitive informationcipher/elgamal.c in Libgcrypt through 1.8.2, when used to encrypt messages directly, improperly encodes plaintexts, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic security in face of a ciphertext-only attack). The Decisional Diffie-Hellman (DDH) assumption does not hold for Libgcrypt's ElGamal implementation.Package Name: libgcrypt20 Installed Version: 1.8.7-6 Fixed Version: References: access.redhat.com github.com github.com lists.gnupg.org www.oracle.com |
|
| LOW |
CVE-2011-3389: HTTPS: block-wise chosen-plaintext attack against SSL/TLS (BEAST)The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle attackers to obtain plaintext HTTP headers via a blockwise chosen-boundary attack (BCBA) on an HTTPS session, in conjunction with JavaScript code that uses (1) the HTML5 WebSocket API, (2) the Java URLConnection API, or (3) the Silverlight WebClient API, aka a "BEAST" attack.Package Name: libgnutls30 Installed Version: 3.7.1-5+deb11u2 Fixed Version: References: arcticdog.wordpress.com blog.mozilla.com blogs.technet.com blogs.technet.com curl.haxx.se downloads.asterisk.org ekoparty.org eprint.iacr.org eprint.iacr.org googlechromereleases.blogspot.com isc.sans.edu lists.apple.com lists.apple.com lists.apple.com lists.apple.com lists.apple.com lists.apple.com lists.apple.com lists.opensuse.org lists.opensuse.org lists.opensuse.org lists.opensuse.org marc.info marc.info marc.info marc.info marc.info marc.info my.opera.com osvdb.org rhn.redhat.com rhn.redhat.com secunia.com secunia.com secunia.com secunia.com secunia.com secunia.com secunia.com secunia.com secunia.com secunia.com security.gentoo.org security.gentoo.org support.apple.com support.apple.com support.apple.com support.apple.com support.apple.com support.apple.com technet.microsoft.com vnhacker.blogspot.com www.apcmedia.com www.debian.org www.educatedguesswork.org www.ibm.com www.imperialviolet.org www.insecure.cl www.kb.cert.org www.mandriva.com www.opera.com www.opera.com www.opera.com www.opera.com www.opera.com www.opera.com www.opera.com www.oracle.com www.oracle.com www.oracle.com www.redhat.com www.redhat.com www.securityfocus.com www.securityfocus.com www.securitytracker.com www.securitytracker.com www.securitytracker.com www.securitytracker.com www.ubuntu.com www.us-cert.gov access.redhat.com blogs.oracle.com bugzilla.novell.com bugzilla.redhat.com cert-portal.siemens.com cve.mitre.org docs.microsoft.com h20564.www2.hp.com hermes.opensuse.org hermes.opensuse.org ics-cert.us-cert.gov linux.oracle.com linux.oracle.com oval.cisecurity.org ubuntu.com |
|
| LOW |
CVE-2004-0971: security flawThe krb5-send-pr script in the kerberos5 (krb5) package in Trustix Secure Linux 1.5 through 2.1, and possibly other operating systems, allows local users to overwrite files via a symlink attack on temporary files.Package Name: libgssapi-krb5-2 Installed Version: 1.18.3-6+deb11u3 Fixed Version: References: bugzilla.redhat.com www.gentoo.org www.redhat.com www.securityfocus.com www.trustix.org access.redhat.com exchange.xforce.ibmcloud.com lists.apache.org oval.cisecurity.org |
|
| LOW |
CVE-2018-5709: krb5: integer overflow in dbentry->n_key_data in kadmin/dbutil/dump.cAn issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. There is a variable "dbentry->n_key_data" in kadmin/dbutil/dump.c that can store 16-bit data but unknowingly the developer has assigned a "u4" variable to it, which is for 32-bit data. An attacker can use this vulnerability to affect other artifacts of the database as we know that a Kerberos database dump file contains trusted data.Package Name: libgssapi-krb5-2 Installed Version: 1.18.3-6+deb11u3 Fixed Version: References: access.redhat.com github.com lists.apache.org |
|
| LOW |
CVE-2004-0971: security flawThe krb5-send-pr script in the kerberos5 (krb5) package in Trustix Secure Linux 1.5 through 2.1, and possibly other operating systems, allows local users to overwrite files via a symlink attack on temporary files.Package Name: libk5crypto3 Installed Version: 1.18.3-6+deb11u3 Fixed Version: References: bugzilla.redhat.com www.gentoo.org www.redhat.com www.securityfocus.com www.trustix.org access.redhat.com exchange.xforce.ibmcloud.com lists.apache.org oval.cisecurity.org |
|
| LOW |
CVE-2018-5709: krb5: integer overflow in dbentry->n_key_data in kadmin/dbutil/dump.cAn issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. There is a variable "dbentry->n_key_data" in kadmin/dbutil/dump.c that can store 16-bit data but unknowingly the developer has assigned a "u4" variable to it, which is for 32-bit data. An attacker can use this vulnerability to affect other artifacts of the database as we know that a Kerberos database dump file contains trusted data.Package Name: libk5crypto3 Installed Version: 1.18.3-6+deb11u3 Fixed Version: References: access.redhat.com github.com lists.apache.org |
|
| LOW |
CVE-2004-0971: security flawThe krb5-send-pr script in the kerberos5 (krb5) package in Trustix Secure Linux 1.5 through 2.1, and possibly other operating systems, allows local users to overwrite files via a symlink attack on temporary files.Package Name: libkrb5-3 Installed Version: 1.18.3-6+deb11u3 Fixed Version: References: bugzilla.redhat.com www.gentoo.org www.redhat.com www.securityfocus.com www.trustix.org access.redhat.com exchange.xforce.ibmcloud.com lists.apache.org oval.cisecurity.org |
|
| LOW |
CVE-2018-5709: krb5: integer overflow in dbentry->n_key_data in kadmin/dbutil/dump.cAn issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. There is a variable "dbentry->n_key_data" in kadmin/dbutil/dump.c that can store 16-bit data but unknowingly the developer has assigned a "u4" variable to it, which is for 32-bit data. An attacker can use this vulnerability to affect other artifacts of the database as we know that a Kerberos database dump file contains trusted data.Package Name: libkrb5-3 Installed Version: 1.18.3-6+deb11u3 Fixed Version: References: access.redhat.com github.com lists.apache.org |
|
| LOW |
CVE-2004-0971: security flawThe krb5-send-pr script in the kerberos5 (krb5) package in Trustix Secure Linux 1.5 through 2.1, and possibly other operating systems, allows local users to overwrite files via a symlink attack on temporary files.Package Name: libkrb5support0 Installed Version: 1.18.3-6+deb11u3 Fixed Version: References: bugzilla.redhat.com www.gentoo.org www.redhat.com www.securityfocus.com www.trustix.org access.redhat.com exchange.xforce.ibmcloud.com lists.apache.org oval.cisecurity.org |
|
| LOW |
CVE-2018-5709: krb5: integer overflow in dbentry->n_key_data in kadmin/dbutil/dump.cAn issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. There is a variable "dbentry->n_key_data" in kadmin/dbutil/dump.c that can store 16-bit data but unknowingly the developer has assigned a "u4" variable to it, which is for 32-bit data. An attacker can use this vulnerability to affect other artifacts of the database as we know that a Kerberos database dump file contains trusted data.Package Name: libkrb5support0 Installed Version: 1.18.3-6+deb11u3 Fixed Version: References: access.redhat.com github.com lists.apache.org |
|
| LOW |
CVE-2022-0563: util-linux: partial disclosure of arbitrary files in chfn and chsh when compiled with libreadlineA flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an "INPUTRC" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4.Package Name: libmount1 Installed Version: 2.36.1-8+deb11u1 Fixed Version: References: access.redhat.com lore.kernel.org nvd.nist.gov security.netapp.com |
|
| LOW |
CVE-2021-39537: ncurses: heap-based buffer overflow in _nc_captoinfo() in captoinfo.cAn issue was discovered in ncurses through v6.2-1. _nc_captoinfo in captoinfo.c has a heap-based buffer overflow.Package Name: libncursesw6 Installed Version: 6.2+20201114-2 Fixed Version: References: cvsweb.netbsd.org seclists.org seclists.org seclists.org seclists.org access.redhat.com cve.mitre.org lists.gnu.org lists.gnu.org nvd.nist.gov support.apple.com support.apple.com support.apple.com ubuntu.com |
|
| LOW |
CVE-2017-11164: pcre: OP_KETRMAX feature in the match function in pcre_exec.cIn PCRE 8.41, the OP_KETRMAX feature in the match function in pcre_exec.c allows stack exhaustion (uncontrolled recursion) when processing a crafted regular expression.Package Name: libpcre3 Installed Version: 2:8.39-13 Fixed Version: References: openwall.com www.securityfocus.com access.redhat.com cve.mitre.org lists.apache.org |
|
| LOW |
CVE-2017-16231: pcre: self-recursive call in match() in pcre_exec.c leads to denial of service** DISPUTED ** In PCRE 8.41, after compiling, a pcretest load test PoC produces a crash overflow in the function match() in pcre_exec.c because of a self-recursive call. NOTE: third parties dispute the relevance of this report, noting that there are options that can be used to limit the amount of stack that is used.Package Name: libpcre3 Installed Version: 2:8.39-13 Fixed Version: References: packetstormsecurity.com seclists.org www.openwall.com www.openwall.com www.openwall.com www.openwall.com www.securityfocus.com access.redhat.com bugs.exim.org |
|
| LOW |
CVE-2017-7245: pcre: stack-based buffer overflow write in pcre32_copy_substringStack-based buffer overflow in the pcre32_copy_substring function in pcre_get.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (WRITE of size 4) or possibly have unspecified other impact via a crafted file.Package Name: libpcre3 Installed Version: 2:8.39-13 Fixed Version: References: www.securityfocus.com access.redhat.com access.redhat.com blogs.gentoo.org security.gentoo.org |
|
| LOW |
CVE-2017-7246: pcre: stack-based buffer overflow write in pcre32_copy_substringStack-based buffer overflow in the pcre32_copy_substring function in pcre_get.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (WRITE of size 268) or possibly have unspecified other impact via a crafted file.Package Name: libpcre3 Installed Version: 2:8.39-13 Fixed Version: References: www.securityfocus.com access.redhat.com access.redhat.com blogs.gentoo.org security.gentoo.org |
|
| LOW |
CVE-2019-20838: pcre: Buffer over-read in JIT when UTF is disabled and \X or \R has fixed quantifier greater than 1libpcre in PCRE before 8.43 allows a subject buffer over-read in JIT when UTF is disabled, and \X or \R has more than one fixed quantifier, a related issue to CVE-2019-20454.Package Name: libpcre3 Installed Version: 2:8.39-13 Fixed Version: References: seclists.org seclists.org access.redhat.com access.redhat.com access.redhat.com bugs.gentoo.org cve.mitre.org errata.almalinux.org linux.oracle.com linux.oracle.com lists.apache.org nvd.nist.gov support.apple.com support.apple.com ubuntu.com www.pcre.org |
|
| LOW |
CVE-2021-36084: libsepol: use-after-free in __cil_verify_classperms()The CIL compiler in SELinux 3.2 has a use-after-free in __cil_verify_classperms (called from __cil_verify_classpermission and __cil_pre_verify_helper).Package Name: libsepol1 Installed Version: 3.1-1 Fixed Version: References: access.redhat.com access.redhat.com access.redhat.com access.redhat.com access.redhat.com bugs.chromium.org cve.mitre.org errata.almalinux.org github.com github.com linux.oracle.com linux.oracle.com lists.fedoraproject.org ubuntu.com |
|
| LOW |
CVE-2021-36085: libsepol: use-after-free in __cil_verify_classperms()The CIL compiler in SELinux 3.2 has a use-after-free in __cil_verify_classperms (called from __verify_map_perm_classperms and hashtab_map).Package Name: libsepol1 Installed Version: 3.1-1 Fixed Version: References: access.redhat.com access.redhat.com access.redhat.com access.redhat.com access.redhat.com bugs.chromium.org cve.mitre.org errata.almalinux.org github.com github.com linux.oracle.com linux.oracle.com lists.fedoraproject.org ubuntu.com |
|
| LOW |
CVE-2021-36086: libsepol: use-after-free in cil_reset_classpermission()The CIL compiler in SELinux 3.2 has a use-after-free in cil_reset_classpermission (called from cil_reset_classperms_set and cil_reset_classperms_list).Package Name: libsepol1 Installed Version: 3.1-1 Fixed Version: References: access.redhat.com access.redhat.com access.redhat.com access.redhat.com access.redhat.com bugs.chromium.org cve.mitre.org errata.almalinux.org github.com github.com linux.oracle.com linux.oracle.com lists.fedoraproject.org ubuntu.com |
|
| LOW |
CVE-2021-36087: libsepol: heap-based buffer overflow in ebitmap_match_any()The CIL compiler in SELinux 3.2 has a heap-based buffer over-read in ebitmap_match_any (called indirectly from cil_check_neverallow). This occurs because there is sometimes a lack of checks for invalid statements in an optional block.Package Name: libsepol1 Installed Version: 3.1-1 Fixed Version: References: access.redhat.com access.redhat.com access.redhat.com access.redhat.com access.redhat.com bugs.chromium.org cve.mitre.org errata.almalinux.org github.com github.com linux.oracle.com linux.oracle.com lists.fedoraproject.org lore.kernel.org ubuntu.com |
|
| LOW |
CVE-2022-0563: util-linux: partial disclosure of arbitrary files in chfn and chsh when compiled with libreadlineA flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an "INPUTRC" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4.Package Name: libsmartcols1 Installed Version: 2.36.1-8+deb11u1 Fixed Version: References: access.redhat.com lore.kernel.org nvd.nist.gov security.netapp.com |
|
| LOW |
CVE-2021-36690: ** DISPUTED ** A segmentation fault can occur in the sqlite3.exe comma ...** DISPUTED ** A segmentation fault can occur in the sqlite3.exe command-line component of SQLite 3.36.0 via the idxGetTableInfo function when there is a crafted SQL query. NOTE: the vendor disputes the relevance of this report because a sqlite3.exe user already has full privileges (e.g., is intentionally allowed to execute commands). This report does NOT imply any problem in the SQLite library.Package Name: libsqlite3-0 Installed Version: 3.34.1-3 Fixed Version: References: seclists.org seclists.org seclists.org seclists.org seclists.org cve.mitre.org nvd.nist.gov support.apple.com support.apple.com support.apple.com support.apple.com ubuntu.com www.sqlite.org |
|
| LOW |
CVE-2022-35737: sqlite: an array-bounds overflow if billions of bytes are used in a string argument to a C APISQLite 1.0.12 through 3.39.x before 3.39.2 sometimes allows an array-bounds overflow if billions of bytes are used in a string argument to a C API.Package Name: libsqlite3-0 Installed Version: 3.34.1-3 Fixed Version: References: access.redhat.com blog.trailofbits.com cve.mitre.org kb.cert.org nvd.nist.gov security.gentoo.org security.netapp.com sqlite.org ubuntu.com ubuntu.com ubuntu.com www.sqlite.org www.sqlite.org |
|
| LOW |
CVE-2007-6755: Dual_EC_DRBG: weak pseudo random number generatorThe NIST SP 800-90A default statement of the Dual Elliptic Curve Deterministic Random Bit Generation (Dual_EC_DRBG) algorithm contains point Q constants with a possible relationship to certain "skeleton key" values, which might allow context-dependent attackers to defeat cryptographic protection mechanisms by leveraging knowledge of those values. NOTE: this is a preliminary CVE for Dual_EC_DRBG; future research may provide additional details about point Q and associated attacks, and could potentially lead to a RECAST or REJECT of this CVE.Package Name: libssl1.1 Installed Version: 1.1.1n-0+deb11u3 Fixed Version: References: arstechnica.com blog.cryptographyengineering.com blog.cryptographyengineering.com rump2007.cr.yp.to stream.wsj.com threatpost.com www.securityfocus.com access.redhat.com www.schneier.com |
|
| LOW |
CVE-2010-0928: openssl: RSA authentication weaknessOpenSSL 0.9.8i on the Gaisler Research LEON3 SoC on the Xilinx Virtex-II Pro FPGA uses a Fixed Width Exponentiation (FWE) algorithm for certain signature calculations, and does not verify the signature before providing it to a caller, which makes it easier for physically proximate attackers to determine the private key via a modified supply voltage for the microprocessor, related to a "fault-based attack."Package Name: libssl1.1 Installed Version: 1.1.1n-0+deb11u3 Fixed Version: References: rdist.root.org www.eecs.umich.edu www.networkworld.com www.osvdb.org www.theregister.co.uk access.redhat.com exchange.xforce.ibmcloud.com |
|
| LOW |
CVE-2013-4392: systemd: TOCTOU race condition when updating file permissions and SELinux security contextssystemd, when updating file permissions, allows local users to change the permissions and SELinux security contexts for arbitrary files via a symlink attack on unspecified files.Package Name: libsystemd0 Installed Version: 247.3-7+deb11u1 Fixed Version: References: bugs.debian.org www.openwall.com access.redhat.com bugzilla.redhat.com |
|
| LOW |
CVE-2020-13529: systemd: DHCP FORCERENEW authentication not implemented can cause a system running the DHCP client to have its network reconfiguredAn exploitable denial-of-service vulnerability exists in Systemd 245. A specially crafted DHCP FORCERENEW packet can cause a server running the DHCP client to be vulnerable to a DHCP ACK spoofing attack. An attacker can forge a pair of FORCERENEW and DCHP ACK packets to reconfigure the server.Package Name: libsystemd0 Installed Version: 247.3-7+deb11u1 Fixed Version: References: www.openwall.com www.openwall.com www.openwall.com access.redhat.com cve.mitre.org linux.oracle.com linux.oracle.com lists.fedoraproject.org security.gentoo.org security.netapp.com talosintelligence.com ubuntu.com ubuntu.com |
|
| LOW |
CVE-2021-39537: ncurses: heap-based buffer overflow in _nc_captoinfo() in captoinfo.cAn issue was discovered in ncurses through v6.2-1. _nc_captoinfo in captoinfo.c has a heap-based buffer overflow.Package Name: libtinfo6 Installed Version: 6.2+20201114-2 Fixed Version: References: cvsweb.netbsd.org seclists.org seclists.org seclists.org seclists.org access.redhat.com cve.mitre.org lists.gnu.org lists.gnu.org nvd.nist.gov support.apple.com support.apple.com support.apple.com ubuntu.com |
|
| LOW |
CVE-2013-4392: systemd: TOCTOU race condition when updating file permissions and SELinux security contextssystemd, when updating file permissions, allows local users to change the permissions and SELinux security contexts for arbitrary files via a symlink attack on unspecified files.Package Name: libudev1 Installed Version: 247.3-7+deb11u1 Fixed Version: References: bugs.debian.org www.openwall.com access.redhat.com bugzilla.redhat.com |
|
| LOW |
CVE-2020-13529: systemd: DHCP FORCERENEW authentication not implemented can cause a system running the DHCP client to have its network reconfiguredAn exploitable denial-of-service vulnerability exists in Systemd 245. A specially crafted DHCP FORCERENEW packet can cause a server running the DHCP client to be vulnerable to a DHCP ACK spoofing attack. An attacker can forge a pair of FORCERENEW and DCHP ACK packets to reconfigure the server.Package Name: libudev1 Installed Version: 247.3-7+deb11u1 Fixed Version: References: www.openwall.com www.openwall.com www.openwall.com access.redhat.com cve.mitre.org linux.oracle.com linux.oracle.com lists.fedoraproject.org security.gentoo.org security.netapp.com talosintelligence.com ubuntu.com ubuntu.com |
|
| LOW |
CVE-2022-0563: util-linux: partial disclosure of arbitrary files in chfn and chsh when compiled with libreadlineA flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an "INPUTRC" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4.Package Name: libuuid1 Installed Version: 2.36.1-8+deb11u1 Fixed Version: References: access.redhat.com lore.kernel.org nvd.nist.gov security.netapp.com |
|
| LOW |
CVE-2007-5686: initscripts in rPath Linux 1 sets insecure permissions for the /var/lo ...initscripts in rPath Linux 1 sets insecure permissions for the /var/log/btmp file, which allows local users to obtain sensitive information regarding authentication attempts. NOTE: because sshd detects the insecure permissions and does not log certain events, this also prevents sshd from logging failed authentication attempts by remote attackers.Package Name: login Installed Version: 1:4.8.1-1 Fixed Version: References: secunia.com www.securityfocus.com www.securityfocus.com www.securityfocus.com www.vupen.com issues.rpath.com |
|
| LOW |
CVE-2013-4235: shadow-utils: TOCTOU race conditions by copying and removing directory treesshadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory treesPackage Name: login Installed Version: 1:4.8.1-1 Fixed Version: References: access.redhat.com access.redhat.com bugs.launchpad.net bugzilla.redhat.com cve.mitre.org github.com github.com lists.apache.org security-tracker.debian.org security.gentoo.org ubuntu.com ubuntu.com |
|
| LOW |
CVE-2019-19882: shadow-utils: local users can obtain root access because setuid programs are misconfiguredshadow 4.8, in certain circumstances affecting at least Gentoo, Arch Linux, and Void Linux, allows local users to obtain root access because setuid programs are misconfigured. Specifically, this affects shadow 4.8 when compiled using --with-libpam but without explicitly passing --disable-account-tools-setuid, and without a PAM configuration suitable for use with setuid account management tools. This combination leads to account management tools (groupadd, groupdel, groupmod, useradd, userdel, usermod) that can easily be used by unprivileged local users to escalate privileges to root in multiple ways. This issue became much more relevant in approximately December 2019 when an unrelated bug was fixed (i.e., the chmod calls to suidusbins were fixed in the upstream Makefile which is now included in the release version 4.8).Package Name: login Installed Version: 1:4.8.1-1 Fixed Version: References: access.redhat.com bugs.archlinux.org bugs.gentoo.org github.com github.com github.com security.gentoo.org |
|
| LOW |
CVE-2022-0563: util-linux: partial disclosure of arbitrary files in chfn and chsh when compiled with libreadlineA flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an "INPUTRC" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4.Package Name: mount Installed Version: 2.36.1-8+deb11u1 Fixed Version: References: access.redhat.com lore.kernel.org nvd.nist.gov security.netapp.com |
|
| LOW |
CVE-2021-39537: ncurses: heap-based buffer overflow in _nc_captoinfo() in captoinfo.cAn issue was discovered in ncurses through v6.2-1. _nc_captoinfo in captoinfo.c has a heap-based buffer overflow.Package Name: ncurses-base Installed Version: 6.2+20201114-2 Fixed Version: References: cvsweb.netbsd.org seclists.org seclists.org seclists.org seclists.org access.redhat.com cve.mitre.org lists.gnu.org lists.gnu.org nvd.nist.gov support.apple.com support.apple.com support.apple.com ubuntu.com |
|
| LOW |
CVE-2021-39537: ncurses: heap-based buffer overflow in _nc_captoinfo() in captoinfo.cAn issue was discovered in ncurses through v6.2-1. _nc_captoinfo in captoinfo.c has a heap-based buffer overflow.Package Name: ncurses-bin Installed Version: 6.2+20201114-2 Fixed Version: References: cvsweb.netbsd.org seclists.org seclists.org seclists.org seclists.org access.redhat.com cve.mitre.org lists.gnu.org lists.gnu.org nvd.nist.gov support.apple.com support.apple.com support.apple.com ubuntu.com |
|
| LOW |
CVE-2007-6755: Dual_EC_DRBG: weak pseudo random number generatorThe NIST SP 800-90A default statement of the Dual Elliptic Curve Deterministic Random Bit Generation (Dual_EC_DRBG) algorithm contains point Q constants with a possible relationship to certain "skeleton key" values, which might allow context-dependent attackers to defeat cryptographic protection mechanisms by leveraging knowledge of those values. NOTE: this is a preliminary CVE for Dual_EC_DRBG; future research may provide additional details about point Q and associated attacks, and could potentially lead to a RECAST or REJECT of this CVE.Package Name: openssl Installed Version: 1.1.1n-0+deb11u3 Fixed Version: References: arstechnica.com blog.cryptographyengineering.com blog.cryptographyengineering.com rump2007.cr.yp.to stream.wsj.com threatpost.com www.securityfocus.com access.redhat.com www.schneier.com |
|
| LOW |
CVE-2010-0928: openssl: RSA authentication weaknessOpenSSL 0.9.8i on the Gaisler Research LEON3 SoC on the Xilinx Virtex-II Pro FPGA uses a Fixed Width Exponentiation (FWE) algorithm for certain signature calculations, and does not verify the signature before providing it to a caller, which makes it easier for physically proximate attackers to determine the private key via a modified supply voltage for the microprocessor, related to a "fault-based attack."Package Name: openssl Installed Version: 1.1.1n-0+deb11u3 Fixed Version: References: rdist.root.org www.eecs.umich.edu www.networkworld.com www.osvdb.org www.theregister.co.uk access.redhat.com exchange.xforce.ibmcloud.com |
|
| LOW |
CVE-2007-5686: initscripts in rPath Linux 1 sets insecure permissions for the /var/lo ...initscripts in rPath Linux 1 sets insecure permissions for the /var/log/btmp file, which allows local users to obtain sensitive information regarding authentication attempts. NOTE: because sshd detects the insecure permissions and does not log certain events, this also prevents sshd from logging failed authentication attempts by remote attackers.Package Name: passwd Installed Version: 1:4.8.1-1 Fixed Version: References: secunia.com www.securityfocus.com www.securityfocus.com www.securityfocus.com www.vupen.com issues.rpath.com |
|
| LOW |
CVE-2013-4235: shadow-utils: TOCTOU race conditions by copying and removing directory treesshadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory treesPackage Name: passwd Installed Version: 1:4.8.1-1 Fixed Version: References: access.redhat.com access.redhat.com bugs.launchpad.net bugzilla.redhat.com cve.mitre.org github.com github.com lists.apache.org security-tracker.debian.org security.gentoo.org ubuntu.com ubuntu.com |
|
| LOW |
CVE-2019-19882: shadow-utils: local users can obtain root access because setuid programs are misconfiguredshadow 4.8, in certain circumstances affecting at least Gentoo, Arch Linux, and Void Linux, allows local users to obtain root access because setuid programs are misconfigured. Specifically, this affects shadow 4.8 when compiled using --with-libpam but without explicitly passing --disable-account-tools-setuid, and without a PAM configuration suitable for use with setuid account management tools. This combination leads to account management tools (groupadd, groupdel, groupmod, useradd, userdel, usermod) that can easily be used by unprivileged local users to escalate privileges to root in multiple ways. This issue became much more relevant in approximately December 2019 when an unrelated bug was fixed (i.e., the chmod calls to suidusbins were fixed in the upstream Makefile which is now included in the release version 4.8).Package Name: passwd Installed Version: 1:4.8.1-1 Fixed Version: References: access.redhat.com bugs.archlinux.org bugs.gentoo.org github.com github.com github.com security.gentoo.org |
|
| LOW |
CVE-2011-4116: perl: File::Temp insecure temporary file handling_is_safe in the File::Temp module for Perl does not properly handle symlinks.Package Name: perl-base Installed Version: 5.32.1-4+deb11u2 Fixed Version: References: www.openwall.com www.openwall.com access.redhat.com github.com rt.cpan.org seclists.org |
|
| LOW |
CVE-2005-2541: tar: does not properly warn the user when extracting setuid or setgid filesTar 1.15.1 does not properly warn the user when extracting setuid or setgid files, which may allow local users or remote attackers to gain privileges.Package Name: tar Installed Version: 1.34+dfsg-1 Fixed Version: References: marc.info access.redhat.com lists.apache.org |
|
| LOW |
CVE-2022-0563: util-linux: partial disclosure of arbitrary files in chfn and chsh when compiled with libreadlineA flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an "INPUTRC" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4.Package Name: util-linux Installed Version: 2.36.1-8+deb11u1 Fixed Version: References: access.redhat.com lore.kernel.org nvd.nist.gov security.netapp.com |
|
Loading...
You can embed a badge in another website that shows this or the latest version of this package.
To embed the badge for this specific package version, use the following:
[](https://cloudsmith.io/~cloudsmith/repos/actions-images/packages/detail/docker/python/b4e492dd480a64c1436e448735acc6435a574664eabb88e744b428ac3baa646d/a=amd64;xpo=linux/)|This version of 'python' @ Cloudsmith|
.. |This version of 'python' @ Cloudsmith| image:: https://api-prd.cloudsmith.io/v1/badges/version/cloudsmith/actions-images/docker/python/3.8-slim-amd64/a=amd64;xpo=linux/?render=true
:target: https://cloudsmith.io/~cloudsmith/repos/actions-images/packages/detail/docker/python/b4e492dd480a64c1436e448735acc6435a574664eabb88e744b428ac3baa646d/a=amd64;xpo=linux/image::https://api-prd.cloudsmith.io/v1/badges/version/cloudsmith/actions-images/docker/python/3.8-slim-amd64/a=amd64;xpo=linux/?render=true[link="https://cloudsmith.io/~cloudsmith/repos/actions-images/packages/detail/docker/python/b4e492dd480a64c1436e448735acc6435a574664eabb88e744b428ac3baa646d/a=amd64;xpo=linux/",title="This version of 'python' @ Cloudsmith"]<a href="https://cloudsmith.io/~cloudsmith/repos/actions-images/packages/detail/docker/python/b4e492dd480a64c1436e448735acc6435a574664eabb88e744b428ac3baa646d/a=amd64;xpo=linux/"><img src="https://api-prd.cloudsmith.io/v1/badges/version/cloudsmith/actions-images/docker/python/3.8-slim-amd64/a=amd64;xpo=linux/?render=true" alt="This version of 'python' @ Cloudsmith" /></a>rendered as:
To embed the badge for the latest package version, use the following:
[](https://cloudsmith.io/~cloudsmith/repos/actions-images/packages/detail/docker/python/latest/a=amd64;xpo=linux/)|Latest version of 'python' @ Cloudsmith|
.. |Latest version of 'python' @ Cloudsmith| image:: https://api-prd.cloudsmith.io/v1/badges/version/cloudsmith/actions-images/docker/python/latest/a=amd64;xpo=linux/?render=true&show_latest=true
:target: https://cloudsmith.io/~cloudsmith/repos/actions-images/packages/detail/docker/python/latest/a=amd64;xpo=linux/image::https://api-prd.cloudsmith.io/v1/badges/version/cloudsmith/actions-images/docker/python/latest/a=amd64;xpo=linux/?render=true&show_latest=true[link="https://cloudsmith.io/~cloudsmith/repos/actions-images/packages/detail/docker/python/latest/a=amd64;xpo=linux/",title="Latest version of 'python' @ Cloudsmith"]<a href="https://cloudsmith.io/~cloudsmith/repos/actions-images/packages/detail/docker/python/latest/a=amd64;xpo=linux/"><img src="https://api-prd.cloudsmith.io/v1/badges/version/cloudsmith/actions-images/docker/python/latest/a=amd64;xpo=linux/?render=true&show_latest=true" alt="Latest version of 'python' @ Cloudsmith" /></a>rendered as:
These instructions assume you have setup the repository first (or read it).
To pull python @ reference/tag 3.8-slim-amd64:
docker pull docker.cloudsmith.io/cloudsmith/actions-images/python:3.8-slim-amd64You can also pull the latest version of this image (if it exists):
docker pull docker.cloudsmith.io/cloudsmith/actions-images/python:latestTo refer to this image after pulling in a Dockerfile, specify the following:
FROM docker.cloudsmith.io/cloudsmith/actions-images/python:3.8-slim-amd64
Previous Version
