Package Search Help

You can use boolean logic (e.g. AND/OR/NOT) for complex search queries. For more help and examples, see the search documentation.

Search by package name:
my-package (implicit)
name:my-package (explicit)

Search by package filename:
my-package.ext (implicit)
filename:my-package.ext (explicit)

Search by package tag:
latest (implicit)
tag:latest (explicit)

Search by package version:
1.0.0 (implicit)
version:1.0.0 (explicit)
prerelease:true (prereleases)
prerelease:false (no prereleases)

Search by package architecture:
architecture:x86_64 

Search by package distribution:
distribution:el 

Search by package license:
license:MIT 

Search by package format:
format:deb 

Search by package status:
status:in_progress 

Search by package file checksum:
checksum:5afba 

Search by package security status:
severity:critical 

Search by package vulnerabilities:
vulnerabilities:>1 
vulnerabilities:<1000 

Search by # of package downloads:
downloads:>8 
downloads:<100 

Search by package type:
type:binary 
type:source 

Search by package size (bytes):
size:>50000 
size:<10000 

Search by dependency name/version:
dependency:log4j 
dependency:log4j=1.0.0 
dependency:log4j>1.0.0 

Search by uploaded date:
uploaded:>"1 day ago" 
uploaded:<"August 14, 2022 EST" 

Search by entitlement token (identifier):
entitlement:3lKPVJPosCsY 

Search by policy violation:
policy_violated:true
deny_policy_violated:true
license_policy_violated:true
vulnerability_policy_violated:true

Search by repository:
repository:repo-name

Search queries for all Debian-specific (and related) package types

Search by component:
deb_component:unstable

Search queries for all Maven-specific (and related) package types

Search by group ID:
maven_group_id:org.apache

Search queries for all Docker-specific (and related) package types

Search by image digest:
docker_image_digest:sha256:7c5..6d4
(full hashref only)

Search by layer digest:
docker_layer_digest:sha256:4c4..ae4
(full hashref only)

Field type modifiers (depending on the type, you can influence behaviour)

For all queries, you can use:
~foo for negation

For string queries, you can use:
^foo to anchor to start of term
foo$ to anchor to end of term
foo*bar for fuzzy matching

For number/date or version queries, you can use:
>foo for values greater than
>=foo for values greater / equal
<foo for values less than
<=foo for values less / equal

Note: Packages in this repository are licensed as Apache License 2.0 (dependencies may be licensed differently).

publish 3543bd6e7488bee6aa5909ec5f5…

One-liner (summary)

A certifiably-awesome package curated by Examples Bot, hosted by Cloudsmith.

Description

A certifiably-awesome package curated by Examples Bot, hosted by Cloudsmith.

License

Unknown

Size

24.3 MB

Downloads

1002

Tags

image amd64 linux

Status  Completed
GPG Signature
Storage Region  Dublin, Ireland
Type  Binary (contains binaries and binary artifacts)
Uploaded At 5 years, 1 month ago
Uploaded By csm-examples-bot
Slug Id publish-4
Unique Id wJqpGLkmMhSE
Version (Raw) 3543bd6e7488bee6aa5909ec5f525f8422528de95c3638a88fe9eceea5fff1d4
Version (Parsed)
  • Type: Unknown
Docker-specific metadata
Image Digest sha256:3543bd6e7488bee6aa5909ec5f525f8422528de95c3638a88fe9eceea5fff1d4
Config Digest sha256:8fc847f4b70249a4150b5aed39093a545806151eae2ffa3c06dfe39ce49c0fe9
V2 Distribution Digest sha256:3543bd6e7488bee6aa5909ec5f525f8422528de95c3638a88fe9eceea5fff1d4
V2 Distribution List Digest sha256:2b7e7185aa146d4f9fe6d8a70c5d475a6964eea4aa286ffd38217d8b81f3b8b3
V1 OCI Index Digest sha256:8253abb635cb561c2a519ca1582f6814d921249938b4cd2ee306ec597827f5d7
V1 Distribution (Signed) Digest sha256:7983ba508255df87e5b5fdcc433f9dad233a159fdceb91917178865e125b01d3
V1 OCI Digest sha256:9c5273f45402d0c5c75a4326c4ae6dababfe5ec072f119da5fcb5638d8d006b4
V1 Distribution Digest sha256:ec84ece80f5ca2181be6d281108eda3c3e7a19c9fc6948f600b4ddde22e61104
Extended metadata
Architecture amd64
Config
Container 05baccaa2fc79d911a09aaf329d5a323b768e22aadd1179cccfb52dcd8f43e2b
Container Config
Created 2019-12-09 22:50:25 UTC
Docker Version 18.09.1
Os linux

This package was uploaded with the following V2 Distribution manifest:

{
   "schemaVersion": 2,
   "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
   "config": {
      "mediaType": "application/vnd.docker.container.image.v1+json",
      "digest": "sha256:3bea83aa549faa539263719e7ca0d8ae7ada299f3e4ab2af975295a641b8d4f0"
   },
   "layers": [
      {
         "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
         "digest": "sha256:c87736221ed0bcaa60b8e92a19bec2284899ef89226f2a07968677cf59e637a4"
      },
      {
         "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
         "digest": "sha256:81d020c7ae84eacb409907ee15e96669428d464ff0ecfad624d02ccd28f049fd"
      },
      {
         "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
         "digest": "sha256:8f5ad7e774b3e4f09e94f4ace1bbff187fc99e448927f2adcd5ed11e29e4d39c"
      },
      {
         "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
         "digest": "sha256:c7f58bcc220aeec92a5d708a0842c2ecfeff6fda62370bd10573d6ec86da6ac2"
      },
      {
         "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
         "digest": "sha256:c7f58bcc220aeec92a5d708a0842c2ecfeff6fda62370bd10573d6ec86da6ac2"
      }
   ]
}
Digest: sha256:c87736221ed0bcaa60b8e92a19bec2284899ef89226f2a07968677cf59e637a4
Command: /bin/sh -c #(nop) ADD file:38bc6b51693b13d84a63e281403e2f6d0218c44b1d7ff12157c4523f9f0ebb1e in /
2.1 MB
Digest: sha256:81d020c7ae84eacb409907ee15e96669428d464ff0ecfad624d02ccd28f049fd
Command: /bin/sh -c #(nop) CMD ["/bin/sh"]
17.3 MB
Digest: sha256:8f5ad7e774b3e4f09e94f4ace1bbff187fc99e448927f2adcd5ed11e29e4d39c
Command: /bin/sh -c apk update && apk add bash python3
4.9 MB
Digest: sha256:c7f58bcc220aeec92a5d708a0842c2ecfeff6fda62370bd10573d6ec86da6ac2
Command: /bin/sh -c pip3 install cloudsmith-cli==0.10.0
1.5 KB
Digest: sha256:c7f58bcc220aeec92a5d708a0842c2ecfeff6fda62370bd10573d6ec86da6ac2
Command: /bin/sh -c #(nop) ENTRYPOINT ["/pipe.sh"]
1.5 KB

Last scanned

1 day, 9 hours ago

Scan result

Vulnerable

Vulnerability count

16

Max. severity

Critical
Target: . (alpine 3.8.4)
CRITICAL

CVE-2019-14697: musl libc through 1.1.23 has an x87 floating-point stack adjustment im ...

musl libc through 1.1.23 has an x87 floating-point stack adjustment imbalance, related to the math/i386/ directory. In some cases, use of this library could introduce out-of-bounds writes that are not present in an application's source code.

Package Name: musl
Installed Version: 1.1.19-r10
Fixed Version: 1.1.19-r11

References: www.openwall.com git.musl-libc.org git.musl-libc.org security.gentoo.org ubuntu.com www.cve.org www.openwall.com www.openwall.com
CRITICAL

CVE-2019-14697: musl libc through 1.1.23 has an x87 floating-point stack adjustment im ...

musl libc through 1.1.23 has an x87 floating-point stack adjustment imbalance, related to the math/i386/ directory. In some cases, use of this library could introduce out-of-bounds writes that are not present in an application's source code.

Package Name: musl-utils
Installed Version: 1.1.19-r10
Fixed Version: 1.1.19-r11

References: www.openwall.com git.musl-libc.org git.musl-libc.org security.gentoo.org ubuntu.com www.cve.org www.openwall.com www.openwall.com
HIGH

CVE-2019-19244: sqlite: allows a crash if a sub-select uses both DISTINCT and window functions and also has certain ORDER BY usage

sqlite3Select in select.c in SQLite 3.30.1 allows a crash if a sub-select uses both DISTINCT and window functions, and also has certain ORDER BY usage.

Package Name: sqlite-libs
Installed Version: 3.25.3-r2
Fixed Version: 3.25.3-r3

References: access.redhat.com cert-portal.siemens.com github.com nvd.nist.gov ubuntu.com usn.ubuntu.com www.cve.org www.oracle.com
MEDIUM

CVE-2019-19242: sqlite: SQL injection in sqlite3ExprCodeTarget in expr.c

SQLite 3.30.1 mishandles pExpr->y.pTab, as demonstrated by the TK_COLUMN case in sqlite3ExprCodeTarget in expr.c.

Package Name: sqlite-libs
Installed Version: 3.25.3-r2
Fixed Version: 3.25.3-r3

References: access.redhat.com cert-portal.siemens.com github.com nvd.nist.gov ubuntu.com usn.ubuntu.com www.cve.org www.oracle.com
Target: Python
HIGH

CVE-2023-37920: python-certifi: Removal of e-Tugra root certificate

Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi prior to version 2023.07.22 recognizes "e-Tugra" root certificates. e-Tugra's root certificates were subject to an investigation prompted by reporting of security issues in their systems. Certifi 2023.07.22 removes root certificates from "e-Tugra" from the root store.

Package Name: certifi
Installed Version: 2019.11.28
Fixed Version: 2023.7.22

References: access.redhat.com access.redhat.com bugzilla.redhat.com bugzilla.redhat.com errata.almalinux.org github.com github.com github.com github.com groups.google.com linux.oracle.com linux.oracle.com lists.fedoraproject.org lists.fedoraproject.org nvd.nist.gov www.cve.org
HIGH

CVE-2022-40899: python-future: remote attackers can cause denial of service via crafted Set-Cookie header from malicious web server

An issue discovered in Python Charmers Future 0.18.2 and earlier allows remote attackers to cause a denial of service via crafted Set-Cookie header from malicious web server.

Package Name: future
Installed Version: 0.18.2
Fixed Version: 0.18.3

References: access.redhat.com github.com github.com github.com github.com github.com github.com nvd.nist.gov pypi.org pypi.org pyup.io pyup.io ubuntu.com www.cve.org
HIGH

CVE-2020-7212: python-urllib3: inefficient algorithm allows a DoS (CPU consumption) in _encode_invalid_chars function in util/url.py

The _encode_invalid_chars function in util/url.py in the urllib3 library 1.25.2 through 1.25.7 for Python allows a denial of service (CPU consumption) because of an inefficient algorithm. The percent_encodings array contains all matches of percent encodings. It is not deduplicated. For a URL of length N, the size of percent_encodings may be up to O(N). The next step (normalize existing percent-encoded bytes) also takes up to O(N) for each step, so the total time is O(N^2). If percent_encodings were deduplicated, the time to compute _encode_invalid_chars would be O(kN), where k is at most 484 ((10+6*2)^2).

Package Name: urllib3
Installed Version: 1.25.7
Fixed Version: 1.25.8

References: access.redhat.com bugzilla.novell.com github.com github.com github.com github.com github.com nvd.nist.gov pypi.org pypi.org www.cve.org
HIGH

CVE-2021-33503: python-urllib3: ReDoS in the parsing of authority part of URL

An issue was discovered in urllib3 before 1.26.5. When provided with a URL containing many @ characters in the authority component, the authority regular expression exhibits catastrophic backtracking, causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect.

Package Name: urllib3
Installed Version: 1.25.7
Fixed Version: 1.26.5

References: access.redhat.com errata.almalinux.org github.com github.com github.com github.com github.com github.com linux.oracle.com linux.oracle.com lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org nvd.nist.gov security.gentoo.org ubuntu.com www.cve.org www.oracle.com
HIGH

CVE-2023-43804: python-urllib3: Cookie request header isn't stripped during cross-origin redirects

urllib3 is a user-friendly HTTP client library for Python. urllib3 doesn't treat the `Cookie` HTTP header special or provide any helpers for managing cookies over HTTP, that is the responsibility of the user. However, it is possible for a user to specify a `Cookie` header and unknowingly leak information via HTTP redirects to a different origin if that user doesn't disable redirects explicitly. This issue has been patched in urllib3 version 1.26.17 or 2.0.5.

Package Name: urllib3
Installed Version: 1.25.7
Fixed Version: 2.0.6, 1.26.17

References: access.redhat.com access.redhat.com bugzilla.redhat.com bugzilla.redhat.com cve.mitre.org errata.almalinux.org errata.rockylinux.org github.com github.com github.com github.com github.com linux.oracle.com linux.oracle.com lists.debian.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org nvd.nist.gov security.netapp.com security.netapp.com ubuntu.com ubuntu.com www.cve.org www.vicarius.io
MEDIUM

CVE-2022-23491: python-certifi: untrusted root certificates

Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi 2022.12.07 removes root certificates from "TrustCor" from the root store. These are in the process of being removed from Mozilla's trust store. TrustCor's root certificates are being removed pursuant to an investigation prompted by media reporting that TrustCor's ownership also operated a business that produced spyware. Conclusions of Mozilla's investigation can be found in the linked google group discussion.

Package Name: certifi
Installed Version: 2019.11.28
Fixed Version: 2022.12.07

References: access.redhat.com github.com github.com github.com github.com groups.google.com nvd.nist.gov ubuntu.com ubuntu.com www.cve.org
MEDIUM

CVE-2024-3651: python-idna: potential DoS via resource consumption via specially crafted inputs to idna.encode()

A vulnerability was identified in the kjd/idna library, specifically within the `idna.encode()` function, affecting version 3.6. The issue arises from the function's handling of crafted input strings, which can lead to quadratic complexity and consequently, a denial of service condition. This vulnerability is triggered by a crafted input that causes the `idna.encode()` function to process the input with considerable computational load, significantly increasing the processing time in a quadratic manner relative to the input size.

Package Name: idna
Installed Version: 2.8
Fixed Version: 3.7

References: access.redhat.com access.redhat.com bugzilla.redhat.com bugzilla.redhat.com cve.mitre.org errata.almalinux.org errata.rockylinux.org github.com github.com github.com github.com huntr.com linux.oracle.com linux.oracle.com nvd.nist.gov ubuntu.com www.cve.org
MEDIUM

CVE-2023-32681: python-requests: Unintended leak of Proxy-Authorization header

Requests is an HTTP library. Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. This is a product of how we use `rebuild_proxies` to reattach the `Proxy-Authorization` header to requests. For HTTP connections sent through the tunnel, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However when sent over HTTPS, the `Proxy-Authorization` header must be sent in the CONNECT request as the proxy has no visibility into the tunneled request. This results in Requests forwarding proxy credentials to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate sensitive information. This issue has been patched in version 2.31.0.

Package Name: requests
Installed Version: 2.22.0
Fixed Version: 2.31.0

References: access.redhat.com access.redhat.com bugzilla.redhat.com bugzilla.redhat.com cve.mitre.org errata.almalinux.org errata.rockylinux.org github.com github.com github.com github.com github.com linux.oracle.com linux.oracle.com lists.debian.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org nvd.nist.gov security.gentoo.org ubuntu.com ubuntu.com www.cve.org
MEDIUM

CVE-2024-35195: requests: subsequent requests to the same host ignore cert verification

Requests is an HTTP library. Prior to 2.32.0, when making requests through a Requests `Session`, if the first request is made with `verify=False` to disable cert verification, all subsequent requests to the same host will continue to ignore cert verification regardless of changes to the value of `verify`. This behavior will continue for the lifecycle of the connection in the connection pool. This vulnerability is fixed in 2.32.0.

Package Name: requests
Installed Version: 2.22.0
Fixed Version: 2.32.0

References: access.redhat.com access.redhat.com bugzilla.redhat.com bugzilla.redhat.com cve.mitre.org errata.almalinux.org errata.rockylinux.org github.com github.com github.com github.com linux.oracle.com linux.oracle.com lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org nvd.nist.gov www.cve.org
MEDIUM

CVE-2020-26137: python-urllib3: CRLF injection via HTTP request method

urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116.

Package Name: urllib3
Installed Version: 1.25.7
Fixed Version: 1.25.9

References: access.redhat.com bugs.python.org bugzilla.redhat.com cve.mitre.org errata.almalinux.org errata.rockylinux.org github.com github.com github.com github.com linux.oracle.com linux.oracle.com lists.debian.org lists.debian.org nvd.nist.gov ubuntu.com usn.ubuntu.com usn.ubuntu.com www.cve.org www.oracle.com www.oracle.com
MEDIUM

CVE-2023-45803: urllib3: Request body not stripped after redirect from 303 status changes request method to GET

urllib3 is a user-friendly HTTP client library for Python. urllib3 previously wouldn't remove the HTTP request body when an HTTP redirect response using status 301, 302, or 303 after the request had its method changed from one that could accept a request body (like `POST`) to `GET` as is required by HTTP RFCs. Although this behavior is not specified in the section for redirects, it can be inferred by piecing together information from different sections and we have observed the behavior in other major HTTP client implementations like curl and web browsers. Because the vulnerability requires a previously trusted service to become compromised in order to have an impact on confidentiality we believe the exploitability of this vulnerability is low. Additionally, many users aren't putting sensitive data in HTTP request bodies, if this is the case then this vulnerability isn't exploitable. Both of the following conditions must be true to be affected by this vulnerability: 1. Using urllib3 and submitting sensitive information in the HTTP request body (such as form data or JSON) and 2. The origin service is compromised and starts redirecting using 301, 302, or 303 to a malicious peer or the redirected-to service becomes compromised. This issue has been addressed in versions 1.26.18 and 2.0.7 and users are advised to update to resolve this issue. Users unable to update should disable redirects for services that aren't expecting to respond with redirects with `redirects=False` and disable automatic redirects with `redirects=False` and handle 301, 302, and 303 redirects manually by stripping the HTTP request body.

Package Name: urllib3
Installed Version: 1.25.7
Fixed Version: 2.0.7, 1.26.18

References: access.redhat.com access.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com cve.mitre.org cve.mitre.org cve.mitre.org errata.almalinux.org errata.rockylinux.org github.com github.com github.com github.com github.com github.com github.com github.com linux.oracle.com linux.oracle.com lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org nvd.nist.gov ubuntu.com ubuntu.com www.cve.org www.rfc-editor.org
MEDIUM

CVE-2024-37891: urllib3: proxy-authorization request header is not stripped during cross-origin redirects

urllib3 is a user-friendly HTTP client library for Python. When using urllib3's proxy support with `ProxyManager`, the `Proxy-Authorization` header is only sent to the configured proxy, as expected. However, when sending HTTP requests *without* using urllib3's proxy support, it's possible to accidentally configure the `Proxy-Authorization` header even though it won't have any effect as the request is not using a forwarding proxy or a tunneling proxy. In those cases, urllib3 doesn't treat the `Proxy-Authorization` HTTP header as one carrying authentication material and thus doesn't strip the header on cross-origin redirects. Because this is a highly unlikely scenario, we believe the severity of this vulnerability is low for almost all users. Out of an abundance of caution urllib3 will automatically strip the `Proxy-Authorization` header during cross-origin redirects to avoid the small chance that users are doing this on accident. Users should use urllib3's proxy support or disable automatic redirects to achieve safe processing of the `Proxy-Authorization` header, but we still decided to strip the header by default in order to further protect users who aren't using the correct approach. We believe the number of usages affected by this advisory is low. It requires all of the following to be true to be exploited: 1. Setting the `Proxy-Authorization` header without using urllib3's built-in proxy support. 2. Not disabling HTTP redirects. 3. Either not using an HTTPS origin server or for the proxy or target origin to redirect to a malicious origin. Users are advised to update to either version 1.26.19 or version 2.2.2. Users unable to upgrade may use the `Proxy-Authorization` header with urllib3's `ProxyManager`, disable HTTP redirects using `redirects=False` when sending requests, or not use the `Proxy-Authorization` header as mitigations.

Package Name: urllib3
Installed Version: 1.25.7
Fixed Version: 1.26.19, 2.2.2

References: access.redhat.com access.redhat.com bugzilla.redhat.com bugzilla.redhat.com cve.mitre.org errata.almalinux.org errata.rockylinux.org github.com github.com github.com github.com linux.oracle.com linux.oracle.com nvd.nist.gov ubuntu.com ubuntu.com www.cve.org

These instructions assume you have set up the repository first (or read how to).

To pull publish @ reference/tag 0.3.0:

docker pull docker.cloudsmith.io/cloudsmith/bitbucket-pipes/publish:0.3.0

You can also pull the latest version of this image (if it exists):

docker pull docker.cloudsmith.io/cloudsmith/bitbucket-pipes/publish:latest

To refer to this image after pulling in a Dockerfile, specify the following:

FROM docker.cloudsmith.io/cloudsmith/bitbucket-pipes/publish:0.3.0