Cloudsmith - Repositories - demo-docs (demo-docs) - awesome-repo (awesome-repo) - nginx

Package Search Help

You can use boolean logic (e.g. AND/OR/NOT) for complex search queries. For more help and examples, see the search documentation.

Search by package name:
my-package _(implicit)
name:my-package _(explicit)

Search by package filename:
filename:my-package.ext

Search by package tag:
tag:latest

Search by package version:
version:1.0.0 prerelease:true _{(prereleases)}
prerelease:false _{(no prereleases)}

Search by package architecture:
architecture:x86_64

Search by package distribution:
distribution:el

Search by package license:
license:MIT

Search by package format:
format:deb

Search by package status:
status:in_progress

Search by package file checksum:
checksum:5afba

Search by package security status:
severity:critical

Search by package vulnerabilities:
vulnerabilities:>1
vulnerabilities:<1000

Search by # of package downloads:
downloads:>8
downloads:<100

Search by package type:
type:binary
type:source

Search by package size (bytes):
size:>50000
size:<10000

Search by dependency name/version:
dependency:log4j
dependency:log4j=1.0.0
dependency:log4j>1.0.0

Search by uploaded date:
uploaded:>"1 day ago"
uploaded:<"August 14, 2022 EST"

Search by entitlement token (identifier):
entitlement:3lKPVJPosCsY

Search by policy violation:
policy_violated:true
deny_policy_violated:true
license_policy_violated:true
vulnerability_policy_violated:true

Search by repository:
repository:repo-name

Search by last download date:
last_downloaded:<"30 days ago"
last_downloaded:>"August 14, 2022 EST"

Search queries for all Debian-specific (and related) package types

Search by component:
deb_component:unstable

Search queries for all Maven-specific (and related) package types

Search by group ID:
maven_group_id:org.apache

Search queries for all Docker-specific (and related) package types

Search by image digest:
docker_image_digest:sha256:7c5..6d4
(full hashref only)

Search by layer digest:
docker_layer_digest:sha256:4c4..ae4
(full hashref only)

Search queries for all Generic-specific package types

Search by file path:
generic_filepath:path/to/file.txt

Search by directory:
generic_directory:path/to

Field type modifiers (depending on the type, you can influence behaviour)

For all queries, you can use:
~foo for negation

For string queries, you can use:
^foo to anchor to start of term
foo$ to anchor to end of term
foo*bar for fuzzy matching

For number/date or version queries, you can use:
>foo for values greater than
>=foo for values greater / equal
<foo for values less than
<=foo for values less / equal

Need a secure and centralised artifact repository to deliver Alpine, Cargo, CocoaPods, Composer, Conan, Conda, CRAN, Dart, Debian, Docker, Generic, Go, Helm, Hex, HuggingFace, LuaRocks, Maven, MCP, npm, NuGet, P2, Python, RedHat, Ruby, Swift, Terraform, Vagrant, VSX, Raw & More packages?

Cloudsmith is the new standard in Package / Artifact Management and Software Distribution.

With support for all major package formats, you can trust us to manage your software supply chain.

Start My Free Trial

Set Me Up

Public — demo-docs / awesome-repo

A certifiably-awesome public package repository curated by demo-docs, hosted by Cloudsmith.

Package Policy Violations

This package is in violation of the following policy.

Medium severity CVEs:

A security scan detected a vulnerability with a severity which is not permitted by this policy.

nginx 1.26.1

Download

One-liner (summary)

A certifiably-awesome package curated by , hosted by Cloudsmith.

Description

A certifiably-awesome package curated by , hosted by Cloudsmith.

License

Unknown

Size

64.5 MB

Downloads

Status	Quarantined
Checksum (MD5)	d23f312f5a559b6887aa312aa4c467fa
Checksum (SHA-1)	97c239988c43dc003d3a8d3cfe8de2fe021ae8e8
Checksum (SHA-256)	757cdfb779a9c6036b2374a0b2557bdccc286cbf21184dd76a92bade584666aa
Checksum (SHA-512)	c95e269ca00b16d1ffc797f419746b5c5bfab13ada0bc17cebba494f6bbc29084d…
GPG Signature	Download
GPG Fingerprint	6811684bac0b8895434e97bdd4391b8fb999e537
Storage Region	Dublin, Ireland
Type	Binary (contains binaries and binary artifacts)
Uploaded At	9 months, 4 weeks ago
Uploaded By
Slug Id	nginx-bckb
Unique Id	XnRiBkvRjFdT
Version (Raw)	1.26.1
Version (Parsed)	Major: 1 Minor: 26 Patch: 1 Type: SemVer (Strict)
Orig Version (Raw)	757cdfb779a9c6036b2374a0b2557bdccc286cbf21184dd76a92bade584666aa
Orig Version (Parsed)	Type: Unknown
	docker-specific metadata
Image Digest	sha256:757cdfb779a9c6036b2374a0b2557bdccc286cbf21184dd76a92bade584666aa
Config Digest	sha256:fc562bf83319d118c8ba64909cf6bb89d5691196f836c443ee82f9b981663e04
V1 OCI Index Digest	sha256:2f12a2e2fd6f38a88a8e48fe07f7e6ee7cac5af933cc4114f0204910e7e948bd
V1 Distribution (Signed) Digest	sha256:beab57439b6300d3b71b92ab83500caa2f88b41009cc05ed2435b422fc8dcb53
V1 OCI Digest	sha256:10253c324b58f43be643b0c7fe119e08b9f687808b633974f89e586a80fdc5f3
V2 Distribution List Digest	sha256:dc8dca1891dcf3cbebb1a6ca8859c44d2945a8c725f3318c1d870f0d325e902c
V1 Distribution Digest	sha256:21bd48bdb90621d927820f55490773c0497aae9bda106aafd22ed8038de99293
V2 Distribution Digest	sha256:757cdfb779a9c6036b2374a0b2557bdccc286cbf21184dd76a92bade584666aa
	extended metadata
Manifest Type	V2 Distribution
Architecture	arm64
Config	Args Escaped Cmd nginx -g daemon off; Entrypoint /docker-entrypoint.sh Env NGINX_VERSION=1.26.1 \| NJS_RELEASE=2~bookworm \| NJS_VERSION=0.8.4 \| PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin \| PKG_RELEASE=2~bookworm Exposed Ports 80/tcp Labels 'maintainer' 'NGINX Docker Maintainers <docker-maint@nginx.com>' Stop Signal SIGQUIT
Created	2024-06-21 02:12:35 UTC
Os	linux

Newer	nginx 1.28.0	image arm64 linux stable SBOMcheck high_sev_less_than_… high-sev 66.7 MB — 9 months, 4 weeks ago	2
Newer	nginx 1.28.0-alpine	image arm64 linux stable-alpine 20.8 MB — 9 months, 4 weeks ago	3
Newer	nginx 1.27.5	image arm64 linux mainline SBOMcheck high_sev_less_than_… high-sev 66.7 MB — 9 months, 4 weeks ago	2
Newer	nginx 1.27.5-alpine	image arm64 linux mainline-alpine 20.8 MB — 9 months, 4 weeks ago	3
	nginx 1.26.1	image arm64 linux SBOMcheck high_sev_less_than_… high-sev 64.5 MB — 9 months, 4 weeks ago	2

Last scanned

9 months, 4 weeks ago

Scan result

Vulnerable

Vulnerability count

206

Max. severity

Critical

Target:	XnRiBkvRjFdT.sbom-cyclonedx.json (debian 12.6)
CRITICAL	CVE-2023-6879: aom: heap-buffer-overflow on frame size change Increasing the resolution of video frames, while performing a multi-threaded encode, can result in a heap overflow in av1_loop_restoration_dealloc(). Package Name: libaom3 Installed Version: 3.6.0-1 Fixed Version: References: access.redhat.com aomedia.googlesource.com crbug.com lists.fedoraproject.org lists.fedoraproject.org nvd.nist.gov www.cve.org
CRITICAL	CVE-2024-5171: libaom: Integer overflow in internal function img_alloc_helper Integer overflow in libaom internal function img_alloc_helper can lead to heap buffer overflow. This function can be reached via 3 callers: * Calling aom_img_alloc() with a large value of the d_w, d_h, or align parameter may result in integer overflows in the calculations of buffer sizes and offsets and some fields of the returned aom_image_t struct may be invalid. * Calling aom_img_wrap() with a large value of the d_w, d_h, or align parameter may result in integer overflows in the calculations of buffer sizes and offsets and some fields of the returned aom_image_t struct may be invalid. * Calling aom_img_alloc_with_border() with a large value of the d_w, d_h, align, size_align, or border parameter may result in integer overflows in the calculations of buffer sizes and offsets and some fields of the returned aom_image_t struct may be invalid. Package Name: libaom3 Installed Version: 3.6.0-1 Fixed Version: 3.6.0-1+deb12u1 References: access.redhat.com issues.chromium.org lists.debian.org lists.fedoraproject.org lists.fedoraproject.org nvd.nist.gov ubuntu.com ubuntu.com www.cve.org
CRITICAL	CVE-2025-48174: In libavif before 1.3.0, makeRoom in stream.c has an integer overflow ... In libavif before 1.3.0, makeRoom in stream.c has an integer overflow and resultant buffer overflow in stream->offset+size. Package Name: libavif15 Installed Version: 0.11.1-1 Fixed Version: 0.11.1-1+deb12u1 References: github.com github.com github.com github.com
CRITICAL	CVE-2024-45491: libexpat: Integer Overflow or Wraparound An issue was discovered in libexpat before 2.6.3. dtdCopy in xmlparse.c can have an integer overflow for nDefaultAtts on 32-bit platforms (where UINT_MAX equals SIZE_MAX). Package Name: libexpat1 Installed Version: 2.5.0-1 Fixed Version: 2.5.0-1+deb12u1 References: access.redhat.com access.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com cve.mitre.org cve.mitre.org cve.mitre.org errata.almalinux.org errata.rockylinux.org github.com github.com github.com linux.oracle.com linux.oracle.com nvd.nist.gov security.netapp.com ubuntu.com ubuntu.com ubuntu.com ubuntu.com www.cve.org
CRITICAL	CVE-2024-45492: libexpat: integer overflow An issue was discovered in libexpat before 2.6.3. nextScaffoldPart in xmlparse.c can have an integer overflow for m_groupSize on 32-bit platforms (where UINT_MAX equals SIZE_MAX). Package Name: libexpat1 Installed Version: 2.5.0-1 Fixed Version: 2.5.0-1+deb12u1 References: access.redhat.com access.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com cve.mitre.org cve.mitre.org cve.mitre.org errata.almalinux.org errata.rockylinux.org github.com github.com github.com linux.oracle.com linux.oracle.com nvd.nist.gov security.netapp.com ubuntu.com ubuntu.com www.cve.org
CRITICAL	CVE-2023-45853: zlib: integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_6 MiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product. NOTE: pyminizip through 0.2.6 is also vulnerable because it bundles an affected zlib version, and exposes the applicable MiniZip code through its compress API. Package Name: zlib1g Installed Version: 1:1.2.13.dfsg-1 Fixed Version: References: www.openwall.com www.openwall.com access.redhat.com chromium.googlesource.com chromium.googlesource.com github.com github.com github.com github.com github.com lists.debian.org nvd.nist.gov pypi.org security.gentoo.org security.netapp.com security.netapp.com ubuntu.com www.cve.org www.winimage.com
HIGH	CVE-2023-39616: AOMedia v3.0.0 to v3.5.0 was discovered to contain an invalid read mem ... AOMedia v3.0.0 to v3.5.0 was discovered to contain an invalid read memory access via the component assign_frame_buffer_p in av1/common/av1_common_int.h. Package Name: libaom3 Installed Version: 3.6.0-1 Fixed Version: References: bugs.chromium.org
HIGH	CVE-2025-4802: glibc: static setuid binary dlopen may incorrectly search LD_LIBRARY_PATH Untrusted LD_LIBRARY_PATH environment variable vulnerability in the GNU C Library version 2.27 to 2.38 allows attacker controlled loading of dynamically shared library in statically compiled setuid binaries that call dlopen (including internal dlopen calls after setlocale or calls to NSS functions such as getaddrinfo). Package Name: libc-bin Installed Version: 2.36-9+deb12u7 Fixed Version: References: www.openwall.com www.openwall.com access.redhat.com nvd.nist.gov sourceware.org sourceware.org sourceware.org ubuntu.com www.cve.org www.openwall.com www.openwall.com
HIGH	CVE-2025-4802: glibc: static setuid binary dlopen may incorrectly search LD_LIBRARY_PATH Untrusted LD_LIBRARY_PATH environment variable vulnerability in the GNU C Library version 2.27 to 2.38 allows attacker controlled loading of dynamically shared library in statically compiled setuid binaries that call dlopen (including internal dlopen calls after setlocale or calls to NSS functions such as getaddrinfo). Package Name: libc6 Installed Version: 2.36-9+deb12u7 Fixed Version: References: www.openwall.com www.openwall.com access.redhat.com nvd.nist.gov sourceware.org sourceware.org sourceware.org ubuntu.com www.cve.org www.openwall.com www.openwall.com
HIGH	CVE-2023-52425: expat: parsing large tokens can trigger a denial of service libexpat through 2.5.0 allows a denial of service (resource consumption) because many full reparsings are required in the case of a large token for which multiple buffer fills are needed. Package Name: libexpat1 Installed Version: 2.5.0-1 Fixed Version: References: www.openwall.com access.redhat.com access.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com cve.mitre.org errata.almalinux.org errata.rockylinux.org github.com linux.oracle.com linux.oracle.com lists.debian.org lists.fedoraproject.org lists.fedoraproject.org nvd.nist.gov security.netapp.com ubuntu.com www.cve.org
HIGH	CVE-2024-45490: libexpat: Negative Length Parsing Vulnerability in libexpat An issue was discovered in libexpat before 2.6.3. xmlparse.c does not reject a negative length for XML_ParseBuffer. Package Name: libexpat1 Installed Version: 2.5.0-1 Fixed Version: 2.5.0-1+deb12u1 References: access.redhat.com access.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com cve.mitre.org cve.mitre.org cve.mitre.org errata.almalinux.org errata.rockylinux.org github.com github.com github.com linux.oracle.com linux.oracle.com nvd.nist.gov security.netapp.com ubuntu.com ubuntu.com ubuntu.com ubuntu.com www.cve.org
HIGH	CVE-2024-8176: libexpat: expat: Improper Restriction of XML Entity Expansion Depth in libexpat A stack overflow vulnerability exists in the libexpat library due to the way it handles recursive entity expansion in XML documents. When parsing an XML document with deeply nested entity references, libexpat can be forced to recurse indefinitely, exhausting the stack space and causing a crash. This issue could lead to denial of service (DoS) or, in some cases, exploitable memory corruption, depending on the environment and library usage. Package Name: libexpat1 Installed Version: 2.5.0-1 Fixed Version: References: www.openwall.com access.redhat.com access.redhat.com access.redhat.com access.redhat.com access.redhat.com access.redhat.com access.redhat.com access.redhat.com access.redhat.com access.redhat.com access.redhat.com access.redhat.com blog.hartwork.org bugzilla.redhat.com bugzilla.redhat.com bugzilla.suse.com errata.almalinux.org github.com github.com gitlab.alpinelinux.org linux.oracle.com linux.oracle.com nvd.nist.gov security-tracker.debian.org security.netapp.com ubuntu.com ubuntu.com www.cve.org www.kb.cert.org
HIGH	CVE-2025-27363: freetype: OOB write when attempting to parse font subglyph structures related to TrueType GX and variable font files An out of bounds write exists in FreeType versions 2.13.0 and below (newer versions of FreeType are not vulnerable) when attempting to parse font subglyph structures related to TrueType GX and variable font files. The vulnerable code assigns a signed short value to an unsigned long and then adds a static value causing it to wrap around and allocate too small of a heap buffer. The code then writes up to 6 signed long integers out of bounds relative to this buffer. This may result in arbitrary code execution. This vulnerability may have been exploited in the wild. Package Name: libfreetype6 Installed Version: 2.12.1+dfsg-5+deb12u3 Fixed Version: 2.12.1+dfsg-5+deb12u4 References: www.openwall.com www.openwall.com www.openwall.com www.openwall.com www.openwall.com www.openwall.com www.openwall.com www.openwall.com www.openwall.com www.openwall.com www.openwall.com access.redhat.com access.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com errata.almalinux.org linux.oracle.com linux.oracle.com lists.debian.org nvd.nist.gov source.android.com ubuntu.com ubuntu.com www.cisa.gov www.cve.org www.facebook.com
HIGH	CVE-2023-49462: libheif v1.17.5 was discovered to contain a segmentation violation via ... libheif v1.17.5 was discovered to contain a segmentation violation via the component /libheif/exif.cc. Package Name: libheif1 Installed Version: 1.15.1-1 Fixed Version: 1.15.1-1+deb12u1 References: github.com ubuntu.com www.cve.org
HIGH	CVE-2024-41311: In Libheif 1.17.6, insufficient checks in ImageOverlay::parse() decodi ... In Libheif 1.17.6, insufficient checks in ImageOverlay::parse() decoding a heif file containing an overlay image with forged offsets can lead to an out-of-bounds read and write. Package Name: libheif1 Installed Version: 1.15.1-1 Fixed Version: 1.15.1-1+deb12u1 References: gist.github.com github.com github.com github.com github.com lists.debian.org ubuntu.com www.cve.org
HIGH	CVE-2025-5222: icu: Stack buffer overflow in the SRBRoot::addTag function A stack buffer overflow was found in Internationl components for unicode (ICU ). While running the genrb binary, the 'subtag' struct overflowed at the SRBRoot::addTag function. This issue may lead to memory corruption and local arbitrary code execution. Package Name: libicu72 Installed Version: 72.1-3 Fixed Version: References: access.redhat.com bugzilla.redhat.com nvd.nist.gov www.cve.org
HIGH	CVE-2023-2953: openldap: null pointer dereference in ber_memalloc_x function A vulnerability was found in openldap. This security flaw causes a null pointer dereference in ber_memalloc_x() function. Package Name: libldap-2.5-0 Installed Version: 2.5.13+dfsg-5 Fixed Version: References: seclists.org seclists.org seclists.org access.redhat.com access.redhat.com bugs.openldap.org bugzilla.redhat.com bugzilla.redhat.com cve.mitre.org errata.almalinux.org errata.rockylinux.org linux.oracle.com linux.oracle.com nvd.nist.gov security.netapp.com support.apple.com support.apple.com support.apple.com ubuntu.com ubuntu.com www.cve.org
HIGH	CVE-2025-31115: xz: XZ has a heap-use-after-free bug in threaded .xz decoder XZ Utils provide a general-purpose data-compression library plus command-line tools. In XZ Utils 5.3.3alpha to 5.8.0, the multithreaded .xz decoder in liblzma has a bug where invalid input can at least result in a crash. The effects include heap use after free and writing to an address based on the null pointer plus an offset. Applications and libraries that use the lzma_stream_decoder_mt function are affected. The bug has been fixed in XZ Utils 5.8.1, and the fix has been committed to the v5.4, v5.6, v5.8, and master branches in the xz Git repository. No new release packages will be made from the old stable branches, but a standalone patch is available that applies to all affected releases. Package Name: liblzma5 Installed Version: 5.4.1-0.2 Fixed Version: 5.4.1-1 References: www.openwall.com www.openwall.com www.openwall.com access.redhat.com github.com github.com nvd.nist.gov tukaani.org ubuntu.com www.cve.org
HIGH	CVE-2024-6119: openssl: Possible denial of service in X.509 name checks Issue summary: Applications performing certificate name checks (e.g., TLS clients checking server certificates) may attempt to read an invalid memory address resulting in abnormal termination of the application process. Impact summary: Abnormal termination of an application can a cause a denial of service. Applications performing certificate name checks (e.g., TLS clients checking server certificates) may attempt to read an invalid memory address when comparing the expected name with an `otherName` subject alternative name of an X.509 certificate. This may result in an exception that terminates the application program. Note that basic certificate chain validation (signatures, dates, ...) is not affected, the denial of service can occur only when the application also specifies an expected DNS name, Email address or IP address. TLS servers rarely solicit client certificates, and even when they do, they generally don't perform a name check against a reference identifier (expected identity), but rather extract the presented identity after checking the certificate chain. So TLS servers are generally not affected and the severity of the issue is Moderate. The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue. Package Name: libssl3 Installed Version: 3.0.13-1~deb12u1 Fixed Version: 3.0.14-1~deb12u2 References: www.openwall.com access.redhat.com access.redhat.com bugzilla.redhat.com bugzilla.redhat.com cve.mitre.org errata.almalinux.org errata.rockylinux.org github.com github.com github.com github.com github.com linux.oracle.com linux.oracle.com lists.freebsd.org nvd.nist.gov openssl-library.org security.netapp.com ubuntu.com www.cve.org
HIGH	CVE-2023-52355: libtiff: TIFFRasterScanlineSize64 produce too-big size and could cause OOM An out-of-memory flaw was found in libtiff that could be triggered by passing a crafted tiff file to the TIFFRasterScanlineSize64() API. This flaw allows a remote attacker to cause a denial of service via a crafted input with a size smaller than 379 KB. Package Name: libtiff6 Installed Version: 4.5.0-6+deb12u1 Fixed Version: References: access.redhat.com bugzilla.redhat.com gitlab.com nvd.nist.gov www.cve.org
HIGH	CVE-2023-52356: libtiff: Segment fault in libtiff in TIFFReadRGBATileExt() leading to denial of service A segment fault (SEGV) flaw was found in libtiff that could be triggered by passing a crafted tiff file to the TIFFReadRGBATileExt() API. This flaw allows a remote attacker to cause a heap-buffer overflow, leading to a denial of service. Package Name: libtiff6 Installed Version: 4.5.0-6+deb12u1 Fixed Version: 4.5.0-6+deb12u2 References: seclists.org seclists.org seclists.org seclists.org seclists.org seclists.org seclists.org seclists.org access.redhat.com access.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com cve.mitre.org cve.mitre.org cve.mitre.org cve.mitre.org errata.almalinux.org errata.rockylinux.org gitlab.com gitlab.com linux.oracle.com linux.oracle.com lists.debian.org nvd.nist.gov support.apple.com support.apple.com support.apple.com support.apple.com support.apple.com support.apple.com support.apple.com support.apple.com ubuntu.com ubuntu.com www.cve.org
HIGH	CVE-2024-7006: libtiff: NULL pointer dereference in tif_dirinfo.c A null pointer dereference flaw was found in Libtiff via `tif_dirinfo.c`. This issue may allow an attacker to trigger memory allocation failures through certain means, such as restricting the heap space size or injecting faults, causing a segmentation fault. This can cause an application crash, eventually leading to a denial of service. Package Name: libtiff6 Installed Version: 4.5.0-6+deb12u1 Fixed Version: 4.5.0-6+deb12u2 References: access.redhat.com access.redhat.com access.redhat.com access.redhat.com bugzilla.redhat.com bugzilla.redhat.com cve.mitre.org errata.almalinux.org errata.rockylinux.org gitlab.com linux.oracle.com linux.oracle.com nvd.nist.gov security.netapp.com ubuntu.com ubuntu.com www.cve.org
HIGH	CVE-2024-25062: libxml2: use-after-free in XMLReader An issue was discovered in libxml2 before 2.11.7 and 2.12.x before 2.12.5. When using the XML Reader interface with DTD validation and XInclude expansion enabled, processing crafted XML documents can lead to an xmlValidatePopElement use-after-free. Package Name: libxml2 Installed Version: 2.9.14+dfsg-1.3~deb12u1 Fixed Version: References: access.redhat.com access.redhat.com bugzilla.redhat.com bugzilla.redhat.com cve.mitre.org errata.almalinux.org errata.rockylinux.org gitlab.gnome.org gitlab.gnome.org linux.oracle.com linux.oracle.com nvd.nist.gov ubuntu.com ubuntu.com www.cve.org
HIGH	CVE-2024-56171: libxml2: Use-After-Free in libxml2 libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a use-after-free in xmlSchemaIDCFillNodeTables and xmlSchemaBubbleIDCNodeTables in xmlschemas.c. To exploit this, a crafted XML document must be validated against an XML schema with certain identity constraints, or a crafted XML schema must be used. Package Name: libxml2 Installed Version: 2.9.14+dfsg-1.3~deb12u1 Fixed Version: References: access.redhat.com access.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com cve.mitre.org cve.mitre.org errata.almalinux.org errata.rockylinux.org gitlab.gnome.org linux.oracle.com linux.oracle.com nvd.nist.gov security.netapp.com ubuntu.com www.cve.org www.openwall.com
HIGH	CVE-2025-24928: libxml2: Stack-based buffer overflow in xmlSnprintfElements of libxml2 libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a stack-based buffer overflow in xmlSnprintfElements in valid.c. To exploit this, DTD validation must occur for an untrusted document or untrusted DTD. NOTE: this is similar to CVE-2017-9047. Package Name: libxml2 Installed Version: 2.9.14+dfsg-1.3~deb12u1 Fixed Version: References: access.redhat.com access.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com cve.mitre.org cve.mitre.org errata.almalinux.org errata.rockylinux.org gitlab.gnome.org issues.oss-fuzz.com linux.oracle.com linux.oracle.com nvd.nist.gov security.netapp.com ubuntu.com www.cve.org www.openwall.com
HIGH	CVE-2025-27113: libxml2: NULL Pointer Dereference in libxml2 xmlPatMatch libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a NULL pointer dereference in xmlPatMatch in pattern.c. Package Name: libxml2 Installed Version: 2.9.14+dfsg-1.3~deb12u1 Fixed Version: References: access.redhat.com gitlab.gnome.org nvd.nist.gov security.netapp.com ubuntu.com www.cve.org www.openwall.com
HIGH	CVE-2025-32414: libxml2: Out-of-Bounds Read in libxml2 In libxml2 before 2.13.8 and 2.14.x before 2.14.2, out-of-bounds memory access can occur in the Python API (Python bindings) because of an incorrect return value. This occurs in xmlPythonFileRead and xmlPythonFileReadRaw because of a difference between bytes and characters. Package Name: libxml2 Installed Version: 2.9.14+dfsg-1.3~deb12u1 Fixed Version: References: access.redhat.com gitlab.gnome.org nvd.nist.gov ubuntu.com ubuntu.com www.cve.org
HIGH	CVE-2025-32415: libxml2: Out-of-bounds Read in xmlSchemaIDCFillNodeTables In libxml2 before 2.13.8 and 2.14.x before 2.14.2, xmlSchemaIDCFillNodeTables in xmlschemas.c has a heap-based buffer under-read. To exploit this, a crafted XML document must be validated against an XML schema with certain identity constraints, or a crafted XML schema must be used. Package Name: libxml2 Installed Version: 2.9.14+dfsg-1.3~deb12u1 Fixed Version: References: access.redhat.com gitlab.gnome.org nvd.nist.gov ubuntu.com ubuntu.com www.cve.org
HIGH	CVE-2024-55549: libxslt: Use-After-Free in libxslt (xsltGetInheritedNsList) xsltGetInheritedNsList in libxslt before 1.1.43 has a use-after-free issue related to exclusion of result prefixes. Package Name: libxslt1.1 Installed Version: 1.1.35-1 Fixed Version: 1.1.35-1+deb12u1 References: access.redhat.com access.redhat.com bugzilla.redhat.com errata.almalinux.org gitlab.gnome.org linux.oracle.com linux.oracle.com nvd.nist.gov ubuntu.com www.cve.org
HIGH	CVE-2025-24855: libxslt: Use-After-Free in libxslt numbers.c numbers.c in libxslt before 1.1.43 has a use-after-free because, in nested XPath evaluations, an XPath context node can be modified but never restored. This is related to xsltNumberFormatGetValue, xsltEvalXPathPredicate, xsltEvalXPathStringNs, and xsltComputeSortResultInternal. Package Name: libxslt1.1 Installed Version: 1.1.35-1 Fixed Version: 1.1.35-1+deb12u1 References: access.redhat.com access.redhat.com bugzilla.redhat.com errata.almalinux.org gitlab.gnome.org linux.oracle.com linux.oracle.com nvd.nist.gov ubuntu.com www.cve.org
HIGH	CVE-2024-6119: openssl: Possible denial of service in X.509 name checks Issue summary: Applications performing certificate name checks (e.g., TLS clients checking server certificates) may attempt to read an invalid memory address resulting in abnormal termination of the application process. Impact summary: Abnormal termination of an application can a cause a denial of service. Applications performing certificate name checks (e.g., TLS clients checking server certificates) may attempt to read an invalid memory address when comparing the expected name with an `otherName` subject alternative name of an X.509 certificate. This may result in an exception that terminates the application program. Note that basic certificate chain validation (signatures, dates, ...) is not affected, the denial of service can occur only when the application also specifies an expected DNS name, Email address or IP address. TLS servers rarely solicit client certificates, and even when they do, they generally don't perform a name check against a reference identifier (expected identity), but rather extract the presented identity after checking the certificate chain. So TLS servers are generally not affected and the severity of the issue is Moderate. The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue. Package Name: openssl Installed Version: 3.0.13-1~deb12u1 Fixed Version: 3.0.14-1~deb12u2 References: www.openwall.com access.redhat.com access.redhat.com bugzilla.redhat.com bugzilla.redhat.com cve.mitre.org errata.almalinux.org errata.rockylinux.org github.com github.com github.com github.com github.com linux.oracle.com linux.oracle.com lists.freebsd.org nvd.nist.gov openssl-library.org security.netapp.com ubuntu.com www.cve.org
HIGH	CVE-2023-31484: perl: CPAN.pm does not verify TLS certificates when downloading distributions over HTTPS CPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over HTTPS. Package Name: perl-base Installed Version: 5.36.0-7+deb12u1 Fixed Version: References: www.openwall.com www.openwall.com www.openwall.com www.openwall.com access.redhat.com access.redhat.com blog.hackeriet.no bugzilla.redhat.com bugzilla.redhat.com cve.mitre.org errata.almalinux.org errata.rockylinux.org github.com github.com linux.oracle.com linux.oracle.com lists.fedoraproject.org lists.fedoraproject.org metacpan.org nvd.nist.gov security.netapp.com ubuntu.com ubuntu.com www.cve.org www.openwall.com
HIGH	CVE-2024-56406: perl: Perl 5.34, 5.36, 5.38 and 5.40 are vulnerable to a heap buffer overflow when transliterating non-ASCII bytes A heap buffer overflow vulnerability was discovered in Perl. Release branches 5.34, 5.36, 5.38 and 5.40 are affected, including development versions from 5.33.1 through 5.41.10. When there are non-ASCII bytes in the left-hand-side of the `tr` operator, `S_do_trans_invmap` can overflow the destination pointer `d`. $ perl -e '$_ = "\x{FF}" x 1000000; tr/\xFF/\x{100}/;' Segmentation fault (core dumped) It is believed that this vulnerability can enable Denial of Service and possibly Code Execution attacks on platforms that lack sufficient defenses. Package Name: perl-base Installed Version: 5.36.0-7+deb12u1 Fixed Version: 5.36.0-7+deb12u2 References: www.openwall.com www.openwall.com www.openwall.com access.redhat.com github.com metacpan.org metacpan.org nvd.nist.gov ubuntu.com ubuntu.com www.cve.org
MEDIUM	CVE-2024-11053: curl: curl netrc password leak When asked to both use a `.netrc` file for credentials and to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances. This flaw only manifests itself if the netrc file has an entry that matches the redirect target hostname but the entry either omits just the password or omits both login and password. Package Name: curl Installed Version: 7.88.1-10+deb12u6 Fixed Version: 7.88.1-10+deb12u10 References: www.openwall.com access.redhat.com access.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com curl.se curl.se errata.almalinux.org hackerone.com linux.oracle.com linux.oracle.com nvd.nist.gov security.netapp.com security.netapp.com ubuntu.com www.cve.org www.oracle.com
MEDIUM	CVE-2024-7264: curl: libcurl: ASN.1 date parser overread libcurl's ASN1 parser code has the `GTime2str()` function, used for parsing an ASN.1 Generalized Time field. If given an syntactically incorrect field, the parser might end up using -1 for the length of the time fraction, leading to a `strlen()` getting performed on a pointer to a heap buffer area that is not (purposely) null terminated. This flaw most likely leads to a crash, but can also lead to heap contents getting returned to the application when [CURLINFO_CERTINFO](https://curl.se/libcurl/c/CURLINFO_CERTINFO.html) is used. Package Name: curl Installed Version: 7.88.1-10+deb12u6 Fixed Version: 7.88.1-10+deb12u7 References: www.openwall.com access.redhat.com access.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com curl.se curl.se errata.almalinux.org github.com hackerone.com linux.oracle.com linux.oracle.com nvd.nist.gov security.netapp.com ubuntu.com ubuntu.com www.cve.org www.oracle.com
MEDIUM	CVE-2024-8096: curl: OCSP stapling bypass with GnuTLS When curl is told to use the Certificate Status Request TLS extension, often referred to as OCSP stapling, to verify that the server certificate is valid, it might fail to detect some OCSP problems and instead wrongly consider the response as fine. If the returned status reports another error than 'revoked' (like for example 'unauthorized') it is not treated as a bad certficate. Package Name: curl Installed Version: 7.88.1-10+deb12u6 Fixed Version: 7.88.1-10+deb12u8 References: www.openwall.com access.redhat.com curl.se curl.se hackerone.com lists.debian.org nvd.nist.gov security.netapp.com ubuntu.com www.cve.org
MEDIUM	CVE-2024-9681: curl: HSTS subdomain overwrites parent cache entry When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than otherwise intended. This affects curl using applications that enable HSTS and use URLs with the insecure `HTTP://` scheme and perform transfers with hosts like `x.example.com` as well as `example.com` where the first host is a subdomain of the second host. (The HSTS cache either needs to have been populated manually or there needs to have been previous HTTPS accesses done as the cache needs to have entries for the domains involved to trigger this problem.) When `x.example.com` responds with `Strict-Transport-Security:` headers, this bug can make the subdomain's expiry timeout bleed over and get set for the parent domain `example.com` in curl's HSTS cache. The result of a triggered bug is that HTTP accesses to `example.com` get converted to HTTPS for a different period of time than what was asked for by the origin server. If `example.com` for example stops supporting HTTPS at its expiry time, curl might then fail to access `http://example.com` until the (wrongly set) timeout expires. This bug can also expire the parent's entry earlier, thus making curl inadvertently switch back to insecure HTTP earlier than otherwise intended. Package Name: curl Installed Version: 7.88.1-10+deb12u6 Fixed Version: 7.88.1-10+deb12u9 References: www.openwall.com access.redhat.com curl.se curl.se hackerone.com nvd.nist.gov security.netapp.com ubuntu.com www.cve.org
MEDIUM	CVE-2025-0838: abseil-cpp: Heap Buffer overflow in Abseil There exists a heap buffer overflow vulnerable in Abseil-cpp. The sized constructors, reserve(), and rehash() methods of absl::{flat,node}hash{set,map} did not impose an upper bound on their size argument. As a result, it was possible for a caller to pass a very large size that would cause an integer overflow when computing the size of the container's backing store, and a subsequent out-of-bounds memory write. Subsequent accesses to the container might also access out-of-bounds memory. We recommend upgrading past commit 5a0e2cb5e3958dd90bb8569a2766622cb74d90c1 Package Name: libabsl20220623 Installed Version: 20220623.1-1 Fixed Version: 20220623.1-1+deb12u1 References: access.redhat.com github.com github.com lists.debian.org nvd.nist.gov ubuntu.com www.cve.org
MEDIUM	CVE-2025-0395: glibc: buffer overflow in the GNU C Library's assert() When the assert() function in the GNU C Library versions 2.13 to 2.40 fails, it does not allocate enough space for the assertion failure message string and size information, which may lead to a buffer overflow if the message string size aligns to page size. Package Name: libc-bin Installed Version: 2.36-9+deb12u7 Fixed Version: 2.36-9+deb12u10 References: www.openwall.com www.openwall.com www.openwall.com www.openwall.com access.redhat.com access.redhat.com bugzilla.redhat.com errata.almalinux.org linux.oracle.com linux.oracle.com lists.debian.org nvd.nist.gov security.netapp.com sourceware.org sourceware.org sourceware.org ubuntu.com ubuntu.com ubuntu.com www.cve.org www.openwall.com
MEDIUM	CVE-2025-0395: glibc: buffer overflow in the GNU C Library's assert() When the assert() function in the GNU C Library versions 2.13 to 2.40 fails, it does not allocate enough space for the assertion failure message string and size information, which may lead to a buffer overflow if the message string size aligns to page size. Package Name: libc6 Installed Version: 2.36-9+deb12u7 Fixed Version: 2.36-9+deb12u10 References: www.openwall.com www.openwall.com www.openwall.com www.openwall.com access.redhat.com access.redhat.com bugzilla.redhat.com errata.almalinux.org linux.oracle.com linux.oracle.com lists.debian.org nvd.nist.gov security.netapp.com sourceware.org sourceware.org sourceware.org ubuntu.com ubuntu.com ubuntu.com www.cve.org www.openwall.com
MEDIUM	CVE-2025-1390: libcap: pam_cap: Fix potential configuration parsing error The PAM module pam_cap.so of libcap configuration supports group names starting with “@”, during actual parsing, configurations not starting with “@” are incorrectly recognized as group names. This may result in nonintended users being granted an inherited capability set, potentially leading to security risks. Attackers can exploit this vulnerability to achieve local privilege escalation on systems where /etc/security/capability.conf is used to configure user inherited privileges by constructing specific usernames. Package Name: libcap2 Installed Version: 1:2.66-4 Fixed Version: 1:2.66-4+deb12u1 References: access.redhat.com bugzilla.openanolis.cn nvd.nist.gov ubuntu.com www.cve.org
MEDIUM	CVE-2024-11053: curl: curl netrc password leak When asked to both use a `.netrc` file for credentials and to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances. This flaw only manifests itself if the netrc file has an entry that matches the redirect target hostname but the entry either omits just the password or omits both login and password. Package Name: libcurl4 Installed Version: 7.88.1-10+deb12u6 Fixed Version: 7.88.1-10+deb12u10 References: www.openwall.com access.redhat.com access.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com curl.se curl.se errata.almalinux.org hackerone.com linux.oracle.com linux.oracle.com nvd.nist.gov security.netapp.com security.netapp.com ubuntu.com www.cve.org www.oracle.com
MEDIUM	CVE-2024-7264: curl: libcurl: ASN.1 date parser overread libcurl's ASN1 parser code has the `GTime2str()` function, used for parsing an ASN.1 Generalized Time field. If given an syntactically incorrect field, the parser might end up using -1 for the length of the time fraction, leading to a `strlen()` getting performed on a pointer to a heap buffer area that is not (purposely) null terminated. This flaw most likely leads to a crash, but can also lead to heap contents getting returned to the application when [CURLINFO_CERTINFO](https://curl.se/libcurl/c/CURLINFO_CERTINFO.html) is used. Package Name: libcurl4 Installed Version: 7.88.1-10+deb12u6 Fixed Version: 7.88.1-10+deb12u7 References: www.openwall.com access.redhat.com access.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com curl.se curl.se errata.almalinux.org github.com hackerone.com linux.oracle.com linux.oracle.com nvd.nist.gov security.netapp.com ubuntu.com ubuntu.com www.cve.org www.oracle.com
MEDIUM	CVE-2024-8096: curl: OCSP stapling bypass with GnuTLS When curl is told to use the Certificate Status Request TLS extension, often referred to as OCSP stapling, to verify that the server certificate is valid, it might fail to detect some OCSP problems and instead wrongly consider the response as fine. If the returned status reports another error than 'revoked' (like for example 'unauthorized') it is not treated as a bad certficate. Package Name: libcurl4 Installed Version: 7.88.1-10+deb12u6 Fixed Version: 7.88.1-10+deb12u8 References: www.openwall.com access.redhat.com curl.se curl.se hackerone.com lists.debian.org nvd.nist.gov security.netapp.com ubuntu.com www.cve.org
MEDIUM	CVE-2024-9681: curl: HSTS subdomain overwrites parent cache entry When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than otherwise intended. This affects curl using applications that enable HSTS and use URLs with the insecure `HTTP://` scheme and perform transfers with hosts like `x.example.com` as well as `example.com` where the first host is a subdomain of the second host. (The HSTS cache either needs to have been populated manually or there needs to have been previous HTTPS accesses done as the cache needs to have entries for the domains involved to trigger this problem.) When `x.example.com` responds with `Strict-Transport-Security:` headers, this bug can make the subdomain's expiry timeout bleed over and get set for the parent domain `example.com` in curl's HSTS cache. The result of a triggered bug is that HTTP accesses to `example.com` get converted to HTTPS for a different period of time than what was asked for by the origin server. If `example.com` for example stops supporting HTTPS at its expiry time, curl might then fail to access `http://example.com` until the (wrongly set) timeout expires. This bug can also expire the parent's entry earlier, thus making curl inadvertently switch back to insecure HTTP earlier than otherwise intended. Package Name: libcurl4 Installed Version: 7.88.1-10+deb12u6 Fixed Version: 7.88.1-10+deb12u9 References: www.openwall.com access.redhat.com curl.se curl.se hackerone.com nvd.nist.gov security.netapp.com ubuntu.com www.cve.org
MEDIUM	CVE-2023-32570: VideoLAN dav1d before 1.2.0 has a thread_task.c race condition that ca ... VideoLAN dav1d before 1.2.0 has a thread_task.c race condition that can lead to an application crash, related to dav1d_decode_frame_exit. Package Name: libdav1d6 Installed Version: 1.0.0-2+deb12u1 Fixed Version: References: code.videolan.org code.videolan.org lists.fedoraproject.org lists.fedoraproject.org security.gentoo.org
MEDIUM	CVE-2023-51792: Buffer Overflow vulnerability in libde265 v1.0.12 allows a local attac ... Buffer Overflow vulnerability in libde265 v1.0.12 allows a local attacker to cause a denial of service via the allocation size exceeding the maximum supported size of 0x10000000000. Package Name: libde265-0 Installed Version: 1.0.11-1+deb12u2 Fixed Version: References: github.com github.com lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org ubuntu.com www.cve.org
MEDIUM	CVE-2024-38949: Heap Buffer Overflow vulnerability in Libde265 v1.0.15 allows attacker ... Heap Buffer Overflow vulnerability in Libde265 v1.0.15 allows attackers to crash the application via crafted payload to display444as420 function at sdl.cc Package Name: libde265-0 Installed Version: 1.0.11-1+deb12u2 Fixed Version: References: github.com github.com www.cve.org
MEDIUM	CVE-2024-38950: Heap Buffer Overflow vulnerability in Libde265 v1.0.15 allows attacker ... Heap Buffer Overflow vulnerability in Libde265 v1.0.15 allows attackers to crash the application via crafted payload to __interceptor_memcpy function. Package Name: libde265-0 Installed Version: 1.0.11-1+deb12u2 Fixed Version: References: github.com github.com www.cve.org
MEDIUM	CVE-2024-50602: libexpat: expat: DoS via XML_ResumeParser An issue was discovered in libexpat before 2.6.4. There is a crash within the XML_ResumeParser function because XML_StopParser can stop/suspend an unstarted parser. Package Name: libexpat1 Installed Version: 2.5.0-1 Fixed Version: References: access.redhat.com access.redhat.com bugzilla.redhat.com bugzilla.redhat.com cve.mitre.org errata.almalinux.org errata.rockylinux.org github.com linux.oracle.com linux.oracle.com lists.debian.org nvd.nist.gov security.netapp.com ubuntu.com www.cve.org
MEDIUM	CVE-2024-12243: gnutls: GnuTLS Impacted by Inefficient DER Decoding in libtasn1 Leading to Remote DoS A flaw was found in GnuTLS, which relies on libtasn1 for ASN.1 data processing. Due to an inefficient algorithm in libtasn1, decoding certain DER-encoded certificate data can take excessive time, leading to increased resource consumption. This flaw allows a remote attacker to send a specially crafted certificate, causing GnuTLS to become unresponsive or slow, resulting in a denial-of-service condition. Package Name: libgnutls30 Installed Version: 3.7.9-2+deb12u3 Fixed Version: 3.7.9-2+deb12u4 References: access.redhat.com access.redhat.com access.redhat.com access.redhat.com access.redhat.com bugzilla.redhat.com bugzilla.redhat.com errata.almalinux.org gitlab.com linux.oracle.com linux.oracle.com lists.debian.org lists.gnupg.org nvd.nist.gov security.netapp.com ubuntu.com www.cve.org www.gnutls.org
MEDIUM	CVE-2024-26462: krb5: Memory leak at /krb5/src/kdc/ndr.c Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/kdc/ndr.c. Package Name: libgssapi-krb5-2 Installed Version: 1.20.1-2+deb12u2 Fixed Version: 1.20.1-2+deb12u3 References: access.redhat.com access.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com errata.almalinux.org github.com linux.oracle.com linux.oracle.com mailman.mit.edu nvd.nist.gov security.netapp.com ubuntu.com www.cve.org
MEDIUM	CVE-2025-24528: krb5: overflow when calculating ulog block size A flaw was found in krb5. With incremental propagation enabled, an authenticated attacker can cause kadmind to write beyond the end of the mapped region for the iprop log file. This issue can trigger a process crash and lead to a denial of service. Package Name: libgssapi-krb5-2 Installed Version: 1.20.1-2+deb12u2 Fixed Version: 1.20.1-2+deb12u3 References: access.redhat.com access.redhat.com bugzilla.redhat.com bugzilla.redhat.com cve.mitre.org errata.almalinux.org errata.rockylinux.org github.com linux.oracle.com linux.oracle.com nvd.nist.gov ubuntu.com www.cve.org
MEDIUM	CVE-2025-3576: krb5: Kerberos RC4-HMAC-MD5 Checksum Vulnerability Enabling Message Spoofing via MD5 Collisions A vulnerability in the MIT Kerberos implementation allows GSSAPI-protected messages using RC4-HMAC-MD5 to be spoofed due to weaknesses in the MD5 checksum design. If RC4 is preferred over stronger encryption types, an attacker could exploit MD5 collisions to forge message integrity codes. This may lead to unauthorized message tampering. Package Name: libgssapi-krb5-2 Installed Version: 1.20.1-2+deb12u2 Fixed Version: References: access.redhat.com access.redhat.com bugzilla.redhat.com bugzilla.redhat.com errata.almalinux.org linux.oracle.com linux.oracle.com lists.debian.org nvd.nist.gov ubuntu.com www.cve.org
MEDIUM	CVE-2023-29659: A Segmentation fault caused by a floating point exception exists in li ... A Segmentation fault caused by a floating point exception exists in libheif 1.15.1 using crafted heif images via the heif::Fraction::round() function in box.cc, which causes a denial of service. Package Name: libheif1 Installed Version: 1.15.1-1 Fixed Version: 1.15.1-1+deb12u1 References: None github.com github.com lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org nvd.nist.gov ubuntu.com www.cve.org
MEDIUM	CVE-2024-26462: krb5: Memory leak at /krb5/src/kdc/ndr.c Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/kdc/ndr.c. Package Name: libk5crypto3 Installed Version: 1.20.1-2+deb12u2 Fixed Version: 1.20.1-2+deb12u3 References: access.redhat.com access.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com errata.almalinux.org github.com linux.oracle.com linux.oracle.com mailman.mit.edu nvd.nist.gov security.netapp.com ubuntu.com www.cve.org
MEDIUM	CVE-2025-24528: krb5: overflow when calculating ulog block size A flaw was found in krb5. With incremental propagation enabled, an authenticated attacker can cause kadmind to write beyond the end of the mapped region for the iprop log file. This issue can trigger a process crash and lead to a denial of service. Package Name: libk5crypto3 Installed Version: 1.20.1-2+deb12u2 Fixed Version: 1.20.1-2+deb12u3 References: access.redhat.com access.redhat.com bugzilla.redhat.com bugzilla.redhat.com cve.mitre.org errata.almalinux.org errata.rockylinux.org github.com linux.oracle.com linux.oracle.com nvd.nist.gov ubuntu.com www.cve.org
MEDIUM	CVE-2025-3576: krb5: Kerberos RC4-HMAC-MD5 Checksum Vulnerability Enabling Message Spoofing via MD5 Collisions A vulnerability in the MIT Kerberos implementation allows GSSAPI-protected messages using RC4-HMAC-MD5 to be spoofed due to weaknesses in the MD5 checksum design. If RC4 is preferred over stronger encryption types, an attacker could exploit MD5 collisions to forge message integrity codes. This may lead to unauthorized message tampering. Package Name: libk5crypto3 Installed Version: 1.20.1-2+deb12u2 Fixed Version: References: access.redhat.com access.redhat.com bugzilla.redhat.com bugzilla.redhat.com errata.almalinux.org linux.oracle.com linux.oracle.com lists.debian.org nvd.nist.gov ubuntu.com www.cve.org
MEDIUM	CVE-2024-26462: krb5: Memory leak at /krb5/src/kdc/ndr.c Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/kdc/ndr.c. Package Name: libkrb5-3 Installed Version: 1.20.1-2+deb12u2 Fixed Version: 1.20.1-2+deb12u3 References: access.redhat.com access.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com errata.almalinux.org github.com linux.oracle.com linux.oracle.com mailman.mit.edu nvd.nist.gov security.netapp.com ubuntu.com www.cve.org
MEDIUM	CVE-2025-24528: krb5: overflow when calculating ulog block size A flaw was found in krb5. With incremental propagation enabled, an authenticated attacker can cause kadmind to write beyond the end of the mapped region for the iprop log file. This issue can trigger a process crash and lead to a denial of service. Package Name: libkrb5-3 Installed Version: 1.20.1-2+deb12u2 Fixed Version: 1.20.1-2+deb12u3 References: access.redhat.com access.redhat.com bugzilla.redhat.com bugzilla.redhat.com cve.mitre.org errata.almalinux.org errata.rockylinux.org github.com linux.oracle.com linux.oracle.com nvd.nist.gov ubuntu.com www.cve.org
MEDIUM	CVE-2025-3576: krb5: Kerberos RC4-HMAC-MD5 Checksum Vulnerability Enabling Message Spoofing via MD5 Collisions A vulnerability in the MIT Kerberos implementation allows GSSAPI-protected messages using RC4-HMAC-MD5 to be spoofed due to weaknesses in the MD5 checksum design. If RC4 is preferred over stronger encryption types, an attacker could exploit MD5 collisions to forge message integrity codes. This may lead to unauthorized message tampering. Package Name: libkrb5-3 Installed Version: 1.20.1-2+deb12u2 Fixed Version: References: access.redhat.com access.redhat.com bugzilla.redhat.com bugzilla.redhat.com errata.almalinux.org linux.oracle.com linux.oracle.com lists.debian.org nvd.nist.gov ubuntu.com www.cve.org
MEDIUM	CVE-2024-26462: krb5: Memory leak at /krb5/src/kdc/ndr.c Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/kdc/ndr.c. Package Name: libkrb5support0 Installed Version: 1.20.1-2+deb12u2 Fixed Version: 1.20.1-2+deb12u3 References: access.redhat.com access.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com errata.almalinux.org github.com linux.oracle.com linux.oracle.com mailman.mit.edu nvd.nist.gov security.netapp.com ubuntu.com www.cve.org
MEDIUM	CVE-2025-24528: krb5: overflow when calculating ulog block size A flaw was found in krb5. With incremental propagation enabled, an authenticated attacker can cause kadmind to write beyond the end of the mapped region for the iprop log file. This issue can trigger a process crash and lead to a denial of service. Package Name: libkrb5support0 Installed Version: 1.20.1-2+deb12u2 Fixed Version: 1.20.1-2+deb12u3 References: access.redhat.com access.redhat.com bugzilla.redhat.com bugzilla.redhat.com cve.mitre.org errata.almalinux.org errata.rockylinux.org github.com linux.oracle.com linux.oracle.com nvd.nist.gov ubuntu.com www.cve.org
MEDIUM	CVE-2025-3576: krb5: Kerberos RC4-HMAC-MD5 Checksum Vulnerability Enabling Message Spoofing via MD5 Collisions A vulnerability in the MIT Kerberos implementation allows GSSAPI-protected messages using RC4-HMAC-MD5 to be spoofed due to weaknesses in the MD5 checksum design. If RC4 is preferred over stronger encryption types, an attacker could exploit MD5 collisions to forge message integrity codes. This may lead to unauthorized message tampering. Package Name: libkrb5support0 Installed Version: 1.20.1-2+deb12u2 Fixed Version: References: access.redhat.com access.redhat.com bugzilla.redhat.com bugzilla.redhat.com errata.almalinux.org linux.oracle.com linux.oracle.com lists.debian.org nvd.nist.gov ubuntu.com www.cve.org
MEDIUM	CVE-2024-28182: nghttp2: CONTINUATION frames DoS nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. The nghttp2 library prior to version 1.61.0 keeps reading the unbounded number of HTTP/2 CONTINUATION frames even after a stream is reset to keep HPACK context in sync. This causes excessive CPU usage to decode HPACK stream. nghttp2 v1.61.0 mitigates this vulnerability by limiting the number of CONTINUATION frames it accepts per stream. There is no workaround for this vulnerability. Package Name: libnghttp2-14 Installed Version: 1.52.0-1+deb12u1 Fixed Version: 1.52.0-1+deb12u2 References: www.openwall.com access.redhat.com access.redhat.com bugzilla.redhat.com bugzilla.redhat.com cve.mitre.org errata.almalinux.org errata.rockylinux.org github.com github.com github.com linux.oracle.com linux.oracle.com lists.debian.org lists.debian.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org nowotarski.info nvd.nist.gov ubuntu.com ubuntu.com www.cve.org www.kb.cert.org
MEDIUM	CVE-2024-10041: pam: libpam: Libpam vulnerable to read hashed password A vulnerability was found in PAM. The secret information is stored in memory, where the attacker can trigger the victim program to execute by sending characters to its standard input (stdin). As this occurs, the attacker can train the branch predictor to execute an ROP chain speculatively. This flaw could result in leaked passwords, such as those found in /etc/shadow while performing authentications. Package Name: libpam-modules Installed Version: 1.5.2-6+deb12u1 Fixed Version: References: access.redhat.com access.redhat.com access.redhat.com access.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com cve.mitre.org cve.mitre.org errata.almalinux.org errata.rockylinux.org linux.oracle.com linux.oracle.com nvd.nist.gov www.cve.org
MEDIUM	CVE-2024-22365: pam: allowing unprivileged user to block another user namespace linux-pam (aka Linux PAM) before 1.6.0 allows attackers to cause a denial of service (blocked login process) via mkfifo because the openat call (for protect_dir) lacks O_DIRECTORY. Package Name: libpam-modules Installed Version: 1.5.2-6+deb12u1 Fixed Version: References: www.openwall.com access.redhat.com access.redhat.com bugzilla.redhat.com bugzilla.redhat.com cve.mitre.org errata.almalinux.org errata.rockylinux.org github.com github.com github.com linux.oracle.com linux.oracle.com nvd.nist.gov ubuntu.com ubuntu.com www.cve.org www.openwall.com
MEDIUM	CVE-2024-10041: pam: libpam: Libpam vulnerable to read hashed password A vulnerability was found in PAM. The secret information is stored in memory, where the attacker can trigger the victim program to execute by sending characters to its standard input (stdin). As this occurs, the attacker can train the branch predictor to execute an ROP chain speculatively. This flaw could result in leaked passwords, such as those found in /etc/shadow while performing authentications. Package Name: libpam-modules-bin Installed Version: 1.5.2-6+deb12u1 Fixed Version: References: access.redhat.com access.redhat.com access.redhat.com access.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com cve.mitre.org cve.mitre.org errata.almalinux.org errata.rockylinux.org linux.oracle.com linux.oracle.com nvd.nist.gov www.cve.org
MEDIUM	CVE-2024-22365: pam: allowing unprivileged user to block another user namespace linux-pam (aka Linux PAM) before 1.6.0 allows attackers to cause a denial of service (blocked login process) via mkfifo because the openat call (for protect_dir) lacks O_DIRECTORY. Package Name: libpam-modules-bin Installed Version: 1.5.2-6+deb12u1 Fixed Version: References: www.openwall.com access.redhat.com access.redhat.com bugzilla.redhat.com bugzilla.redhat.com cve.mitre.org errata.almalinux.org errata.rockylinux.org github.com github.com github.com linux.oracle.com linux.oracle.com nvd.nist.gov ubuntu.com ubuntu.com www.cve.org www.openwall.com
MEDIUM	CVE-2024-10041: pam: libpam: Libpam vulnerable to read hashed password A vulnerability was found in PAM. The secret information is stored in memory, where the attacker can trigger the victim program to execute by sending characters to its standard input (stdin). As this occurs, the attacker can train the branch predictor to execute an ROP chain speculatively. This flaw could result in leaked passwords, such as those found in /etc/shadow while performing authentications. Package Name: libpam-runtime Installed Version: 1.5.2-6+deb12u1 Fixed Version: References: access.redhat.com access.redhat.com access.redhat.com access.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com cve.mitre.org cve.mitre.org errata.almalinux.org errata.rockylinux.org linux.oracle.com linux.oracle.com nvd.nist.gov www.cve.org
MEDIUM	CVE-2024-22365: pam: allowing unprivileged user to block another user namespace linux-pam (aka Linux PAM) before 1.6.0 allows attackers to cause a denial of service (blocked login process) via mkfifo because the openat call (for protect_dir) lacks O_DIRECTORY. Package Name: libpam-runtime Installed Version: 1.5.2-6+deb12u1 Fixed Version: References: www.openwall.com access.redhat.com access.redhat.com bugzilla.redhat.com bugzilla.redhat.com cve.mitre.org errata.almalinux.org errata.rockylinux.org github.com github.com github.com linux.oracle.com linux.oracle.com nvd.nist.gov ubuntu.com ubuntu.com www.cve.org www.openwall.com
MEDIUM	CVE-2024-10041: pam: libpam: Libpam vulnerable to read hashed password A vulnerability was found in PAM. The secret information is stored in memory, where the attacker can trigger the victim program to execute by sending characters to its standard input (stdin). As this occurs, the attacker can train the branch predictor to execute an ROP chain speculatively. This flaw could result in leaked passwords, such as those found in /etc/shadow while performing authentications. Package Name: libpam0g Installed Version: 1.5.2-6+deb12u1 Fixed Version: References: access.redhat.com access.redhat.com access.redhat.com access.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com cve.mitre.org cve.mitre.org errata.almalinux.org errata.rockylinux.org linux.oracle.com linux.oracle.com nvd.nist.gov www.cve.org
MEDIUM	CVE-2024-22365: pam: allowing unprivileged user to block another user namespace linux-pam (aka Linux PAM) before 1.6.0 allows attackers to cause a denial of service (blocked login process) via mkfifo because the openat call (for protect_dir) lacks O_DIRECTORY. Package Name: libpam0g Installed Version: 1.5.2-6+deb12u1 Fixed Version: References: www.openwall.com access.redhat.com access.redhat.com bugzilla.redhat.com bugzilla.redhat.com cve.mitre.org errata.almalinux.org errata.rockylinux.org github.com github.com github.com linux.oracle.com linux.oracle.com nvd.nist.gov ubuntu.com ubuntu.com www.cve.org www.openwall.com
MEDIUM	CVE-2024-13176: openssl: Timing side-channel in ECDSA signature computation Issue summary: A timing side-channel which could potentially allow recovering the private key exists in the ECDSA signature computation. Impact summary: A timing side-channel in ECDSA signature computations could allow recovering the private key by an attacker. However, measuring the timing would require either local access to the signing application or a very fast network connection with low latency. There is a timing signal of around 300 nanoseconds when the top word of the inverted ECDSA nonce value is zero. This can happen with significant probability only for some of the supported elliptic curves. In particular the NIST P-521 curve is affected. To be able to measure this leak, the attacker process must either be located in the same physical computer or must have a very fast network connection with low latency. For that reason the severity of this vulnerability is Low. The FIPS modules in 3.4, 3.3, 3.2, 3.1 and 3.0 are affected by this issue. Package Name: libssl3 Installed Version: 3.0.13-1~deb12u1 Fixed Version: 3.0.16-1~deb12u1 References: www.openwall.com access.redhat.com github.com github.com github.com github.com github.com github.openssl.org github.openssl.org lists.debian.org nvd.nist.gov openssl-library.org security.netapp.com security.netapp.com ubuntu.com ubuntu.com www.cve.org www.oracle.com
MEDIUM	CVE-2024-4603: openssl: Excessive time spent checking DSA keys and parameters Issue summary: Checking excessively long DSA keys or parameters may be very slow. Impact summary: Applications that use the functions EVP_PKEY_param_check() or EVP_PKEY_public_check() to check a DSA public key or DSA parameters may experience long delays. Where the key or parameters that are being checked have been obtained from an untrusted source this may lead to a Denial of Service. The functions EVP_PKEY_param_check() or EVP_PKEY_public_check() perform various checks on DSA parameters. Some of those computations take a long time if the modulus (`p` parameter) is too large. Trying to use a very large modulus is slow and OpenSSL will not allow using public keys with a modulus which is over 10,000 bits in length for signature verification. However the key and parameter check functions do not limit the modulus size when performing the checks. An application that calls EVP_PKEY_param_check() or EVP_PKEY_public_check() and supplies a key or parameters obtained from an untrusted source could be vulnerable to a Denial of Service attack. These functions are not called by OpenSSL itself on untrusted DSA keys so only applications that directly call these functions may be vulnerable. Also vulnerable are the OpenSSL pkey and pkeyparam command line applications when using the `-check` option. The OpenSSL SSL/TLS implementation is not affected by this issue. The OpenSSL 3.0 and 3.1 FIPS providers are affected by this issue. Package Name: libssl3 Installed Version: 3.0.13-1~deb12u1 Fixed Version: 3.0.14-1~deb12u1 References: www.openwall.com access.redhat.com access.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com errata.almalinux.org github.com github.com github.com github.com linux.oracle.com linux.oracle.com nvd.nist.gov security.netapp.com ubuntu.com www.cve.org www.openssl.org
MEDIUM	CVE-2024-4741: openssl: Use After Free with SSL_free_buffers Issue summary: Calling the OpenSSL API function SSL_free_buffers may cause memory to be accessed that was previously freed in some situations Impact summary: A use after free can have a range of potential consequences such as the corruption of valid data, crashes or execution of arbitrary code. However, only applications that directly call the SSL_free_buffers function are affected by this issue. Applications that do not call this function are not vulnerable. Our investigations indicate that this function is rarely used by applications. The SSL_free_buffers function is used to free the internal OpenSSL buffer used when processing an incoming record from the network. The call is only expected to succeed if the buffer is not currently in use. However, two scenarios have been identified where the buffer is freed even when still in use. The first scenario occurs where a record header has been received from the network and processed by OpenSSL, but the full record body has not yet arrived. In this case calling SSL_free_buffers will succeed even though a record has only been partially processed and the buffer is still in use. The second scenario occurs where a full record containing application data has been received and processed by OpenSSL but the application has only read part of this data. Again a call to SSL_free_buffers will succeed even though the buffer is still in use. While these scenarios could occur accidentally during normal operation a malicious attacker could attempt to engineer a stituation where this occurs. We are not aware of this issue being actively exploited. The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue. Package Name: libssl3 Installed Version: 3.0.13-1~deb12u1 Fixed Version: 3.0.14-1~deb12u1 References: access.redhat.com access.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com errata.almalinux.org github.com github.com github.com github.com github.openssl.org linux.oracle.com linux.oracle.com nvd.nist.gov ubuntu.com www.cve.org www.openssl.org
MEDIUM	CVE-2024-5535: openssl: SSL_select_next_proto buffer overread Issue summary: Calling the OpenSSL API function SSL_select_next_proto with an empty supported client protocols buffer may cause a crash or memory contents to be sent to the peer. Impact summary: A buffer overread can have a range of potential consequences such as unexpected application beahviour or a crash. In particular this issue could result in up to 255 bytes of arbitrary private data from memory being sent to the peer leading to a loss of confidentiality. However, only applications that directly call the SSL_select_next_proto function with a 0 length list of supported client protocols are affected by this issue. This would normally never be a valid scenario and is typically not under attacker control but may occur by accident in the case of a configuration or programming error in the calling application. The OpenSSL API function SSL_select_next_proto is typically used by TLS applications that support ALPN (Application Layer Protocol Negotiation) or NPN (Next Protocol Negotiation). NPN is older, was never standardised and is deprecated in favour of ALPN. We believe that ALPN is significantly more widely deployed than NPN. The SSL_select_next_proto function accepts a list of protocols from the server and a list of protocols from the client and returns the first protocol that appears in the server list that also appears in the client list. In the case of no overlap between the two lists it returns the first item in the client list. In either case it will signal whether an overlap between the two lists was found. In the case where SSL_select_next_proto is called with a zero length client list it fails to notice this condition and returns the memory immediately following the client list pointer (and reports that there was no overlap in the lists). This function is typically called from a server side application callback for ALPN or a client side application callback for NPN. In the case of ALPN the list of protocols supplied by the client is guaranteed by libssl to never be zero in length. The list of server protocols comes from the application and should never normally be expected to be of zero length. In this case if the SSL_select_next_proto function has been called as expected (with the list supplied by the client passed in the client/client_len parameters), then the application will not be vulnerable to this issue. If the application has accidentally been configured with a zero length server list, and has accidentally passed that zero length server list in the client/client_len parameters, and has additionally failed to correctly handle a "no overlap" response (which would normally result in a handshake failure in ALPN) then it will be vulnerable to this problem. In the case of NPN, the protocol permits the client to opportunistically select a protocol when there is no overlap. OpenSSL returns the first client protocol in the no overlap case in support of this. The list of client protocols comes from the application and should never normally be expected to be of zero length. However if the SSL_select_next_proto function is accidentally called with a client_len of 0 then an invalid memory pointer will be returned instead. If the application uses this output as the opportunistic protocol then the loss of confidentiality will occur. This issue has been assessed as Low severity because applications are most likely to be vulnerable if they are using NPN instead of ALPN - but NPN is not widely used. It also requires an application configuration or programming error. Finally, this issue would not typically be under attacker control making active exploitation unlikely. The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue. Due to the low severity of this issue we are not issuing new releases of OpenSSL at this time. The fix will be included in the next releases when they become available. Package Name: libssl3 Installed Version: 3.0.13-1~deb12u1 Fixed Version: 3.0.15-1~deb12u1 References: www.openwall.com www.openwall.com www.openwall.com access.redhat.com access.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com cve.mitre.org errata.almalinux.org errata.rockylinux.org github.com github.com github.com github.com github.openssl.org github.openssl.org linux.oracle.com linux.oracle.com nvd.nist.gov openssl.org security.netapp.com ubuntu.com www.cve.org www.openssl.org www.oracle.com
MEDIUM	CVE-2025-4598: systemd-coredump: race condition that allows a local attacker to crash a SUID program and gain read access to the resulting core dump A vulnerability was found in systemd-coredump. This flaw allows an attacker to force a SUID process to crash and replace it with a non-SUID binary to access the original's privileged process coredump, allowing the attacker to read sensitive data, such as /etc/shadow content, loaded by the original process. A SUID binary or process has a special type of permission, which allows the process to run with the file owner's permissions, regardless of the user executing the binary. This allows the process to access more restricted data than unprivileged users or processes would be able to. An attacker can leverage this flaw by forcing a SUID process to crash and force the Linux kernel to recycle the process PID before systemd-coredump can analyze the /proc/pid/auxv file. If the attacker wins the race condition, they gain access to the original's SUID process coredump file. They can read sensitive content loaded into memory by the original binary, affecting data confidentiality. Package Name: libsystemd0 Installed Version: 252.26-1~deb12u2 Fixed Version: 252.38-1~deb12u1 References: www.openwall.com www.openwall.com access.redhat.com bugzilla.redhat.com git.kernel.org github.com github.com github.com github.com github.com github.com github.com github.com linux.oracle.com linux.oracle.com nvd.nist.gov ubuntu.com www.cve.org www.openwall.com www.qualys.com
MEDIUM	CVE-2024-12133: libtasn1: Inefficient DER Decoding in libtasn1 Leading to Potential Remote DoS A flaw in libtasn1 causes inefficient handling of specific certificate data. When processing a large number of elements in a certificate, libtasn1 takes much longer than expected, which can slow down or even crash the system. This flaw allows an attacker to send a specially crafted certificate, causing a denial of service attack. Package Name: libtasn1-6 Installed Version: 4.19.0-2 Fixed Version: 4.19.0-2+deb12u1 References: www.openwall.com access.redhat.com access.redhat.com access.redhat.com access.redhat.com access.redhat.com bugzilla.redhat.com gitlab.com gitlab.com linux.oracle.com linux.oracle.com lists.debian.org nvd.nist.gov security.netapp.com ubuntu.com ubuntu.com www.cve.org
MEDIUM	CVE-2023-25433: libtiff: Buffer Overflow via /libtiff/tools/tiffcrop.c libtiff 4.5.0 is vulnerable to Buffer Overflow via /libtiff/tools/tiffcrop.c:8499. Incorrect updating of buffer size after rotateImage() in tiffcrop cause heap-buffer-overflow and SEGV. Package Name: libtiff6 Installed Version: 4.5.0-6+deb12u1 Fixed Version: 4.5.0-6+deb12u2 References: access.redhat.com access.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com cve.mitre.org cve.mitre.org cve.mitre.org cve.mitre.org errata.almalinux.org errata.rockylinux.org gitlab.com gitlab.com linux.oracle.com linux.oracle.com lists.debian.org nvd.nist.gov ubuntu.com ubuntu.com www.cve.org
MEDIUM	CVE-2023-26965: libtiff: heap-based use after free via a crafted TIFF image in loadImage() in tiffcrop.c loadImage() in tools/tiffcrop.c in LibTIFF through 4.5.0 has a heap-based use after free via a crafted TIFF image. Package Name: libtiff6 Installed Version: 4.5.0-6+deb12u1 Fixed Version: 4.5.0-6+deb12u2 References: access.redhat.com access.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com errata.almalinux.org gitlab.com linux.oracle.com linux.oracle.com lists.debian.org nvd.nist.gov security.netapp.com ubuntu.com ubuntu.com www.cve.org
MEDIUM	CVE-2023-26966: libtiff: Buffer Overflow in uv_encode() libtiff 4.5.0 is vulnerable to Buffer Overflow in uv_encode() when libtiff reads a corrupted little-endian TIFF file and specifies the output to be big-endian. Package Name: libtiff6 Installed Version: 4.5.0-6+deb12u1 Fixed Version: 4.5.0-6+deb12u2 References: access.redhat.com access.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com errata.almalinux.org gitlab.com gitlab.com gitlab.com linux.oracle.com linux.oracle.com lists.debian.org nvd.nist.gov ubuntu.com ubuntu.com www.cve.org
MEDIUM	CVE-2023-2908: libtiff: null pointer dereference in tif_dir.c A null pointer dereference issue was found in Libtiff's tif_dir.c file. This issue may allow an attacker to pass a crafted TIFF image file to the tiffcp utility which triggers a runtime error that causes undefined behavior. This will result in an application crash, eventually leading to a denial of service. Package Name: libtiff6 Installed Version: 4.5.0-6+deb12u1 Fixed Version: 4.5.0-6+deb12u2 References: access.redhat.com bugzilla.redhat.com gitlab.com gitlab.com lists.debian.org nvd.nist.gov security.netapp.com ubuntu.com www.cve.org
MEDIUM	CVE-2023-3618: libtiff: segmentation fault in Fax3Encode in libtiff/tif_fax3.c A flaw was found in libtiff. A specially crafted tiff file can lead to a segmentation fault due to a buffer overflow in the Fax3Encode function in libtiff/tif_fax3.c, resulting in a denial of service. Package Name: libtiff6 Installed Version: 4.5.0-6+deb12u1 Fixed Version: 4.5.0-6+deb12u2 References: access.redhat.com access.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com errata.almalinux.org gitlab.com gitlab.com linux.oracle.com linux.oracle.com lists.debian.org nvd.nist.gov security.netapp.com support.apple.com support.apple.com support.apple.com ubuntu.com www.cve.org
MEDIUM	CVE-2023-6277: libtiff: Out-of-memory in TIFFOpen via a craft file An out-of-memory flaw was found in libtiff. Passing a crafted tiff file to TIFFOpen() API may allow a remote attacker to cause a denial of service via a craft input with size smaller than 379 KB. Package Name: libtiff6 Installed Version: 4.5.0-6+deb12u1 Fixed Version: References: seclists.org seclists.org seclists.org seclists.org seclists.org seclists.org seclists.org seclists.org access.redhat.com bugzilla.redhat.com gitlab.com gitlab.com lists.fedoraproject.org lists.fedoraproject.org nvd.nist.gov security.netapp.com support.apple.com support.apple.com support.apple.com support.apple.com support.apple.com support.apple.com support.apple.com support.apple.com ubuntu.com ubuntu.com www.cve.org
MEDIUM	CVE-2023-50495: ncurses: segmentation fault via _nc_wrap_entry() NCurse v6.4-20230418 was discovered to contain a segmentation fault via the component _nc_wrap_entry(). Package Name: libtinfo6 Installed Version: 6.4-4 Fixed Version: References: access.redhat.com lists.fedoraproject.org lists.gnu.org lists.gnu.org nvd.nist.gov security.netapp.com ubuntu.com www.cve.org
MEDIUM	CVE-2025-4598: systemd-coredump: race condition that allows a local attacker to crash a SUID program and gain read access to the resulting core dump A vulnerability was found in systemd-coredump. This flaw allows an attacker to force a SUID process to crash and replace it with a non-SUID binary to access the original's privileged process coredump, allowing the attacker to read sensitive data, such as /etc/shadow content, loaded by the original process. A SUID binary or process has a special type of permission, which allows the process to run with the file owner's permissions, regardless of the user executing the binary. This allows the process to access more restricted data than unprivileged users or processes would be able to. An attacker can leverage this flaw by forcing a SUID process to crash and force the Linux kernel to recycle the process PID before systemd-coredump can analyze the /proc/pid/auxv file. If the attacker wins the race condition, they gain access to the original's SUID process coredump file. They can read sensitive content loaded into memory by the original binary, affecting data confidentiality. Package Name: libudev1 Installed Version: 252.26-1~deb12u2 Fixed Version: 252.38-1~deb12u1 References: www.openwall.com www.openwall.com access.redhat.com bugzilla.redhat.com git.kernel.org github.com github.com github.com github.com github.com github.com github.com github.com linux.oracle.com linux.oracle.com nvd.nist.gov ubuntu.com www.cve.org www.openwall.com www.qualys.com
MEDIUM	CVE-2022-49043: libxml: use-after-free in xmlXIncludeAddNode xmlXIncludeAddNode in xinclude.c in libxml2 before 2.11.0 has a use-after-free. Package Name: libxml2 Installed Version: 2.9.14+dfsg-1.3~deb12u1 Fixed Version: References: access.redhat.com access.redhat.com bugzilla.redhat.com bugzilla.redhat.com cve.mitre.org errata.almalinux.org errata.rockylinux.org github.com gitlab.gnome.org linux.oracle.com linux.oracle.com nvd.nist.gov ubuntu.com ubuntu.com www.cve.org
MEDIUM	CVE-2023-39615: libxml2: crafted xml can cause global buffer overflow Xmlsoft Libxml2 v2.11.0 was discovered to contain an out-of-bounds read via the xmlSAX2StartElement() function at /libxml2/SAX2.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via supplying a crafted XML file. NOTE: the vendor's position is that the product does not support the legacy SAX1 interface with custom callbacks; there is a crash even without crafted input. Package Name: libxml2 Installed Version: 2.9.14+dfsg-1.3~deb12u1 Fixed Version: References: access.redhat.com access.redhat.com bugzilla.redhat.com bugzilla.redhat.com cve.mitre.org errata.almalinux.org errata.rockylinux.org gitlab.gnome.org linux.oracle.com linux.oracle.com nvd.nist.gov www.cve.org
MEDIUM	CVE-2023-45322: libxml2: use-after-free in xmlUnlinkNode() in tree.c libxml2 through 2.11.5 has a use-after-free that can only occur after a certain memory allocation fails. This occurs in xmlUnlinkNode in tree.c. NOTE: the vendor's position is "I don't think these issues are critical enough to warrant a CVE ID ... because an attacker typically can't control when memory allocations fail." Package Name: libxml2 Installed Version: 2.9.14+dfsg-1.3~deb12u1 Fixed Version: References: www.openwall.com access.redhat.com gitlab.gnome.org gitlab.gnome.org nvd.nist.gov www.cve.org
MEDIUM	CVE-2023-4641: shadow-utils: possible password leak during passwd(1) change A flaw was found in shadow-utils. When asking for a new password, shadow-utils asks the password twice. If the password fails on the second attempt, shadow-utils fails in cleaning the buffer used to store the first entry. This may allow an attacker with enough access to retrieve the password from the memory. Package Name: login Installed Version: 1:4.13+dfsg1-1+b1 Fixed Version: 1:4.13+dfsg1-1+deb12u1 References: access.redhat.com access.redhat.com access.redhat.com access.redhat.com access.redhat.com bugzilla.redhat.com bugzilla.redhat.com errata.almalinux.org linux.oracle.com linux.oracle.com nvd.nist.gov ubuntu.com www.cve.org
MEDIUM	CVE-2023-50495: ncurses: segmentation fault via _nc_wrap_entry() NCurse v6.4-20230418 was discovered to contain a segmentation fault via the component _nc_wrap_entry(). Package Name: ncurses-base Installed Version: 6.4-4 Fixed Version: References: access.redhat.com lists.fedoraproject.org lists.gnu.org lists.gnu.org nvd.nist.gov security.netapp.com ubuntu.com www.cve.org
MEDIUM	CVE-2023-50495: ncurses: segmentation fault via _nc_wrap_entry() NCurse v6.4-20230418 was discovered to contain a segmentation fault via the component _nc_wrap_entry(). Package Name: ncurses-bin Installed Version: 6.4-4 Fixed Version: References: access.redhat.com lists.fedoraproject.org lists.gnu.org lists.gnu.org nvd.nist.gov security.netapp.com ubuntu.com www.cve.org
MEDIUM	CVE-2024-13176: openssl: Timing side-channel in ECDSA signature computation Issue summary: A timing side-channel which could potentially allow recovering the private key exists in the ECDSA signature computation. Impact summary: A timing side-channel in ECDSA signature computations could allow recovering the private key by an attacker. However, measuring the timing would require either local access to the signing application or a very fast network connection with low latency. There is a timing signal of around 300 nanoseconds when the top word of the inverted ECDSA nonce value is zero. This can happen with significant probability only for some of the supported elliptic curves. In particular the NIST P-521 curve is affected. To be able to measure this leak, the attacker process must either be located in the same physical computer or must have a very fast network connection with low latency. For that reason the severity of this vulnerability is Low. The FIPS modules in 3.4, 3.3, 3.2, 3.1 and 3.0 are affected by this issue. Package Name: openssl Installed Version: 3.0.13-1~deb12u1 Fixed Version: 3.0.16-1~deb12u1 References: www.openwall.com access.redhat.com github.com github.com github.com github.com github.com github.openssl.org github.openssl.org lists.debian.org nvd.nist.gov openssl-library.org security.netapp.com security.netapp.com ubuntu.com ubuntu.com www.cve.org www.oracle.com
MEDIUM	CVE-2024-4603: openssl: Excessive time spent checking DSA keys and parameters Issue summary: Checking excessively long DSA keys or parameters may be very slow. Impact summary: Applications that use the functions EVP_PKEY_param_check() or EVP_PKEY_public_check() to check a DSA public key or DSA parameters may experience long delays. Where the key or parameters that are being checked have been obtained from an untrusted source this may lead to a Denial of Service. The functions EVP_PKEY_param_check() or EVP_PKEY_public_check() perform various checks on DSA parameters. Some of those computations take a long time if the modulus (`p` parameter) is too large. Trying to use a very large modulus is slow and OpenSSL will not allow using public keys with a modulus which is over 10,000 bits in length for signature verification. However the key and parameter check functions do not limit the modulus size when performing the checks. An application that calls EVP_PKEY_param_check() or EVP_PKEY_public_check() and supplies a key or parameters obtained from an untrusted source could be vulnerable to a Denial of Service attack. These functions are not called by OpenSSL itself on untrusted DSA keys so only applications that directly call these functions may be vulnerable. Also vulnerable are the OpenSSL pkey and pkeyparam command line applications when using the `-check` option. The OpenSSL SSL/TLS implementation is not affected by this issue. The OpenSSL 3.0 and 3.1 FIPS providers are affected by this issue. Package Name: openssl Installed Version: 3.0.13-1~deb12u1 Fixed Version: 3.0.14-1~deb12u1 References: www.openwall.com access.redhat.com access.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com errata.almalinux.org github.com github.com github.com github.com linux.oracle.com linux.oracle.com nvd.nist.gov security.netapp.com ubuntu.com www.cve.org www.openssl.org
MEDIUM	CVE-2024-4741: openssl: Use After Free with SSL_free_buffers Issue summary: Calling the OpenSSL API function SSL_free_buffers may cause memory to be accessed that was previously freed in some situations Impact summary: A use after free can have a range of potential consequences such as the corruption of valid data, crashes or execution of arbitrary code. However, only applications that directly call the SSL_free_buffers function are affected by this issue. Applications that do not call this function are not vulnerable. Our investigations indicate that this function is rarely used by applications. The SSL_free_buffers function is used to free the internal OpenSSL buffer used when processing an incoming record from the network. The call is only expected to succeed if the buffer is not currently in use. However, two scenarios have been identified where the buffer is freed even when still in use. The first scenario occurs where a record header has been received from the network and processed by OpenSSL, but the full record body has not yet arrived. In this case calling SSL_free_buffers will succeed even though a record has only been partially processed and the buffer is still in use. The second scenario occurs where a full record containing application data has been received and processed by OpenSSL but the application has only read part of this data. Again a call to SSL_free_buffers will succeed even though the buffer is still in use. While these scenarios could occur accidentally during normal operation a malicious attacker could attempt to engineer a stituation where this occurs. We are not aware of this issue being actively exploited. The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue. Package Name: openssl Installed Version: 3.0.13-1~deb12u1 Fixed Version: 3.0.14-1~deb12u1 References: access.redhat.com access.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com errata.almalinux.org github.com github.com github.com github.com github.openssl.org linux.oracle.com linux.oracle.com nvd.nist.gov ubuntu.com www.cve.org www.openssl.org
MEDIUM	CVE-2024-5535: openssl: SSL_select_next_proto buffer overread Issue summary: Calling the OpenSSL API function SSL_select_next_proto with an empty supported client protocols buffer may cause a crash or memory contents to be sent to the peer. Impact summary: A buffer overread can have a range of potential consequences such as unexpected application beahviour or a crash. In particular this issue could result in up to 255 bytes of arbitrary private data from memory being sent to the peer leading to a loss of confidentiality. However, only applications that directly call the SSL_select_next_proto function with a 0 length list of supported client protocols are affected by this issue. This would normally never be a valid scenario and is typically not under attacker control but may occur by accident in the case of a configuration or programming error in the calling application. The OpenSSL API function SSL_select_next_proto is typically used by TLS applications that support ALPN (Application Layer Protocol Negotiation) or NPN (Next Protocol Negotiation). NPN is older, was never standardised and is deprecated in favour of ALPN. We believe that ALPN is significantly more widely deployed than NPN. The SSL_select_next_proto function accepts a list of protocols from the server and a list of protocols from the client and returns the first protocol that appears in the server list that also appears in the client list. In the case of no overlap between the two lists it returns the first item in the client list. In either case it will signal whether an overlap between the two lists was found. In the case where SSL_select_next_proto is called with a zero length client list it fails to notice this condition and returns the memory immediately following the client list pointer (and reports that there was no overlap in the lists). This function is typically called from a server side application callback for ALPN or a client side application callback for NPN. In the case of ALPN the list of protocols supplied by the client is guaranteed by libssl to never be zero in length. The list of server protocols comes from the application and should never normally be expected to be of zero length. In this case if the SSL_select_next_proto function has been called as expected (with the list supplied by the client passed in the client/client_len parameters), then the application will not be vulnerable to this issue. If the application has accidentally been configured with a zero length server list, and has accidentally passed that zero length server list in the client/client_len parameters, and has additionally failed to correctly handle a "no overlap" response (which would normally result in a handshake failure in ALPN) then it will be vulnerable to this problem. In the case of NPN, the protocol permits the client to opportunistically select a protocol when there is no overlap. OpenSSL returns the first client protocol in the no overlap case in support of this. The list of client protocols comes from the application and should never normally be expected to be of zero length. However if the SSL_select_next_proto function is accidentally called with a client_len of 0 then an invalid memory pointer will be returned instead. If the application uses this output as the opportunistic protocol then the loss of confidentiality will occur. This issue has been assessed as Low severity because applications are most likely to be vulnerable if they are using NPN instead of ALPN - but NPN is not widely used. It also requires an application configuration or programming error. Finally, this issue would not typically be under attacker control making active exploitation unlikely. The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue. Due to the low severity of this issue we are not issuing new releases of OpenSSL at this time. The fix will be included in the next releases when they become available. Package Name: openssl Installed Version: 3.0.13-1~deb12u1 Fixed Version: 3.0.15-1~deb12u1 References: www.openwall.com www.openwall.com www.openwall.com access.redhat.com access.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com cve.mitre.org errata.almalinux.org errata.rockylinux.org github.com github.com github.com github.com github.openssl.org github.openssl.org linux.oracle.com linux.oracle.com nvd.nist.gov openssl.org security.netapp.com ubuntu.com www.cve.org www.openssl.org www.oracle.com
MEDIUM	CVE-2023-4641: shadow-utils: possible password leak during passwd(1) change A flaw was found in shadow-utils. When asking for a new password, shadow-utils asks the password twice. If the password fails on the second attempt, shadow-utils fails in cleaning the buffer used to store the first entry. This may allow an attacker with enough access to retrieve the password from the memory. Package Name: passwd Installed Version: 1:4.13+dfsg1-1+b1 Fixed Version: 1:4.13+dfsg1-1+deb12u1 References: access.redhat.com access.redhat.com access.redhat.com access.redhat.com access.redhat.com bugzilla.redhat.com bugzilla.redhat.com errata.almalinux.org linux.oracle.com linux.oracle.com nvd.nist.gov ubuntu.com www.cve.org
MEDIUM	CVE-2025-40909: perl: Perl threads have a working directory race condition where file operations may target unintended paths Perl threads have a working directory race condition where file operations may target unintended paths. If a directory handle is open at thread creation, the process-wide current working directory is temporarily changed in order to clone that handle for the new thread, which is visible from any third (or more) thread already running. This may lead to unintended operations such as loading code or accessing files from unexpected locations, which a local attacker may be able to exploit. The bug was introduced in commit 11a11ecf4bea72b17d250cfb43c897be1341861e and released in Perl version 5.13.6 Package Name: perl-base Installed Version: 5.36.0-7+deb12u1 Fixed Version: References: www.openwall.com www.openwall.com www.openwall.com www.openwall.com www.openwall.com www.openwall.com www.openwall.com access.redhat.com bugs.debian.org github.com github.com github.com github.com nvd.nist.gov perldoc.perl.org www.cve.org www.openwall.com
LOW	CVE-2011-3374: It was found that apt-key in apt, all versions, do not correctly valid ... It was found that apt-key in apt, all versions, do not correctly validate gpg keys with the master keyring, leading to a potential man-in-the-middle attack. Package Name: apt Installed Version: 2.6.1 Fixed Version: References: access.redhat.com bugs.debian.org people.canonical.com seclists.org security-tracker.debian.org snyk.io ubuntu.com
LOW	TEMP-0841856-B18BAF: [Privilege escalation possible to other user than root] Package Name: bash Installed Version: 5.2.15-2+b7 Fixed Version: References:
LOW	CVE-2022-0563: util-linux: partial disclosure of arbitrary files in chfn and chsh when compiled with libreadline A flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an "INPUTRC" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4. Package Name: bsdutils Installed Version: 1:2.38.1-5+deb12u1 Fixed Version: References: access.redhat.com blog.trailofbits.com lore.kernel.org lore.kernel.org nvd.nist.gov security.gentoo.org security.netapp.com www.cve.org
LOW	CVE-2016-2781: coreutils: Non-privileged session can escape to the parent session in chroot chroot in GNU coreutils, when used with --userspec, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer. Package Name: coreutils Installed Version: 9.1-1 Fixed Version: References: seclists.org www.openwall.com www.openwall.com access.redhat.com lists.apache.org lore.kernel.org mirrors.edge.kernel.org nvd.nist.gov www.cve.org
LOW	CVE-2017-18018: coreutils: race condition vulnerability in chown and chgrp In GNU Coreutils through 8.29, chown-core.c in chown and chgrp does not prevent replacement of a plain file with a symlink during use of the POSIX "-R -L" options, which allows local users to modify the ownership of arbitrary files by leveraging a race condition. Package Name: coreutils Installed Version: 9.1-1 Fixed Version: References: lists.gnu.org access.redhat.com nvd.nist.gov www.cve.org
LOW	CVE-2025-5278: coreutils: Heap Buffer Under-Read in GNU Coreutils sort via Key Specification A flaw was found in GNU Coreutils. The sort utility's begfield() function is vulnerable to a heap buffer under-read. The program may access memory outside the allocated buffer if a user runs a crafted command using the traditional key format. A malicious input could lead to a crash or leak sensitive data. Package Name: coreutils Installed Version: 9.1-1 Fixed Version: References: www.openwall.com www.openwall.com www.openwall.com access.redhat.com bugzilla.redhat.com cgit.git.savannah.gnu.org cgit.git.savannah.gnu.org nvd.nist.gov security-tracker.debian.org www.cve.org
LOW	CVE-2024-2379: curl: QUIC certificate check bypass with wolfSSL libcurl skips the certificate verification for a QUIC connection under certain conditions, when built to use wolfSSL. If told to use an unknown/bad cipher or curve, the error path accidentally skips the verification and returns OK, thus ignoring any certificate problems. Package Name: curl Installed Version: 7.88.1-10+deb12u6 Fixed Version: References: seclists.org seclists.org seclists.org www.openwall.com access.redhat.com curl.se curl.se hackerone.com nvd.nist.gov security.netapp.com support.apple.com support.apple.com support.apple.com www.cve.org
LOW	CVE-2025-0167: When asked to use a `.netrc` file for credentials and to follow HT ... When asked to use a `.netrc` file for credentials and to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances. This flaw only manifests itself if the netrc file has a `default` entry that omits both login and password. A rare circumstance. Package Name: curl Installed Version: 7.88.1-10+deb12u6 Fixed Version: 7.88.1-10+deb12u11 References: curl.se curl.se hackerone.com nvd.nist.gov security.netapp.com www.cve.org
LOW	CVE-2025-0725: libcurl: Buffer Overflow in libcurl via zlib Integer Overflow When libcurl is asked to perform automatic gzip decompression of content-encoded HTTP responses with the `CURLOPT_ACCEPT_ENCODING` option, using zlib 1.2.0.3 or older, an attacker-controlled integer overflow would make libcurl perform a buffer overflow. Package Name: curl Installed Version: 7.88.1-10+deb12u6 Fixed Version: References: www.openwall.com www.openwall.com www.openwall.com access.redhat.com curl.se curl.se hackerone.com nvd.nist.gov security.netapp.com www.cve.org
LOW	CVE-2022-27943: binutils: libiberty/rust-demangle.c in GNU GCC 11.2 allows stack exhaustion in demangle_const libiberty/rust-demangle.c in GNU GCC 11.2 allows stack consumption in demangle_const, as demonstrated by nm-new. Package Name: gcc-12-base Installed Version: 12.2.0-14 Fixed Version: References: access.redhat.com gcc.gnu.org gcc.gnu.org gcc.gnu.org gcc.gnu.org gcc.gnu.org lists.fedoraproject.org nvd.nist.gov sourceware.org www.cve.org
LOW	CVE-2023-4039: gcc: -fstack-protector fails to guard dynamic stack allocations on ARM64 DISPUTEDA failure in the -fstack-protector feature in GCC-based toolchains that target AArch64 allows an attacker to exploit an existing buffer overflow in dynamically-sized local variables in your application without this being detected. This stack-protector failure only applies to C99-style dynamically-sized local variables or those created using alloca(). The stack-protector operates as intended for statically-sized local variables. The default behavior when the stack-protector detects an overflow is to terminate your application, resulting in controlled loss of availability. An attacker who can exploit a buffer overflow without triggering the stack-protector might be able to change program flow control to cause an uncontrolled loss of availability or to go further and affect confidentiality or integrity. NOTE: The GCC project argues that this is a missed hardening bug and not a vulnerability by itself. Package Name: gcc-12-base Installed Version: 12.2.0-14 Fixed Version: 12.2.0-14+deb12u1 References: access.redhat.com developer.arm.com gcc.gnu.org gcc.gnu.org github.com inbox.sourceware.org linux.oracle.com linux.oracle.com nvd.nist.gov rtx.meta.security www.cve.org
LOW	CVE-2022-3219: gnupg: denial of service issue (resource consumption) using compressed packets GnuPG can be made to spin on a relatively small input by (for example) crafting a public key with thousands of signatures attached, compressed down to just a few KB. Package Name: gpgv Installed Version: 2.2.40-1.1 Fixed Version: References: access.redhat.com bugzilla.redhat.com dev.gnupg.org dev.gnupg.org marc.info nvd.nist.gov security.netapp.com www.cve.org
LOW	CVE-2025-30258: gnupg: verification DoS due to a malicious subkey in the keyring In GnuPG before 2.5.5, if a user chooses to import a certificate with certain crafted subkey data that lacks a valid backsig or that has incorrect usage flags, the user loses the ability to verify signatures made from certain other signing keys, aka a "verification DoS." Package Name: gpgv Installed Version: 2.2.40-1.1 Fixed Version: References: access.redhat.com dev.gnupg.org dev.gnupg.org lists.gnupg.org nvd.nist.gov ubuntu.com www.cve.org
LOW	CVE-2011-3374: It was found that apt-key in apt, all versions, do not correctly valid ... It was found that apt-key in apt, all versions, do not correctly validate gpg keys with the master keyring, leading to a potential man-in-the-middle attack. Package Name: libapt-pkg6.0 Installed Version: 2.6.1 Fixed Version: References: access.redhat.com bugs.debian.org people.canonical.com seclists.org security-tracker.debian.org snyk.io ubuntu.com
LOW	CVE-2022-0563: util-linux: partial disclosure of arbitrary files in chfn and chsh when compiled with libreadline A flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an "INPUTRC" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4. Package Name: libblkid1 Installed Version: 2.38.1-5+deb12u1 Fixed Version: References: access.redhat.com blog.trailofbits.com lore.kernel.org lore.kernel.org nvd.nist.gov security.gentoo.org security.netapp.com www.cve.org
LOW	CVE-2010-4756: glibc: glob implementation can cause excessive CPU and memory consumption due to crafted glob expressions The glob implementation in the GNU C Library (aka glibc or libc6) allows remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in STAT commands to an FTP daemon, a different vulnerability than CVE-2010-2632. Package Name: libc-bin Installed Version: 2.36-9+deb12u7 Fixed Version: References: cxib.net securityreason.com securityreason.com access.redhat.com bugzilla.redhat.com bugzilla.redhat.com nvd.nist.gov www.cve.org
LOW	CVE-2018-20796: glibc: uncontrolled recursion in function check_dst_limits_calc_pos_1 in posix/regexec.c In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(\227\|)(\\1\\1\|t1\|\\\2537)+' in grep. Package Name: libc-bin Installed Version: 2.36-9+deb12u7 Fixed Version: References: www.securityfocus.com access.redhat.com debbugs.gnu.org lists.gnu.org nvd.nist.gov security.netapp.com support.f5.com www.cve.org
LOW	CVE-2019-1010022: glibc: stack guard protection bypass GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass stack guard protection. The component is: nptl. The attack vector is: Exploit stack buffer overflow vulnerability and use this bypass vulnerability to bypass stack guard. NOTE: Upstream comments indicate "this is being treated as a non-security bug and no real threat. Package Name: libc-bin Installed Version: 2.36-9+deb12u7 Fixed Version: References: access.redhat.com nvd.nist.gov security-tracker.debian.org sourceware.org sourceware.org ubuntu.com www.cve.org
LOW	CVE-2019-1010023: glibc: running ldd on malicious ELF leads to code execution because of wrong size computation GNU Libc current is affected by: Re-mapping current loaded library with malicious ELF file. The impact is: In worst case attacker may evaluate privileges. The component is: libld. The attack vector is: Attacker sends 2 ELF files to victim and asks to run ldd on it. ldd execute code. NOTE: Upstream comments indicate "this is being treated as a non-security bug and no real threat. Package Name: libc-bin Installed Version: 2.36-9+deb12u7 Fixed Version: References: www.securityfocus.com access.redhat.com nvd.nist.gov security-tracker.debian.org sourceware.org support.f5.com ubuntu.com www.cve.org
LOW	CVE-2019-1010024: glibc: ASLR bypass using cache of thread stack and heap GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass ASLR using cache of thread stack and heap. The component is: glibc. NOTE: Upstream comments indicate "this is being treated as a non-security bug and no real threat. Package Name: libc-bin Installed Version: 2.36-9+deb12u7 Fixed Version: References: www.securityfocus.com access.redhat.com nvd.nist.gov security-tracker.debian.org sourceware.org support.f5.com support.f5.com ubuntu.com www.cve.org
LOW	CVE-2019-1010025: glibc: information disclosure of heap addresses of pthread_created thread GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may guess the heap addresses of pthread_created thread. The component is: glibc. NOTE: the vendor's position is "ASLR bypass itself is not a vulnerability. Package Name: libc-bin Installed Version: 2.36-9+deb12u7 Fixed Version: References: access.redhat.com nvd.nist.gov security-tracker.debian.org sourceware.org support.f5.com support.f5.com ubuntu.com www.cve.org
LOW	CVE-2019-9192: glibc: uncontrolled recursion in function check_dst_limits_calc_pos_1 in posix/regexec.c In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(\|)(\\1\\1)' in grep, a different issue than CVE-2018-20796. NOTE: the software maintainer disputes that this is a vulnerability because the behavior occurs only with a crafted pattern Package Name:* libc-bin Installed Version: 2.36-9+deb12u7 Fixed Version: References: access.redhat.com nvd.nist.gov sourceware.org support.f5.com www.cve.org
LOW	CVE-2010-4756: glibc: glob implementation can cause excessive CPU and memory consumption due to crafted glob expressions The glob implementation in the GNU C Library (aka glibc or libc6) allows remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in STAT commands to an FTP daemon, a different vulnerability than CVE-2010-2632. Package Name: libc6 Installed Version: 2.36-9+deb12u7 Fixed Version: References: cxib.net securityreason.com securityreason.com access.redhat.com bugzilla.redhat.com bugzilla.redhat.com nvd.nist.gov www.cve.org
LOW	CVE-2018-20796: glibc: uncontrolled recursion in function check_dst_limits_calc_pos_1 in posix/regexec.c In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(\227\|)(\\1\\1\|t1\|\\\2537)+' in grep. Package Name: libc6 Installed Version: 2.36-9+deb12u7 Fixed Version: References: www.securityfocus.com access.redhat.com debbugs.gnu.org lists.gnu.org nvd.nist.gov security.netapp.com support.f5.com www.cve.org
LOW	CVE-2019-1010022: glibc: stack guard protection bypass GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass stack guard protection. The component is: nptl. The attack vector is: Exploit stack buffer overflow vulnerability and use this bypass vulnerability to bypass stack guard. NOTE: Upstream comments indicate "this is being treated as a non-security bug and no real threat. Package Name: libc6 Installed Version: 2.36-9+deb12u7 Fixed Version: References: access.redhat.com nvd.nist.gov security-tracker.debian.org sourceware.org sourceware.org ubuntu.com www.cve.org
LOW	CVE-2019-1010023: glibc: running ldd on malicious ELF leads to code execution because of wrong size computation GNU Libc current is affected by: Re-mapping current loaded library with malicious ELF file. The impact is: In worst case attacker may evaluate privileges. The component is: libld. The attack vector is: Attacker sends 2 ELF files to victim and asks to run ldd on it. ldd execute code. NOTE: Upstream comments indicate "this is being treated as a non-security bug and no real threat. Package Name: libc6 Installed Version: 2.36-9+deb12u7 Fixed Version: References: www.securityfocus.com access.redhat.com nvd.nist.gov security-tracker.debian.org sourceware.org support.f5.com ubuntu.com www.cve.org
LOW	CVE-2019-1010024: glibc: ASLR bypass using cache of thread stack and heap GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass ASLR using cache of thread stack and heap. The component is: glibc. NOTE: Upstream comments indicate "this is being treated as a non-security bug and no real threat. Package Name: libc6 Installed Version: 2.36-9+deb12u7 Fixed Version: References: www.securityfocus.com access.redhat.com nvd.nist.gov security-tracker.debian.org sourceware.org support.f5.com support.f5.com ubuntu.com www.cve.org
LOW	CVE-2019-1010025: glibc: information disclosure of heap addresses of pthread_created thread GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may guess the heap addresses of pthread_created thread. The component is: glibc. NOTE: the vendor's position is "ASLR bypass itself is not a vulnerability. Package Name: libc6 Installed Version: 2.36-9+deb12u7 Fixed Version: References: access.redhat.com nvd.nist.gov security-tracker.debian.org sourceware.org support.f5.com support.f5.com ubuntu.com www.cve.org
LOW	CVE-2019-9192: glibc: uncontrolled recursion in function check_dst_limits_calc_pos_1 in posix/regexec.c In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(\|)(\\1\\1)' in grep, a different issue than CVE-2018-20796. NOTE: the software maintainer disputes that this is a vulnerability because the behavior occurs only with a crafted pattern Package Name:* libc6 Installed Version: 2.36-9+deb12u7 Fixed Version: References: access.redhat.com nvd.nist.gov sourceware.org support.f5.com www.cve.org
LOW	CVE-2024-2379: curl: QUIC certificate check bypass with wolfSSL libcurl skips the certificate verification for a QUIC connection under certain conditions, when built to use wolfSSL. If told to use an unknown/bad cipher or curve, the error path accidentally skips the verification and returns OK, thus ignoring any certificate problems. Package Name: libcurl4 Installed Version: 7.88.1-10+deb12u6 Fixed Version: References: seclists.org seclists.org seclists.org www.openwall.com access.redhat.com curl.se curl.se hackerone.com nvd.nist.gov security.netapp.com support.apple.com support.apple.com support.apple.com www.cve.org
LOW	CVE-2025-0167: When asked to use a `.netrc` file for credentials and to follow HT ... When asked to use a `.netrc` file for credentials and to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances. This flaw only manifests itself if the netrc file has a `default` entry that omits both login and password. A rare circumstance. Package Name: libcurl4 Installed Version: 7.88.1-10+deb12u6 Fixed Version: 7.88.1-10+deb12u11 References: curl.se curl.se hackerone.com nvd.nist.gov security.netapp.com www.cve.org
LOW	CVE-2025-0725: libcurl: Buffer Overflow in libcurl via zlib Integer Overflow When libcurl is asked to perform automatic gzip decompression of content-encoded HTTP responses with the `CURLOPT_ACCEPT_ENCODING` option, using zlib 1.2.0.3 or older, an attacker-controlled integer overflow would make libcurl perform a buffer overflow. Package Name: libcurl4 Installed Version: 7.88.1-10+deb12u6 Fixed Version: References: www.openwall.com www.openwall.com www.openwall.com access.redhat.com curl.se curl.se hackerone.com nvd.nist.gov security.netapp.com www.cve.org
LOW	CVE-2023-52426: expat: recursive XML entity expansion vulnerability libexpat through 2.5.0 allows recursive XML Entity Expansion if XML_DTD is undefined at compile time. Package Name: libexpat1 Installed Version: 2.5.0-1 Fixed Version: References: access.redhat.com cwe.mitre.org github.com github.com lists.fedoraproject.org lists.fedoraproject.org nvd.nist.gov security.netapp.com www.cve.org
LOW	CVE-2024-28757: expat: XML Entity Expansion libexpat through 2.6.1 allows an XML Entity Expansion attack when there is isolated use of external parsers (created via XML_ExternalEntityParserCreate). Package Name: libexpat1 Installed Version: 2.5.0-1 Fixed Version: References: www.openwall.com access.redhat.com access.redhat.com bugzilla.redhat.com bugzilla.redhat.com errata.almalinux.org github.com github.com linux.oracle.com linux.oracle.com lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org nvd.nist.gov security.netapp.com ubuntu.com www.cve.org
LOW	CVE-2022-27943: binutils: libiberty/rust-demangle.c in GNU GCC 11.2 allows stack exhaustion in demangle_const libiberty/rust-demangle.c in GNU GCC 11.2 allows stack consumption in demangle_const, as demonstrated by nm-new. Package Name: libgcc-s1 Installed Version: 12.2.0-14 Fixed Version: References: access.redhat.com gcc.gnu.org gcc.gnu.org gcc.gnu.org gcc.gnu.org gcc.gnu.org lists.fedoraproject.org nvd.nist.gov sourceware.org www.cve.org
LOW	CVE-2023-4039: gcc: -fstack-protector fails to guard dynamic stack allocations on ARM64 DISPUTEDA failure in the -fstack-protector feature in GCC-based toolchains that target AArch64 allows an attacker to exploit an existing buffer overflow in dynamically-sized local variables in your application without this being detected. This stack-protector failure only applies to C99-style dynamically-sized local variables or those created using alloca(). The stack-protector operates as intended for statically-sized local variables. The default behavior when the stack-protector detects an overflow is to terminate your application, resulting in controlled loss of availability. An attacker who can exploit a buffer overflow without triggering the stack-protector might be able to change program flow control to cause an uncontrolled loss of availability or to go further and affect confidentiality or integrity. NOTE: The GCC project argues that this is a missed hardening bug and not a vulnerability by itself. Package Name: libgcc-s1 Installed Version: 12.2.0-14 Fixed Version: 12.2.0-14+deb12u1 References: access.redhat.com developer.arm.com gcc.gnu.org gcc.gnu.org github.com inbox.sourceware.org linux.oracle.com linux.oracle.com nvd.nist.gov rtx.meta.security www.cve.org
LOW	CVE-2018-6829: libgcrypt: ElGamal implementation doesn't have semantic security due to incorrectly encoded plaintexts possibly allowing to obtain sensitive information cipher/elgamal.c in Libgcrypt through 1.8.2, when used to encrypt messages directly, improperly encodes plaintexts, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic security in face of a ciphertext-only attack). The Decisional Diffie-Hellman (DDH) assumption does not hold for Libgcrypt's ElGamal implementation. Package Name: libgcrypt20 Installed Version: 1.10.1-3 Fixed Version: References: access.redhat.com github.com github.com lists.gnupg.org nvd.nist.gov www.cve.org www.oracle.com
LOW	CVE-2024-2236: libgcrypt: vulnerable to Marvin Attack A timing-based side-channel flaw was found in libgcrypt's RSA implementation. This issue may allow a remote attacker to initiate a Bleichenbacher-style attack, which can lead to the decryption of RSA ciphertexts. Package Name: libgcrypt20 Installed Version: 1.10.1-3 Fixed Version: References: access.redhat.com access.redhat.com access.redhat.com access.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com dev.gnupg.org errata.almalinux.org github.com gitlab.com linux.oracle.com linux.oracle.com lists.gnupg.org nvd.nist.gov www.cve.org
LOW	CVE-2011-3389: HTTPS: block-wise chosen-plaintext attack against SSL/TLS (BEAST) The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle attackers to obtain plaintext HTTP headers via a blockwise chosen-boundary attack (BCBA) on an HTTPS session, in conjunction with JavaScript code that uses (1) the HTML5 WebSocket API, (2) the Java URLConnection API, or (3) the Silverlight WebClient API, aka a "BEAST" attack. Package Name: libgnutls30 Installed Version: 3.7.9-2+deb12u3 Fixed Version: References: arcticdog.wordpress.com blog.mozilla.com blogs.technet.com blogs.technet.com curl.haxx.se downloads.asterisk.org ekoparty.org eprint.iacr.org eprint.iacr.org googlechromereleases.blogspot.com isc.sans.edu lists.apple.com lists.apple.com lists.apple.com lists.apple.com lists.apple.com lists.apple.com lists.apple.com lists.opensuse.org lists.opensuse.org lists.opensuse.org lists.opensuse.org marc.info marc.info marc.info marc.info marc.info marc.info my.opera.com osvdb.org rhn.redhat.com rhn.redhat.com secunia.com secunia.com secunia.com secunia.com secunia.com secunia.com secunia.com secunia.com secunia.com secunia.com security.gentoo.org security.gentoo.org support.apple.com support.apple.com support.apple.com support.apple.com support.apple.com support.apple.com technet.microsoft.com vnhacker.blogspot.com www.apcmedia.com www.debian.org www.educatedguesswork.org www.ibm.com www.imperialviolet.org www.insecure.cl www.kb.cert.org www.mandriva.com www.opera.com www.opera.com www.opera.com www.opera.com www.opera.com www.opera.com www.opera.com www.oracle.com www.oracle.com www.oracle.com www.redhat.com www.redhat.com www.securityfocus.com www.securityfocus.com www.securitytracker.com www.securitytracker.com www.securitytracker.com www.securitytracker.com www.ubuntu.com www.us-cert.gov access.redhat.com blogs.oracle.com bugzilla.novell.com bugzilla.redhat.com cert-portal.siemens.com docs.microsoft.com h20564.www2.hp.com hermes.opensuse.org hermes.opensuse.org ics-cert.us-cert.gov linux.oracle.com linux.oracle.com nvd.nist.gov oval.cisecurity.org ubuntu.com www.cve.org
LOW	CVE-2018-5709: krb5: integer overflow in dbentry->n_key_data in kadmin/dbutil/dump.c An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. There is a variable "dbentry->n_key_data" in kadmin/dbutil/dump.c that can store 16-bit data but unknowingly the developer has assigned a "u4" variable to it, which is for 32-bit data. An attacker can use this vulnerability to affect other artifacts of the database as we know that a Kerberos database dump file contains trusted data. Package Name: libgssapi-krb5-2 Installed Version: 1.20.1-2+deb12u2 Fixed Version: References: access.redhat.com github.com lists.apache.org nvd.nist.gov www.cve.org
LOW	CVE-2024-26458: krb5: Memory leak at /krb5/src/lib/rpc/pmap_rmt.c Kerberos 5 (aka krb5) 1.21.2 contains a memory leak in /krb5/src/lib/rpc/pmap_rmt.c. Package Name: libgssapi-krb5-2 Installed Version: 1.20.1-2+deb12u2 Fixed Version: References: access.redhat.com access.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com cve.mitre.org cve.mitre.org errata.almalinux.org errata.rockylinux.org github.com linux.oracle.com linux.oracle.com mailman.mit.edu nvd.nist.gov security.netapp.com ubuntu.com www.cve.org
LOW	CVE-2024-26461: krb5: Memory leak at /krb5/src/lib/gssapi/krb5/k5sealv3.c Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/lib/gssapi/krb5/k5sealv3.c. Package Name: libgssapi-krb5-2 Installed Version: 1.20.1-2+deb12u2 Fixed Version: References: access.redhat.com access.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com cve.mitre.org cve.mitre.org errata.almalinux.org errata.rockylinux.org github.com linux.oracle.com linux.oracle.com mailman.mit.edu nvd.nist.gov security.netapp.com ubuntu.com www.cve.org
LOW	CVE-2023-49463: libheif v1.17.5 was discovered to contain a segmentation violation via ... libheif v1.17.5 was discovered to contain a segmentation violation via the function find_exif_tag at /libheif/exif.cc. Package Name: libheif1 Installed Version: 1.15.1-1 Fixed Version: References: github.com github.com ubuntu.com www.cve.org
LOW	CVE-2024-25269: libheif <= 1.17.6 contains a memory leak in the function JpegEncoder:: ... libheif <= 1.17.6 contains a memory leak in the function JpegEncoder::Encode. This flaw allows an attacker to cause a denial of service attack. Package Name: libheif1 Installed Version: 1.15.1-1 Fixed Version: References: github.com
LOW	CVE-2017-9937: libtiff: memory malloc failure in tif_jbig.c could cause DOS. In LibTIFF 4.0.8, there is a memory malloc failure in tif_jbig.c. A crafted TIFF document can lead to an abort resulting in a remote denial of service attack. Package Name: libjbig0 Installed Version: 2.1-6.1 Fixed Version: References: bugzilla.maptools.org www.securityfocus.com access.redhat.com lists.apache.org nvd.nist.gov ubuntu.com www.cve.org
LOW	CVE-2018-5709: krb5: integer overflow in dbentry->n_key_data in kadmin/dbutil/dump.c An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. There is a variable "dbentry->n_key_data" in kadmin/dbutil/dump.c that can store 16-bit data but unknowingly the developer has assigned a "u4" variable to it, which is for 32-bit data. An attacker can use this vulnerability to affect other artifacts of the database as we know that a Kerberos database dump file contains trusted data. Package Name: libk5crypto3 Installed Version: 1.20.1-2+deb12u2 Fixed Version: References: access.redhat.com github.com lists.apache.org nvd.nist.gov www.cve.org
LOW	CVE-2024-26458: krb5: Memory leak at /krb5/src/lib/rpc/pmap_rmt.c Kerberos 5 (aka krb5) 1.21.2 contains a memory leak in /krb5/src/lib/rpc/pmap_rmt.c. Package Name: libk5crypto3 Installed Version: 1.20.1-2+deb12u2 Fixed Version: References: access.redhat.com access.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com cve.mitre.org cve.mitre.org errata.almalinux.org errata.rockylinux.org github.com linux.oracle.com linux.oracle.com mailman.mit.edu nvd.nist.gov security.netapp.com ubuntu.com www.cve.org
LOW	CVE-2024-26461: krb5: Memory leak at /krb5/src/lib/gssapi/krb5/k5sealv3.c Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/lib/gssapi/krb5/k5sealv3.c. Package Name: libk5crypto3 Installed Version: 1.20.1-2+deb12u2 Fixed Version: References: access.redhat.com access.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com cve.mitre.org cve.mitre.org errata.almalinux.org errata.rockylinux.org github.com linux.oracle.com linux.oracle.com mailman.mit.edu nvd.nist.gov security.netapp.com ubuntu.com www.cve.org
LOW	CVE-2018-5709: krb5: integer overflow in dbentry->n_key_data in kadmin/dbutil/dump.c An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. There is a variable "dbentry->n_key_data" in kadmin/dbutil/dump.c that can store 16-bit data but unknowingly the developer has assigned a "u4" variable to it, which is for 32-bit data. An attacker can use this vulnerability to affect other artifacts of the database as we know that a Kerberos database dump file contains trusted data. Package Name: libkrb5-3 Installed Version: 1.20.1-2+deb12u2 Fixed Version: References: access.redhat.com github.com lists.apache.org nvd.nist.gov www.cve.org
LOW	CVE-2024-26458: krb5: Memory leak at /krb5/src/lib/rpc/pmap_rmt.c Kerberos 5 (aka krb5) 1.21.2 contains a memory leak in /krb5/src/lib/rpc/pmap_rmt.c. Package Name: libkrb5-3 Installed Version: 1.20.1-2+deb12u2 Fixed Version: References: access.redhat.com access.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com cve.mitre.org cve.mitre.org errata.almalinux.org errata.rockylinux.org github.com linux.oracle.com linux.oracle.com mailman.mit.edu nvd.nist.gov security.netapp.com ubuntu.com www.cve.org
LOW	CVE-2024-26461: krb5: Memory leak at /krb5/src/lib/gssapi/krb5/k5sealv3.c Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/lib/gssapi/krb5/k5sealv3.c. Package Name: libkrb5-3 Installed Version: 1.20.1-2+deb12u2 Fixed Version: References: access.redhat.com access.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com cve.mitre.org cve.mitre.org errata.almalinux.org errata.rockylinux.org github.com linux.oracle.com linux.oracle.com mailman.mit.edu nvd.nist.gov security.netapp.com ubuntu.com www.cve.org
LOW	CVE-2018-5709: krb5: integer overflow in dbentry->n_key_data in kadmin/dbutil/dump.c An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. There is a variable "dbentry->n_key_data" in kadmin/dbutil/dump.c that can store 16-bit data but unknowingly the developer has assigned a "u4" variable to it, which is for 32-bit data. An attacker can use this vulnerability to affect other artifacts of the database as we know that a Kerberos database dump file contains trusted data. Package Name: libkrb5support0 Installed Version: 1.20.1-2+deb12u2 Fixed Version: References: access.redhat.com github.com lists.apache.org nvd.nist.gov www.cve.org
LOW	CVE-2024-26458: krb5: Memory leak at /krb5/src/lib/rpc/pmap_rmt.c Kerberos 5 (aka krb5) 1.21.2 contains a memory leak in /krb5/src/lib/rpc/pmap_rmt.c. Package Name: libkrb5support0 Installed Version: 1.20.1-2+deb12u2 Fixed Version: References: access.redhat.com access.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com cve.mitre.org cve.mitre.org errata.almalinux.org errata.rockylinux.org github.com linux.oracle.com linux.oracle.com mailman.mit.edu nvd.nist.gov security.netapp.com ubuntu.com www.cve.org
LOW	CVE-2024-26461: krb5: Memory leak at /krb5/src/lib/gssapi/krb5/k5sealv3.c Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/lib/gssapi/krb5/k5sealv3.c. Package Name: libkrb5support0 Installed Version: 1.20.1-2+deb12u2 Fixed Version: References: access.redhat.com access.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com cve.mitre.org cve.mitre.org errata.almalinux.org errata.rockylinux.org github.com linux.oracle.com linux.oracle.com mailman.mit.edu nvd.nist.gov security.netapp.com ubuntu.com www.cve.org
LOW	CVE-2015-3276: openldap: incorrect multi-keyword mode cipherstring parsing The nss_parse_ciphers function in libraries/libldap/tls_m.c in OpenLDAP does not properly parse OpenSSL-style multi-keyword mode cipher strings, which might cause a weaker than intended cipher to be used and allow remote attackers to have unspecified impact via unknown vectors. Package Name: libldap-2.5-0 Installed Version: 2.5.13+dfsg-5 Fixed Version: References: rhn.redhat.com www.oracle.com www.securitytracker.com access.redhat.com bugzilla.redhat.com linux.oracle.com linux.oracle.com nvd.nist.gov www.cve.org
LOW	CVE-2017-14159: openldap: Privilege escalation via PID file manipulation slapd in OpenLDAP 2.4.45 and earlier creates a PID file after dropping privileges to a non-root account, which might allow local users to kill arbitrary processes by leveraging access to this non-root account for PID file modification before a root script executes a "kill `cat /pathname`" command, as demonstrated by openldap-initscript. Package Name: libldap-2.5-0 Installed Version: 2.5.13+dfsg-5 Fixed Version: References: www.openldap.org access.redhat.com nvd.nist.gov www.cve.org www.oracle.com
LOW	CVE-2017-17740: openldap: contrib/slapd-modules/nops/nops.c attempts to free stack buffer allowing remote attackers to cause a denial of service contrib/slapd-modules/nops/nops.c in OpenLDAP through 2.4.45, when both the nops module and the memberof overlay are enabled, attempts to free a buffer that was allocated on the stack, which allows remote attackers to cause a denial of service (slapd crash) via a member MODDN operation. Package Name: libldap-2.5-0 Installed Version: 2.5.13+dfsg-5 Fixed Version: References: lists.opensuse.org lists.opensuse.org www.openldap.org access.redhat.com kc.mcafee.com nvd.nist.gov www.cve.org www.oracle.com
LOW	CVE-2020-15719: openldap: Certificate validation incorrectly matches name against CN-ID libldap in certain third-party OpenLDAP packages has a certificate-validation flaw when the third-party package is asserting RFC6125 support. It considers CN even when there is a non-matching subjectAltName (SAN). This is fixed in, for example, openldap-2.4.46-10.el8 in Red Hat Enterprise Linux. Package Name: libldap-2.5-0 Installed Version: 2.5.13+dfsg-5 Fixed Version: References: lists.opensuse.org lists.opensuse.org access.redhat.com access.redhat.com bugs.openldap.org bugzilla.redhat.com kc.mcafee.com nvd.nist.gov www.cve.org www.oracle.com
LOW	CVE-2022-0563: util-linux: partial disclosure of arbitrary files in chfn and chsh when compiled with libreadline A flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an "INPUTRC" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4. Package Name: libmount1 Installed Version: 2.38.1-5+deb12u1 Fixed Version: References: access.redhat.com blog.trailofbits.com lore.kernel.org lore.kernel.org nvd.nist.gov security.gentoo.org security.netapp.com www.cve.org
LOW	CVE-2021-4214: libpng: hardcoded value leads to heap-overflow A heap overflow flaw was found in libpngs' pngimage.c program. This flaw allows an attacker with local network access to pass a specially crafted PNG file to the pngimage utility, causing an application to crash, leading to a denial of service. Package Name: libpng16-16 Installed Version: 1.6.39-2 Fixed Version: References: access.redhat.com bugzilla.redhat.com github.com nvd.nist.gov security-tracker.debian.org security.netapp.com www.cve.org
LOW	CVE-2022-0563: util-linux: partial disclosure of arbitrary files in chfn and chsh when compiled with libreadline A flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an "INPUTRC" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4. Package Name: libsmartcols1 Installed Version: 2.38.1-5+deb12u1 Fixed Version: References: access.redhat.com blog.trailofbits.com lore.kernel.org lore.kernel.org nvd.nist.gov security.gentoo.org security.netapp.com www.cve.org
LOW	CVE-2024-2511: openssl: Unbounded memory growth with session handling in TLSv1.3 Issue summary: Some non-default TLS server configurations can cause unbounded memory growth when processing TLSv1.3 sessions Impact summary: An attacker may exploit certain server configurations to trigger unbounded memory growth that would lead to a Denial of Service This problem can occur in TLSv1.3 if the non-default SSL_OP_NO_TICKET option is being used (but not if early_data support is also configured and the default anti-replay protection is in use). In this case, under certain conditions, the session cache can get into an incorrect state and it will fail to flush properly as it fills. The session cache will continue to grow in an unbounded manner. A malicious client could deliberately create the scenario for this failure to force a Denial of Service. It may also happen by accident in normal operation. This issue only affects TLS servers supporting TLSv1.3. It does not affect TLS clients. The FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue. OpenSSL 1.0.2 is also not affected by this issue. Package Name: libssl3 Installed Version: 3.0.13-1~deb12u1 Fixed Version: 3.0.14-1~deb12u1 References: www.openwall.com access.redhat.com access.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com errata.almalinux.org github.com github.com github.com github.openssl.org linux.oracle.com linux.oracle.com nvd.nist.gov security.netapp.com ubuntu.com www.cve.org www.openssl.org www.openssl.org
LOW	CVE-2024-9143: openssl: Low-level invalid GF(2^m) parameters lead to OOB memory access Issue summary: Use of the low-level GF(2^m) elliptic curve APIs with untrusted explicit values for the field polynomial can lead to out-of-bounds memory reads or writes. Impact summary: Out of bound memory writes can lead to an application crash or even a possibility of a remote code execution, however, in all the protocols involving Elliptic Curve Cryptography that we're aware of, either only "named curves" are supported, or, if explicit curve parameters are supported, they specify an X9.62 encoding of binary (GF(2^m)) curves that can't represent problematic input values. Thus the likelihood of existence of a vulnerable application is low. In particular, the X9.62 encoding is used for ECC keys in X.509 certificates, so problematic inputs cannot occur in the context of processing X.509 certificates. Any problematic use-cases would have to be using an "exotic" curve encoding. The affected APIs include: EC_GROUP_new_curve_GF2m(), EC_GROUP_new_from_params(), and various supporting BN_GF2m_() functions. Applications working with "exotic" explicit binary (GF(2^m)) curve parameters, that make it possible to represent invalid field polynomials with a zero constant term, via the above or similar APIs, may terminate abruptly as a result of reading or writing outside of array bounds. Remote code execution cannot easily be ruled out. The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue. Package Name:* libssl3 Installed Version: 3.0.13-1~deb12u1 Fixed Version: 3.0.15-1~deb12u1 References: www.openwall.com www.openwall.com www.openwall.com access.redhat.com github.com github.com github.com github.com github.openssl.org github.openssl.org nvd.nist.gov openssl-library.org security.netapp.com ubuntu.com ubuntu.com www.cve.org
LOW	CVE-2022-27943: binutils: libiberty/rust-demangle.c in GNU GCC 11.2 allows stack exhaustion in demangle_const libiberty/rust-demangle.c in GNU GCC 11.2 allows stack consumption in demangle_const, as demonstrated by nm-new. Package Name: libstdc++6 Installed Version: 12.2.0-14 Fixed Version: References: access.redhat.com gcc.gnu.org gcc.gnu.org gcc.gnu.org gcc.gnu.org gcc.gnu.org lists.fedoraproject.org nvd.nist.gov sourceware.org www.cve.org
LOW	CVE-2023-4039: gcc: -fstack-protector fails to guard dynamic stack allocations on ARM64 DISPUTEDA failure in the -fstack-protector feature in GCC-based toolchains that target AArch64 allows an attacker to exploit an existing buffer overflow in dynamically-sized local variables in your application without this being detected. This stack-protector failure only applies to C99-style dynamically-sized local variables or those created using alloca(). The stack-protector operates as intended for statically-sized local variables. The default behavior when the stack-protector detects an overflow is to terminate your application, resulting in controlled loss of availability. An attacker who can exploit a buffer overflow without triggering the stack-protector might be able to change program flow control to cause an uncontrolled loss of availability or to go further and affect confidentiality or integrity. NOTE: The GCC project argues that this is a missed hardening bug and not a vulnerability by itself. Package Name: libstdc++6 Installed Version: 12.2.0-14 Fixed Version: 12.2.0-14+deb12u1 References: access.redhat.com developer.arm.com gcc.gnu.org gcc.gnu.org github.com inbox.sourceware.org linux.oracle.com linux.oracle.com nvd.nist.gov rtx.meta.security www.cve.org
LOW	CVE-2013-4392: systemd: TOCTOU race condition when updating file permissions and SELinux security contexts systemd, when updating file permissions, allows local users to change the permissions and SELinux security contexts for arbitrary files via a symlink attack on unspecified files. Package Name: libsystemd0 Installed Version: 252.26-1~deb12u2 Fixed Version: References: bugs.debian.org www.openwall.com access.redhat.com bugzilla.redhat.com nvd.nist.gov www.cve.org
LOW	CVE-2023-31437: An issue was discovered in systemd 253. An attacker can modify a seale ... An issue was discovered in systemd 253. An attacker can modify a sealed log file such that, in some views, not all existing and sealed log messages are displayed. NOTE: the vendor reportedly sent "a reply denying that any of the finding was a security vulnerability." Package Name: libsystemd0 Installed Version: 252.26-1~deb12u2 Fixed Version: References: github.com github.com github.com
LOW	CVE-2023-31438: An issue was discovered in systemd 253. An attacker can truncate a sea ... An issue was discovered in systemd 253. An attacker can truncate a sealed log file and then resume log sealing such that checking the integrity shows no error, despite modifications. NOTE: the vendor reportedly sent "a reply denying that any of the finding was a security vulnerability." Package Name: libsystemd0 Installed Version: 252.26-1~deb12u2 Fixed Version: References: github.com github.com github.com github.com
LOW	CVE-2023-31439: An issue was discovered in systemd 253. An attacker can modify the con ... An issue was discovered in systemd 253. An attacker can modify the contents of past events in a sealed log file and then adjust the file such that checking the integrity shows no error, despite modifications. NOTE: the vendor reportedly sent "a reply denying that any of the finding was a security vulnerability." Package Name: libsystemd0 Installed Version: 252.26-1~deb12u2 Fixed Version: References: github.com github.com github.com github.com
LOW	CVE-2017-16232: libtiff: Memory leaks in tif_open.c, tif_lzw.c, and tif_aux.c LibTIFF 4.0.8 has multiple memory leak vulnerabilities, which allow attackers to cause a denial of service (memory consumption), as demonstrated by tif_open.c, tif_lzw.c, and tif_aux.c. NOTE: Third parties were unable to reproduce the issue Package Name: libtiff6 Installed Version: 4.5.0-6+deb12u1 Fixed Version: References: lists.opensuse.org lists.opensuse.org packetstormsecurity.com seclists.org seclists.org www.openwall.com www.openwall.com www.openwall.com www.openwall.com www.securityfocus.com access.redhat.com nvd.nist.gov www.cve.org
LOW	CVE-2017-17973: libtiff: heap-based use after free in tiff2pdf.c:t2p_writeproc In LibTIFF 4.0.8, there is a heap-based use-after-free in the t2p_writeproc function in tiff2pdf.c. NOTE: there is a third-party report of inability to reproduce this issue Package Name: libtiff6 Installed Version: 4.5.0-6+deb12u1 Fixed Version: References: bugzilla.maptools.org www.securityfocus.com access.redhat.com bugzilla.novell.com bugzilla.redhat.com nvd.nist.gov www.cve.org
LOW	CVE-2017-5563: libtiff: Heap-buffer overflow in LZWEncode tif_lzw.c LibTIFF version 4.0.7 is vulnerable to a heap-based buffer over-read in tif_lzw.c resulting in DoS or code execution via a crafted bmp image to tools/bmp2tiff. Package Name: libtiff6 Installed Version: 4.5.0-6+deb12u1 Fixed Version: References: bugzilla.maptools.org www.securityfocus.com access.redhat.com nvd.nist.gov security.gentoo.org ubuntu.com usn.ubuntu.com www.cve.org
LOW	CVE-2017-9117: libtiff: Heap-based buffer over-read in bmp2tiff In LibTIFF 4.0.6 and possibly other versions, the program processes BMP images without verifying that biWidth and biHeight in the bitmap-information header match the actual input, as demonstrated by a heap-based buffer over-read in bmp2tiff. NOTE: mentioning bmp2tiff does not imply that the activation point is in the bmp2tiff.c file (which was removed before the 4.0.7 release). Package Name: libtiff6 Installed Version: 4.5.0-6+deb12u1 Fixed Version: References: bugzilla.maptools.org www.securityfocus.com access.redhat.com gitlab.com nvd.nist.gov ubuntu.com usn.ubuntu.com www.cve.org
LOW	CVE-2018-10126: libtiff: NULL pointer dereference in the jpeg_fdct_16x16 function in jfdctint.c ijg-libjpeg before 9d, as used in tiff2pdf (from LibTIFF) and other products, does not check for a NULL pointer at a certain place in jpeg_fdct_16x16 in jfdctint.c. Package Name: libtiff6 Installed Version: 4.5.0-6+deb12u1 Fixed Version: References: bugzilla.maptools.org access.redhat.com gitlab.com lists.apache.org nvd.nist.gov www.cve.org
LOW	CVE-2022-1210: tiff: Malicious file leads to a denial of service in TIFF File Handler A vulnerability classified as problematic was found in LibTIFF 4.3.0. Affected by this vulnerability is the TIFF File Handler of tiff2ps. Opening a malicious file leads to a denial of service. The attack can be launched remotely but requires user interaction. The exploit has been disclosed to the public and may be used. Package Name: libtiff6 Installed Version: 4.5.0-6+deb12u1 Fixed Version: References: access.redhat.com gitlab.com gitlab.com nvd.nist.gov security.gentoo.org security.netapp.com vuldb.com www.cve.org
LOW	CVE-2023-1916: libtiff: out-of-bounds read in extractImageSection() in tools/tiffcrop.c A flaw was found in tiffcrop, a program distributed by the libtiff package. A specially crafted tiff file can lead to an out-of-bounds read in the extractImageSection function in tools/tiffcrop.c, resulting in a denial of service and limited information disclosure. This issue affects libtiff versions 4.x. Package Name: libtiff6 Installed Version: 4.5.0-6+deb12u1 Fixed Version: References: access.redhat.com gitlab.com gitlab.com gitlab.com gitlab.com nvd.nist.gov support.apple.com ubuntu.com www.cve.org
LOW	CVE-2023-3164: libtiff: heap-buffer-overflow in extractImageSection() A heap-buffer-overflow vulnerability was found in LibTIFF, in extractImageSection() at tools/tiffcrop.c:7916 and tools/tiffcrop.c:7801. This flaw allows attackers to cause a denial of service via a crafted tiff file. Package Name: libtiff6 Installed Version: 4.5.0-6+deb12u1 Fixed Version: References: access.redhat.com bugzilla.redhat.com gitlab.com gitlab.com nvd.nist.gov ubuntu.com www.cve.org
LOW	CVE-2023-6228: libtiff: heap-based buffer overflow in cpStripToTile() in tools/tiffcp.c An issue was found in the tiffcp utility distributed by the libtiff package where a crafted TIFF file on processing may cause a heap-based buffer overflow leads to an application crash. Package Name: libtiff6 Installed Version: 4.5.0-6+deb12u1 Fixed Version: References: access.redhat.com access.redhat.com access.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com cve.mitre.org cve.mitre.org cve.mitre.org cve.mitre.org errata.almalinux.org errata.rockylinux.org linux.oracle.com linux.oracle.com nvd.nist.gov ubuntu.com ubuntu.com www.cve.org
LOW	CVE-2013-4392: systemd: TOCTOU race condition when updating file permissions and SELinux security contexts systemd, when updating file permissions, allows local users to change the permissions and SELinux security contexts for arbitrary files via a symlink attack on unspecified files. Package Name: libudev1 Installed Version: 252.26-1~deb12u2 Fixed Version: References: bugs.debian.org www.openwall.com access.redhat.com bugzilla.redhat.com nvd.nist.gov www.cve.org
LOW	CVE-2023-31437: An issue was discovered in systemd 253. An attacker can modify a seale ... An issue was discovered in systemd 253. An attacker can modify a sealed log file such that, in some views, not all existing and sealed log messages are displayed. NOTE: the vendor reportedly sent "a reply denying that any of the finding was a security vulnerability." Package Name: libudev1 Installed Version: 252.26-1~deb12u2 Fixed Version: References: github.com github.com github.com
LOW	CVE-2023-31438: An issue was discovered in systemd 253. An attacker can truncate a sea ... An issue was discovered in systemd 253. An attacker can truncate a sealed log file and then resume log sealing such that checking the integrity shows no error, despite modifications. NOTE: the vendor reportedly sent "a reply denying that any of the finding was a security vulnerability." Package Name: libudev1 Installed Version: 252.26-1~deb12u2 Fixed Version: References: github.com github.com github.com github.com
LOW	CVE-2023-31439: An issue was discovered in systemd 253. An attacker can modify the con ... An issue was discovered in systemd 253. An attacker can modify the contents of past events in a sealed log file and then adjust the file such that checking the integrity shows no error, despite modifications. NOTE: the vendor reportedly sent "a reply denying that any of the finding was a security vulnerability." Package Name: libudev1 Installed Version: 252.26-1~deb12u2 Fixed Version: References: github.com github.com github.com github.com
LOW	CVE-2022-0563: util-linux: partial disclosure of arbitrary files in chfn and chsh when compiled with libreadline A flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an "INPUTRC" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4. Package Name: libuuid1 Installed Version: 2.38.1-5+deb12u1 Fixed Version: References: access.redhat.com blog.trailofbits.com lore.kernel.org lore.kernel.org nvd.nist.gov security.gentoo.org security.netapp.com www.cve.org
LOW	CVE-2024-34459: libxml2: buffer over-read in xmlHTMLPrintFileContext in xmllint.c An issue was discovered in xmllint (from libxml2) before 2.11.8 and 2.12.x before 2.12.7. Formatting error messages with xmllint --htmlout can result in a buffer over-read in xmlHTMLPrintFileContext in xmllint.c. Package Name: libxml2 Installed Version: 2.9.14+dfsg-1.3~deb12u1 Fixed Version: References: access.redhat.com gitlab.gnome.org gitlab.gnome.org gitlab.gnome.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org nvd.nist.gov ubuntu.com ubuntu.com www.cve.org
LOW	CVE-2015-9019: libxslt: math.random() in xslt uses unseeded randomness In libxslt 1.1.29 and earlier, the EXSLT math.random function was not initialized with a random seed during startup, which could cause usage of this function to produce predictable outputs. Package Name: libxslt1.1 Installed Version: 1.1.35-1 Fixed Version: References: access.redhat.com bugzilla.gnome.org bugzilla.suse.com nvd.nist.gov www.cve.org
LOW	CVE-2007-5686: initscripts in rPath Linux 1 sets insecure permissions for the /var/lo ... initscripts in rPath Linux 1 sets insecure permissions for the /var/log/btmp file, which allows local users to obtain sensitive information regarding authentication attempts. NOTE: because sshd detects the insecure permissions and does not log certain events, this also prevents sshd from logging failed authentication attempts by remote attackers. Package Name: login Installed Version: 1:4.13+dfsg1-1+b1 Fixed Version: References: secunia.com www.securityfocus.com www.securityfocus.com www.securityfocus.com www.vupen.com issues.rpath.com
LOW	CVE-2023-29383: shadow: Improper input validation in shadow-utils package utility chfn In Shadow 4.13, it is possible to inject control characters into fields provided to the SUID program chfn (change finger). Although it is not possible to exploit this directly (e.g., adding a new user fails because \n is in the block list), it is possible to misrepresent the /etc/passwd file when viewed. Use of \r manipulations and Unicode characters to work around blocking of the : character make it possible to give the impression that a new user has been added. In other words, an adversary may be able to convince a system administrator to take the system offline (an indirect, social-engineered denial of service) by demonstrating that "cat /etc/passwd" shows a rogue user account. Package Name: login Installed Version: 1:4.13+dfsg1-1+b1 Fixed Version: 1:4.13+dfsg1-1+deb12u1 References: access.redhat.com github.com github.com nvd.nist.gov www.cve.org www.trustwave.com www.trustwave.com
LOW	CVE-2024-56433: shadow-utils: Default subordinate ID configuration in /etc/login.defs could lead to compromise shadow-utils (aka shadow) 4.4 through 4.17.0 establishes a default /etc/subuid behavior (e.g., uid 100000 through 165535 for the first user account) that can realistically conflict with the uids of users defined on locally administered networks, potentially leading to account takeover, e.g., by leveraging newuidmap for access to an NFS home directory (or same-host resources in the case of remote logins by these local network users). NOTE: it may also be argued that system administrators should not have assigned uids, within local networks, that are within the range that can occur in /etc/subuid. Package Name: login Installed Version: 1:4.13+dfsg1-1+b1 Fixed Version: References: access.redhat.com github.com github.com github.com nvd.nist.gov www.cve.org
LOW	TEMP-0628843-DBAD28: [more related to CVE-2005-4890] Package Name: login Installed Version: 1:4.13+dfsg1-1+b1 Fixed Version: References:
LOW	CVE-2022-0563: util-linux: partial disclosure of arbitrary files in chfn and chsh when compiled with libreadline A flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an "INPUTRC" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4. Package Name: mount Installed Version: 2.38.1-5+deb12u1 Fixed Version: References: access.redhat.com blog.trailofbits.com lore.kernel.org lore.kernel.org nvd.nist.gov security.gentoo.org security.netapp.com www.cve.org
LOW	CVE-2009-4487: nginx: Absent sanitation of escape sequences in web server log nginx 0.7.64 writes data to a log file without sanitizing non-printable characters, which might allow remote attackers to modify a window's title, or possibly execute arbitrary commands or overwrite files, via an HTTP request containing an escape sequence for a terminal emulator. Package Name: nginx Installed Version: 1.26.1-2~bookworm Fixed Version: References: www.securityfocus.com www.securityfocus.com www.ush.it access.redhat.com nvd.nist.gov www.cve.org
LOW	CVE-2013-0337: The default configuration of nginx, possibly 1.3.13 and earlier, uses ... The default configuration of nginx, possibly 1.3.13 and earlier, uses world-readable permissions for the (1) access.log and (2) error.log files, which allows local users to obtain sensitive information by reading the files. Package Name: nginx Installed Version: 1.26.1-2~bookworm Fixed Version: References: secunia.com security.gentoo.org www.openwall.com www.openwall.com www.openwall.com
LOW	CVE-2023-44487: HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. Package Name: nginx Installed Version: 1.26.1-2~bookworm Fixed Version: References: www.openwall.com www.openwall.com www.openwall.com www.openwall.com www.openwall.com www.openwall.com www.openwall.com www.openwall.com access.redhat.com access.redhat.com access.redhat.com akka.io arstechnica.com arstechnica.com aws.amazon.com aws.amazon.com blog.cloudflare.com blog.cloudflare.com blog.cloudflare.com blog.cloudflare.com blog.litespeedtech.com blog.litespeedtech.com blog.qualys.com blog.vespa.ai blog.vespa.ai bugzilla.proxmox.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.suse.com cgit.freebsd.org chaos.social cloud.google.com cloud.google.com cloud.google.com community.traefik.io cve.mitre.org devblogs.microsoft.com discuss.hashicorp.com edg.io errata.almalinux.org errata.rockylinux.org forums.swift.org gist.github.com github.com github.com github.com github.com github.com github.com github.com github.com github.com github.com github.com github.com github.com github.com github.com github.com github.com github.com github.com github.com github.com github.com github.com github.com github.com github.com github.com github.com github.com github.com github.com github.com github.com github.com github.com github.com github.com github.com github.com github.com github.com github.com github.com github.com github.com github.com github.com github.com github.com github.com github.com github.com github.com github.com github.com go.dev go.dev go.dev groups.google.com groups.google.com istio.io istio.io linkerd.io linkerd.io linux.oracle.com linux.oracle.com lists.apache.org lists.debian.org lists.debian.org lists.debian.org lists.debian.org lists.debian.org lists.debian.org lists.debian.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org lists.w3.org mailman.nginx.org martinthomson.github.io msrc.microsoft.com msrc.microsoft.com msrc.microsoft.com my.f5.com netty.io news.ycombinator.com news.ycombinator.com news.ycombinator.com news.ycombinator.com nodejs.org nvd.nist.gov openssf.org openssf.org pkg.go.dev seanmonstar.com sec.cloudapps.cisco.com security.gentoo.org security.netapp.com security.netapp.com security.netapp.com security.netapp.com security.netapp.com security.netapp.com security.netapp.com security.netapp.com security.paloaltonetworks.com tomcat.apache.org tomcat.apache.org tomcat.apache.org tomcat.apache.org tomcat.apache.org ubuntu.com ubuntu.com ubuntu.com ubuntu.com ubuntu.com ubuntu.com ubuntu.com ubuntu.com ubuntu.com ubuntu.com ubuntu.com ubuntu.com ubuntu.com ubuntu.com www.bleepingcomputer.com www.bleepingcomputer.com www.cisa.gov www.cisa.gov www.cve.org www.darkreading.com www.debian.org www.debian.org www.debian.org www.debian.org www.debian.org www.debian.org www.eclipse.org www.haproxy.com www.mail-archive.com www.netlify.com www.netlify.com www.nginx.com www.nginx.com www.openwall.com www.phoronix.com www.theregister.com www.theregister.com www.vicarius.io
LOW	CVE-2024-2511: openssl: Unbounded memory growth with session handling in TLSv1.3 Issue summary: Some non-default TLS server configurations can cause unbounded memory growth when processing TLSv1.3 sessions Impact summary: An attacker may exploit certain server configurations to trigger unbounded memory growth that would lead to a Denial of Service This problem can occur in TLSv1.3 if the non-default SSL_OP_NO_TICKET option is being used (but not if early_data support is also configured and the default anti-replay protection is in use). In this case, under certain conditions, the session cache can get into an incorrect state and it will fail to flush properly as it fills. The session cache will continue to grow in an unbounded manner. A malicious client could deliberately create the scenario for this failure to force a Denial of Service. It may also happen by accident in normal operation. This issue only affects TLS servers supporting TLSv1.3. It does not affect TLS clients. The FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue. OpenSSL 1.0.2 is also not affected by this issue. Package Name: openssl Installed Version: 3.0.13-1~deb12u1 Fixed Version: 3.0.14-1~deb12u1 References: www.openwall.com access.redhat.com access.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com errata.almalinux.org github.com github.com github.com github.openssl.org linux.oracle.com linux.oracle.com nvd.nist.gov security.netapp.com ubuntu.com www.cve.org www.openssl.org www.openssl.org
LOW	CVE-2024-9143: openssl: Low-level invalid GF(2^m) parameters lead to OOB memory access Issue summary: Use of the low-level GF(2^m) elliptic curve APIs with untrusted explicit values for the field polynomial can lead to out-of-bounds memory reads or writes. Impact summary: Out of bound memory writes can lead to an application crash or even a possibility of a remote code execution, however, in all the protocols involving Elliptic Curve Cryptography that we're aware of, either only "named curves" are supported, or, if explicit curve parameters are supported, they specify an X9.62 encoding of binary (GF(2^m)) curves that can't represent problematic input values. Thus the likelihood of existence of a vulnerable application is low. In particular, the X9.62 encoding is used for ECC keys in X.509 certificates, so problematic inputs cannot occur in the context of processing X.509 certificates. Any problematic use-cases would have to be using an "exotic" curve encoding. The affected APIs include: EC_GROUP_new_curve_GF2m(), EC_GROUP_new_from_params(), and various supporting BN_GF2m_() functions. Applications working with "exotic" explicit binary (GF(2^m)) curve parameters, that make it possible to represent invalid field polynomials with a zero constant term, via the above or similar APIs, may terminate abruptly as a result of reading or writing outside of array bounds. Remote code execution cannot easily be ruled out. The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue. Package Name:* openssl Installed Version: 3.0.13-1~deb12u1 Fixed Version: 3.0.15-1~deb12u1 References: www.openwall.com www.openwall.com www.openwall.com access.redhat.com github.com github.com github.com github.com github.openssl.org github.openssl.org nvd.nist.gov openssl-library.org security.netapp.com ubuntu.com ubuntu.com www.cve.org
LOW	CVE-2007-5686: initscripts in rPath Linux 1 sets insecure permissions for the /var/lo ... initscripts in rPath Linux 1 sets insecure permissions for the /var/log/btmp file, which allows local users to obtain sensitive information regarding authentication attempts. NOTE: because sshd detects the insecure permissions and does not log certain events, this also prevents sshd from logging failed authentication attempts by remote attackers. Package Name: passwd Installed Version: 1:4.13+dfsg1-1+b1 Fixed Version: References: secunia.com www.securityfocus.com www.securityfocus.com www.securityfocus.com www.vupen.com issues.rpath.com
LOW	CVE-2023-29383: shadow: Improper input validation in shadow-utils package utility chfn In Shadow 4.13, it is possible to inject control characters into fields provided to the SUID program chfn (change finger). Although it is not possible to exploit this directly (e.g., adding a new user fails because \n is in the block list), it is possible to misrepresent the /etc/passwd file when viewed. Use of \r manipulations and Unicode characters to work around blocking of the : character make it possible to give the impression that a new user has been added. In other words, an adversary may be able to convince a system administrator to take the system offline (an indirect, social-engineered denial of service) by demonstrating that "cat /etc/passwd" shows a rogue user account. Package Name: passwd Installed Version: 1:4.13+dfsg1-1+b1 Fixed Version: 1:4.13+dfsg1-1+deb12u1 References: access.redhat.com github.com github.com nvd.nist.gov www.cve.org www.trustwave.com www.trustwave.com
LOW	CVE-2024-56433: shadow-utils: Default subordinate ID configuration in /etc/login.defs could lead to compromise shadow-utils (aka shadow) 4.4 through 4.17.0 establishes a default /etc/subuid behavior (e.g., uid 100000 through 165535 for the first user account) that can realistically conflict with the uids of users defined on locally administered networks, potentially leading to account takeover, e.g., by leveraging newuidmap for access to an NFS home directory (or same-host resources in the case of remote logins by these local network users). NOTE: it may also be argued that system administrators should not have assigned uids, within local networks, that are within the range that can occur in /etc/subuid. Package Name: passwd Installed Version: 1:4.13+dfsg1-1+b1 Fixed Version: References: access.redhat.com github.com github.com github.com nvd.nist.gov www.cve.org
LOW	TEMP-0628843-DBAD28: [more related to CVE-2005-4890] Package Name: passwd Installed Version: 1:4.13+dfsg1-1+b1 Fixed Version: References:
LOW	CVE-2011-4116: perl: File:: Temp insecure temporary file handling _is_safe in the File::Temp module for Perl does not properly handle symlinks. Package Name: perl-base Installed Version: 5.36.0-7+deb12u1 Fixed Version: References: www.openwall.com www.openwall.com access.redhat.com github.com nvd.nist.gov rt.cpan.org seclists.org www.cve.org
LOW	CVE-2023-31486: http-tiny: insecure TLS cert default HTTP::Tiny before 0.083, a Perl core module since 5.13.9 and available standalone on CPAN, has an insecure default TLS configuration where users must opt in to verify certificates. Package Name: perl-base Installed Version: 5.36.0-7+deb12u1 Fixed Version: References: www.openwall.com www.openwall.com www.openwall.com www.openwall.com access.redhat.com access.redhat.com blog.hackeriet.no bugzilla.redhat.com errata.almalinux.org github.com hackeriet.github.io linux.oracle.com linux.oracle.com nvd.nist.gov security.netapp.com www.cve.org www.openwall.com www.openwall.com www.reddit.com
LOW	TEMP-0517018-A83CE6: [sysvinit: no-root option in expert installer exposes locally exploitable security flaw] Package Name: sysvinit-utils Installed Version: 3.06-4 Fixed Version: References:
LOW	CVE-2005-2541: tar: does not properly warn the user when extracting setuid or setgid files Tar 1.15.1 does not properly warn the user when extracting setuid or setgid files, which may allow local users or remote attackers to gain privileges. Package Name: tar Installed Version: 1.34+dfsg-1.2+deb12u1 Fixed Version: References: marc.info access.redhat.com lists.apache.org nvd.nist.gov www.cve.org
LOW	TEMP-0290435-0B57B5: [tar's rmt command may have undesired side effects] Package Name: tar Installed Version: 1.34+dfsg-1.2+deb12u1 Fixed Version: References:
LOW	CVE-2022-0563: util-linux: partial disclosure of arbitrary files in chfn and chsh when compiled with libreadline A flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an "INPUTRC" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4. Package Name: util-linux Installed Version: 2.38.1-5+deb12u1 Fixed Version: References: access.redhat.com blog.trailofbits.com lore.kernel.org lore.kernel.org nvd.nist.gov security.gentoo.org security.netapp.com www.cve.org
LOW	CVE-2022-0563: util-linux: partial disclosure of arbitrary files in chfn and chsh when compiled with libreadline A flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an "INPUTRC" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4. Package Name: util-linux-extra Installed Version: 2.38.1-5+deb12u1 Fixed Version: References: access.redhat.com blog.trailofbits.com lore.kernel.org lore.kernel.org nvd.nist.gov security.gentoo.org security.netapp.com www.cve.org
UNKNOWN	CVE-2025-48175: In libavif before 1.3.0, avifImageRGBToYUV in reformat.c has integer o ... In libavif before 1.3.0, avifImageRGBToYUV in reformat.c has integer overflows in multiplications involving rgbRowBytes, yRowBytes, uRowBytes, and vRowBytes. Package Name: libavif15 Installed Version: 0.11.1-1 Fixed Version: 0.11.1-1+deb12u1 References: github.com github.com github.com

Package statistics are no longer available on cloudsmith.io. Please visit our new web app to access this feature.

You can embed a badge in another website that shows this or the latest version of this package.

To embed the badge for this specific package version, use the following:

[![This version of 'nginx' @ Cloudsmith](https://api.cloudsmith.com/v1/badges/version/demo-docs/awesome-repo/docker/nginx/1.26.1/a=arm64;xpo=linux/?render=true)](https://cloudsmith.io/~demo-docs/repos/awesome-repo/packages/detail/docker/nginx/757cdfb779a9c6036b2374a0b2557bdccc286cbf21184dd76a92bade584666aa/a=arm64;xpo=linux/)

|This version of 'nginx' @ Cloudsmith|
.. |This version of 'nginx' @ Cloudsmith| image:: https://api.cloudsmith.com/v1/badges/version/demo-docs/awesome-repo/docker/nginx/1.26.1/a=arm64;xpo=linux/?render=true
   :target: https://cloudsmith.io/~demo-docs/repos/awesome-repo/packages/detail/docker/nginx/757cdfb779a9c6036b2374a0b2557bdccc286cbf21184dd76a92bade584666aa/a=arm64;xpo=linux/

image::https://api.cloudsmith.com/v1/badges/version/demo-docs/awesome-repo/docker/nginx/1.26.1/a=arm64;xpo=linux/?render=true[link="https://cloudsmith.io/~demo-docs/repos/awesome-repo/packages/detail/docker/nginx/757cdfb779a9c6036b2374a0b2557bdccc286cbf21184dd76a92bade584666aa/a=arm64;xpo=linux/",title="This version of 'nginx' @ Cloudsmith"]

<a href="https://cloudsmith.io/~demo-docs/repos/awesome-repo/packages/detail/docker/nginx/757cdfb779a9c6036b2374a0b2557bdccc286cbf21184dd76a92bade584666aa/a=arm64;xpo=linux/"><img src="https://api.cloudsmith.com/v1/badges/version/demo-docs/awesome-repo/docker/nginx/1.26.1/a=arm64;xpo=linux/?render=true" alt="This version of 'nginx' @ Cloudsmith" /></a>

rendered as:

To embed the badge for the latest package version, use the following:

[![Latest version of 'nginx' @ Cloudsmith](https://api.cloudsmith.com/v1/badges/version/demo-docs/awesome-repo/docker/nginx/latest/a=arm64;xpo=linux/?render=true&show_latest=true)](https://cloudsmith.io/~demo-docs/repos/awesome-repo/packages/detail/docker/nginx/latest/a=arm64;xpo=linux/)

|Latest version of 'nginx' @ Cloudsmith|
.. |Latest version of 'nginx' @ Cloudsmith| image:: https://api.cloudsmith.com/v1/badges/version/demo-docs/awesome-repo/docker/nginx/latest/a=arm64;xpo=linux/?render=true&show_latest=true
   :target: https://cloudsmith.io/~demo-docs/repos/awesome-repo/packages/detail/docker/nginx/latest/a=arm64;xpo=linux/

image::https://api.cloudsmith.com/v1/badges/version/demo-docs/awesome-repo/docker/nginx/latest/a=arm64;xpo=linux/?render=true&show_latest=true[link="https://cloudsmith.io/~demo-docs/repos/awesome-repo/packages/detail/docker/nginx/latest/a=arm64;xpo=linux/",title="Latest version of 'nginx' @ Cloudsmith"]

<a href="https://cloudsmith.io/~demo-docs/repos/awesome-repo/packages/detail/docker/nginx/latest/a=arm64;xpo=linux/"><img src="https://api.cloudsmith.com/v1/badges/version/demo-docs/awesome-repo/docker/nginx/latest/a=arm64;xpo=linux/?render=true&show_latest=true" alt="Latest version of 'nginx' @ Cloudsmith" /></a>

rendered as:

Previous Version

Next Version: 1.27.5-alpine

	Digest: sha256:aa6fbc30c84e14e64571d3d7b547ea801dfca8a7bd74bd930b5ea5de3eb2f442 Command: /bin/sh -c #(nop) ADD file:4aa9ddc52f046592777767c91a04b9490d98811bedb8980fca794d55bbad1a0f in /	27.8 MB
	Digest: sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4 Command: /bin/sh -c #(nop) CMD ["bash"]	32 bytes
	Digest: sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4 Command: LABEL maintainer=NGINX Docker Maintainers <docker-maint@nginx.com>	32 bytes
	Digest: sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4 Command: ENV NGINX_VERSION=1.26.1	32 bytes
	Digest: sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4 Command: ENV NJS_VERSION=0.8.4	32 bytes
	Digest: sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4 Command: ENV NJS_RELEASE=2~bookworm	32 bytes
	Digest: sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4 Command: ENV PKG_RELEASE=2~bookworm	32 bytes
	Digest: sha256:e39144dba772d82761eb314e96489172df9227806078392479d266e8f266bf6e Command: RUN /bin/sh -c set -x && groupadd --system --gid 101 nginx && useradd --system --gid nginx --no-create-home --home /nonexistent --comment "nginx user" --shell /bin/false --uid 101 nginx && apt-get update && apt-get install --no-install-recommends --no-install-suggests -y gnupg1 ca-certificates && NGINX_GPGKEYS="573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62 8540A6F18833A80E9C1653A42FD21310B49F6B46 9E9BE90EACBCDE69FE9B204CBCDCD8A38D88A2B3"; NGINX_GPGKEY_PATH=/etc/apt/keyrings/nginx-archive-keyring.gpg; export GNUPGHOME="$(mktemp -d)"; found=''; for NGINX_GPGKEY in $NGINX_GPGKEYS; do for server in hkp://keyserver.ubuntu.com:80 pgp.mit.edu ; do echo "Fetching GPG key $NGINX_GPGKEY from $server"; gpg1 --keyserver "$server" --keyserver-options timeout=10 --recv-keys "$NGINX_GPGKEY" && found=yes && break; done; test -z "$found" && echo >&2 "error: failed to fetch GPG key $NGINX_GPGKEY" && exit 1; done; gpg1 --export "$NGINX_GPGKEYS" > "$NGINX_GPGKEY_PATH" ; rm -rf "$GNUPGHOME"; apt-get remove --purge --auto-remove -y gnupg1 && rm -rf /var/lib/apt/lists/* && dpkgArch="$(dpkg --print-architecture)" && nginxPackages=" nginx=${NGINX_VERSION}-${PKG_RELEASE} nginx-module-xslt=${NGINX_VERSION}-${PKG_RELEASE} nginx-module-geoip=${NGINX_VERSION}-${PKG_RELEASE} nginx-module-image-filter=${NGINX_VERSION}-${PKG_RELEASE} nginx-module-njs=${NGINX_VERSION}+${NJS_VERSION}-${NJS_RELEASE} " && case "$dpkgArch" in amd64\|arm64) echo "deb [signed-by=$NGINX_GPGKEY_PATH] https://nginx.org/packages/debian/ bookworm nginx" >> /etc/apt/sources.list.d/nginx.list && apt-get update ;; ) echo "deb-src [signed-by=$NGINX_GPGKEY_PATH] https://nginx.org/packages/debian/ bookworm nginx" >> /etc/apt/sources.list.d/nginx.list && tempDir="$(mktemp -d)" && chmod 777 "$tempDir" && savedAptMark="$(apt-mark showmanual)" && apt-get update && apt-get build-dep -y $nginxPackages && ( cd "$tempDir" && DEB_BUILD_OPTIONS="nocheck parallel=$(nproc)" apt-get source --compile $nginxPackages ) && apt-mark showmanual \| xargs apt-mark auto > /dev/null && { [ -z "$savedAptMark" ] \|\| apt-mark manual $savedAptMark; } && ls -lAFh "$tempDir" && ( cd "$tempDir" && dpkg-scanpackages . > Packages ) && grep '^Package: ' "$tempDir/Packages" && echo "deb [ trusted=yes ] file://$tempDir ./" > /etc/apt/sources.list.d/temp.list && apt-get -o Acquire::GzipIndexes=false update ;; esac && apt-get install --no-install-recommends --no-install-suggests -y $nginxPackages gettext-base curl && apt-get remove --purge --auto-remove -y && rm -rf /var/lib/apt/lists/ /etc/apt/sources.list.d/nginx.list && if [ -n "$tempDir" ]; then apt-get purge -y --auto-remove && rm -rf "$tempDir" /etc/apt/sources.list.d/temp.list; fi && ln -sf /dev/stdout /var/log/nginx/access.log && ln -sf /dev/stderr /var/log/nginx/error.log && mkdir /docker-entrypoint.d # buildkit	36.7 MB
	Digest: sha256:476b25f56a8b8f40012c69d109cdcd36d301f56a9e3b39fd0cf2a0dce916ce9f Command: COPY docker-entrypoint.sh / # buildkit	629 bytes
	Digest: sha256:4d6706039ccefb668ba94617753373178f39230572a1dcf3b97cd67b2870bfcc Command: COPY 10-listen-on-ipv6-by-default.sh /docker-entrypoint.d # buildkit	955 bytes
	Digest: sha256:1dcf5cf9f2d143104b2d2f4b77e248e3d45274f12baed6f5869bb4266005c922 Command: COPY 15-local-resolvers.envsh /docker-entrypoint.d # buildkit	393 bytes
	Digest: sha256:cc69841226e0e04a4ebc2eae3922c83c83b1002c1ac8bad3f170a3fffbb783e9 Command: COPY 20-envsubst-on-templates.sh /docker-entrypoint.d # buildkit	1.2 KB
	Digest: sha256:8cc6eb4a844971ec31299340884a230d6fac41ebb53f0925c6e9cf77c1a7b287 Command: COPY 30-tune-worker-processes.sh /docker-entrypoint.d # buildkit	1.4 KB
	Digest: sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4 Command: ENTRYPOINT ["/docker-entrypoint.sh"]	32 bytes
	Digest: sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4 Command: EXPOSE map[80/tcp:{}]	32 bytes
	Digest: sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4 Command: STOPSIGNAL SIGQUIT	32 bytes
	Digest: sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4 Command: CMD ["nginx" "-g" "daemon off;"]	32 bytes

Medium severity CVEs:

nginx 1.26.1

One-liner (summary)

Description

License

Size

Downloads

Tags

nginx

nginx

nginx

nginx

nginx

Last scanned

Scan result

Vulnerability count

Max. severity

CVE-2023-6879: aom: heap-buffer-overflow on frame size change

CVE-2024-5171: libaom: Integer overflow in internal function img_alloc_helper

CVE-2025-48174: In libavif before 1.3.0, makeRoom in stream.c has an integer overflow ...

CVE-2024-45491: libexpat: Integer Overflow or Wraparound

CVE-2024-45492: libexpat: integer overflow

CVE-2023-45853: zlib: integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_6

CVE-2023-39616: AOMedia v3.0.0 to v3.5.0 was discovered to contain an invalid read mem ...

CVE-2025-4802: glibc: static setuid binary dlopen may incorrectly search LD_LIBRARY_PATH

CVE-2025-4802: glibc: static setuid binary dlopen may incorrectly search LD_LIBRARY_PATH

CVE-2023-52425: expat: parsing large tokens can trigger a denial of service

CVE-2024-45490: libexpat: Negative Length Parsing Vulnerability in libexpat

CVE-2024-8176: libexpat: expat: Improper Restriction of XML Entity Expansion Depth in libexpat

CVE-2025-27363: freetype: OOB write when attempting to parse font subglyph structures related to TrueType GX and variable font files

CVE-2023-49462: libheif v1.17.5 was discovered to contain a segmentation violation via ...

CVE-2024-41311: In Libheif 1.17.6, insufficient checks in ImageOverlay::parse() decodi ...

CVE-2025-5222: icu: Stack buffer overflow in the SRBRoot::addTag function

CVE-2023-2953: openldap: null pointer dereference in ber_memalloc_x function

CVE-2025-31115: xz: XZ has a heap-use-after-free bug in threaded .xz decoder

CVE-2024-6119: openssl: Possible denial of service in X.509 name checks

CVE-2023-52355: libtiff: TIFFRasterScanlineSize64 produce too-big size and could cause OOM

CVE-2023-52356: libtiff: Segment fault in libtiff in TIFFReadRGBATileExt() leading to denial of service

CVE-2024-7006: libtiff: NULL pointer dereference in tif_dirinfo.c

CVE-2024-25062: libxml2: use-after-free in XMLReader

CVE-2024-56171: libxml2: Use-After-Free in libxml2

CVE-2025-24928: libxml2: Stack-based buffer overflow in xmlSnprintfElements of libxml2

CVE-2025-27113: libxml2: NULL Pointer Dereference in libxml2 xmlPatMatch

CVE-2025-32414: libxml2: Out-of-Bounds Read in libxml2

CVE-2025-32415: libxml2: Out-of-bounds Read in xmlSchemaIDCFillNodeTables

CVE-2024-55549: libxslt: Use-After-Free in libxslt (xsltGetInheritedNsList)

CVE-2025-24855: libxslt: Use-After-Free in libxslt numbers.c

CVE-2024-6119: openssl: Possible denial of service in X.509 name checks

CVE-2023-31484: perl: CPAN.pm does not verify TLS certificates when downloading distributions over HTTPS

CVE-2024-56406: perl: Perl 5.34, 5.36, 5.38 and 5.40 are vulnerable to a heap buffer overflow when transliterating non-ASCII bytes

CVE-2024-11053: curl: curl netrc password leak

CVE-2024-7264: curl: libcurl: ASN.1 date parser overread

CVE-2024-8096: curl: OCSP stapling bypass with GnuTLS

CVE-2024-9681: curl: HSTS subdomain overwrites parent cache entry

CVE-2025-0838: abseil-cpp: Heap Buffer overflow in Abseil

CVE-2025-0395: glibc: buffer overflow in the GNU C Library's assert()

CVE-2025-0395: glibc: buffer overflow in the GNU C Library's assert()

CVE-2025-1390: libcap: pam_cap: Fix potential configuration parsing error

CVE-2024-11053: curl: curl netrc password leak

CVE-2024-7264: curl: libcurl: ASN.1 date parser overread

CVE-2024-8096: curl: OCSP stapling bypass with GnuTLS

CVE-2024-9681: curl: HSTS subdomain overwrites parent cache entry

CVE-2023-32570: VideoLAN dav1d before 1.2.0 has a thread_task.c race condition that ca ...

CVE-2023-51792: Buffer Overflow vulnerability in libde265 v1.0.12 allows a local attac ...

CVE-2024-38949: Heap Buffer Overflow vulnerability in Libde265 v1.0.15 allows attacker ...

CVE-2024-38950: Heap Buffer Overflow vulnerability in Libde265 v1.0.15 allows attacker ...

CVE-2024-50602: libexpat: expat: DoS via XML_ResumeParser

CVE-2024-12243: gnutls: GnuTLS Impacted by Inefficient DER Decoding in libtasn1 Leading to Remote DoS

CVE-2024-26462: krb5: Memory leak at /krb5/src/kdc/ndr.c

CVE-2025-24528: krb5: overflow when calculating ulog block size

CVE-2025-3576: krb5: Kerberos RC4-HMAC-MD5 Checksum Vulnerability Enabling Message Spoofing via MD5 Collisions

CVE-2023-29659: A Segmentation fault caused by a floating point exception exists in li ...

CVE-2024-26462: krb5: Memory leak at /krb5/src/kdc/ndr.c

CVE-2025-24528: krb5: overflow when calculating ulog block size

CVE-2025-3576: krb5: Kerberos RC4-HMAC-MD5 Checksum Vulnerability Enabling Message Spoofing via MD5 Collisions

CVE-2024-26462: krb5: Memory leak at /krb5/src/kdc/ndr.c

CVE-2025-24528: krb5: overflow when calculating ulog block size

CVE-2025-3576: krb5: Kerberos RC4-HMAC-MD5 Checksum Vulnerability Enabling Message Spoofing via MD5 Collisions

CVE-2024-26462: krb5: Memory leak at /krb5/src/kdc/ndr.c

CVE-2025-24528: krb5: overflow when calculating ulog block size

CVE-2025-0167: When asked to use a `.netrc` file for credentials and to follow HT ...

CVE-2025-0167: When asked to use a `.netrc` file for credentials and to follow HT ...