You can use boolean logic (e.g. AND/OR/NOT) for complex search queries. For more help and examples, see the search documentation.
Search by package name:
my-package (implicit)
name:my-package (explicit)
Search by package filename:
filename:my-package.ext
Search by package tag:
tag:latest
Search by package version:
version:1.0.0
prerelease:true (prereleases)
prerelease:false (no prereleases)
Search by package architecture:
architecture:x86_64
Search by package distribution:
distribution:el
Search by package license:
license:MIT
Search by package format:
format:deb
Search by package status:
status:in_progress
Search by package file checksum:
checksum:5afba
Search by package security status:
severity:critical
Search by package vulnerabilities:
vulnerabilities:>1
vulnerabilities:<1000
Search by # of package downloads:
downloads:>8
downloads:<100
Search by package type:
type:binary
type:source
Search by package size (bytes):
size:>50000
size:<10000
Search by dependency name/version:
dependency:log4j
dependency:log4j=1.0.0
dependency:log4j>1.0.0
Search by uploaded date:
uploaded:>"1 day ago"
uploaded:<"August 14, 2022 EST"
Search by entitlement token (identifier):
entitlement:3lKPVJPosCsY
Search by policy violation:
policy_violated:true
deny_policy_violated:true
license_policy_violated:true
vulnerability_policy_violated:true
Search by repository:
repository:repo-name
Search by last download date:
last_downloaded:<"30 days ago"
last_downloaded:>"August 14, 2022 EST"
Search queries for all Debian-specific (and related) package types
Search by component:
deb_component:unstable
Search queries for all Maven-specific (and related) package types
Search by group ID:
maven_group_id:org.apache
Search queries for all Docker-specific (and related) package types
Search by image digest:
docker_image_digest:sha256:7c5..6d4 (full hashref only)
Search by layer digest:
docker_layer_digest:sha256:4c4..ae4 (full hashref only)
Search queries for all Generic-specific package types
Search by file path:
generic_filepath:path/to/file.txt
Search by directory:
generic_directory:path/to
Field type modifiers (depending on the type, you can influence behaviour)
For all queries, you can use:
~foo for negation
For string queries, you can use:
^foo to anchor to start of term
foo$ to anchor to end of term
foo*bar for fuzzy matching
For number/date or version queries, you can use:
>foo for values greater than
>=foo for values greater / equal
<foo for values less than
<=foo for values less / equal
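The modifier grammar above can be exercised with a small evaluator. This is an added example, not Cloudsmith's own code and not a description of its search backend: it assumes that a modifier is written on the value side of a field:value term (for example name:~foo), that an unmodified string term is an unanchored, case-insensitive substring match, that the comparison operators are applied to numeric fields only (version and date ordering are left out), and that whitespace-separated terms are ANDed together. The package records it searches are constructed sample data.

```python
"""Evaluate Cloudsmith-style search terms against package records.

Added example (not Cloudsmith's code). Implements the field-type modifiers
listed on the page: ~ for negation; ^ and $ anchors and * wildcards for
string fields; >, >=, <, <= for numeric fields. Assumptions not stated on
the page: the modifier sits on the value part of field:value, a plain
string term is an unanchored substring match, and terms are ANDed.
"""
import re
from typing import Any, Callable

Predicate = Callable[[dict], bool]

# Constructed sample records standing in for package metadata.
PACKAGES = [
    {"name": "my-package", "format": "deb", "severity": "critical", "downloads": 12, "size": 60000},
    {"name": "other-pkg", "format": "docker", "severity": "low", "downloads": 3, "size": 8000},
    {"name": "log4j-core", "format": "maven", "severity": "high", "downloads": 500, "size": 120000},
]

# Fields that take the number comparison modifiers (assumed set, from the page's examples).
NUMERIC_FIELDS = {"downloads", "size", "vulnerabilities"}

_CMP = {
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    "<": lambda a, b: a < b,
}


def string_matcher(pattern: str) -> Callable[[str], bool]:
    """Turn ^foo, foo$, foo*bar or plain foo into a case-insensitive regex test."""
    start = 1 if pattern.startswith("^") else 0
    end = len(pattern) - 1 if pattern.endswith("$") else len(pattern)
    core = pattern[start:end]
    # Escape every literal piece; each '*' becomes a wildcard run.
    body = ".*".join(re.escape(part) for part in core.split("*"))
    regex = ("^" if start else "") + body + ("$" if end != len(pattern) else "")
    compiled = re.compile(regex, re.IGNORECASE)
    return lambda value: compiled.search(value) is not None


def number_matcher(expr: str) -> Callable[[Any], bool]:
    """Turn >foo, >=foo, <foo, <=foo or a bare number into a comparison test."""
    for op in (">=", "<=", ">", "<"):  # two-character operators must be tried first
        if expr.startswith(op):
            bound = float(expr[len(op):])
            return lambda value, op=op, bound=bound: _CMP[op](float(value), bound)
    bound = float(expr)
    return lambda value, bound=bound: float(value) == bound


def compile_term(term: str) -> Predicate:
    """Compile one term; a bare term is an implicit name search, as the page states."""
    field, sep, raw = term.partition(":")
    if not sep:
        field, raw = "name", term
    negate = raw.startswith("~")  # assumed placement of the negation modifier
    if negate:
        raw = raw[1:]
    test = number_matcher(raw) if field in NUMERIC_FIELDS else string_matcher(raw)

    def predicate(pkg: dict) -> bool:
        if field not in pkg:
            return negate  # a missing field never matches; its negation always does
        return test(pkg[field]) != negate

    return predicate


def search(query: str, packages: list[dict] = PACKAGES) -> list[str]:
    """AND the whitespace-separated terms and return the names of matching packages."""
    predicates = [compile_term(t) for t in query.split()]
    return [p["name"] for p in packages if all(pred(p) for pred in predicates)]


if __name__ == "__main__":
    for q in ("my-package", "name:^log4j", "downloads:>8 size:<100000", "format:~deb"):
        print(f"{q!r:32} -> {search(q)}")
```

Queries from the page such as `downloads:>8` or `severity:critical` work unchanged; a real backend would additionally need version-aware ordering for `dependency:log4j>1.0.0` and date parsing for `uploaded:>"1 day ago"`, which this evaluator does not attempt.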
Need a secure and centralised artifact repository to deliver Alpine, Cargo, CocoaPods, Composer, Conan, Conda, CRAN, Dart, Debian, Docker, Generic, Go, Helm, Hex, HuggingFace, LuaRocks, Maven, MCP, npm, NuGet, P2, Python, RedHat, Ruby, Swift, Terraform, Vagrant, VSX, Raw & More packages?
Cloudsmith is the new standard in Package / Artifact Management and Software Distribution.
With support for all major package formats, you can trust us to manage your software supply chain.
Package: testdata
Version: 24.2.0.0-nightly-focal
Description:
This package was uploaded with the following V2 Distribution manifest:
{
  "schemaVersion": 2,
  "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
  "config": {
    "mediaType": "application/vnd.docker.container.image.v1+json",
    "size": 7109,
    "digest": "sha256:f700928ac53c857260b4e28965bcb282fb49d3aef0122ad3fc2d7377af084f26"
  },
  "layers": [
    {
      "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
      "size": 30446558,
      "digest": "sha256:633dff5e2ec0d99ed18fff650f3699c6c2fba866d5e138b1c8e03760f243609f"
    },
    {
      "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
      "size": 16706011,
      "digest": "sha256:b43f9ed56249832a9c5b4eace375afb617534609a6549532bf81b3a459b818ec"
    },
    {
      "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
      "size": 3525,
      "digest": "sha256:df95bef52ef482ae81fcf04c1514d459a3e1dd1ce7592fdef133521cf18ab3c5"
    },
    {
      "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
      "size": 1823783,
      "digest": "sha256:8d43a4b17ca8a9ba57dd968a602aa1b0178b49367c86e2f8ffe7ebe5ec94096f"
    },
    {
      "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
      "size": 117,
      "digest": "sha256:2e7fb5bdc405536d27434effd1f794a585c1524dd10ec11e9488dc24f26f5797"
    },
    {
      "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
      "size": 1849,
      "digest": "sha256:5ba3bf63fbf7f0778bf71cd9a116d12a33835566fe7212d19618195c02946cce"
    },
    {
      "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
      "size": 58166171,
      "digest": "sha256:abe47882c927368f59aef1fd675c57cb99015326fe1c37c669c56b9916edd552"
    },
    {
      "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
      "size": 192,
      "digest": "sha256:14a6286f722c944675f92a565da76393a0a235b77baf515f42ab1861e477a2e0"
    },
    {
      "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
      "size": 191,
      "digest": "sha256:40e3153299bb4e54d592d6da6ce2941e18dfd812cff4a436bb8fd61d00ffa75c"
    },
    {
      "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
      "size": 97,
      "digest": "sha256:a8f97d2049ab10c48dc1d85142394acf8efc05c73db3bd9959eb1d7ef7e61225"
    },
    {
      "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
      "size": 150,
      "digest": "sha256:208412cdeb369000d3a3b149fd8c9458db9e6321473ef304f2fda01566289d42"
    },
    {
      "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
      "size": 6388393,
      "digest": "sha256:0629a32a94e2df28ad13027278aab260dcd7bd0ef90248d057ae48fb463508c5"
    }
  ]
}
Layer history (digest | size | command):

sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4 | 32 bytes | /bin/sh -c #(nop) ARG RELEASE
sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4 | 32 bytes | /bin/sh -c #(nop) ARG LAUNCHPAD_BUILD_ARCH
sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4 | 32 bytes | /bin/sh -c #(nop) LABEL org.opencontainers.image.ref.name=ubuntu
sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4 | 32 bytes | /bin/sh -c #(nop) LABEL org.opencontainers.image.version=22.04
sha256:633dff5e2ec0d99ed18fff650f3699c6c2fba866d5e138b1c8e03760f243609f | 29.0 MB | /bin/sh -c #(nop) ADD file:a91f0885fb0a3435afc34aa876fa0436196193cd9f3fb5a1c51415b60dee2394 in /
sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4 | 32 bytes | /bin/sh -c #(nop) CMD ["/bin/bash"]
sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4 | 32 bytes | ENV APP_UID=1654 ASPNETCORE_HTTP_PORTS=8080 DOTNET_RUNNING_IN_CONTAINER=true
sha256:b43f9ed56249832a9c5b4eace375afb617534609a6549532bf81b3a459b818ec | 15.9 MB | RUN /bin/sh -c apt-get update && apt-get install -y --no-install-recommends ca-certificates libc6 libgcc-s1 libicu70 libssl3 libstdc++6 tzdata zlib1g && rm -rf /var/lib/apt/lists/* # buildkit
sha256:df95bef52ef482ae81fcf04c1514d459a3e1dd1ce7592fdef133521cf18ab3c5 | 3.4 KB | RUN /bin/sh -c groupadd --gid=$APP_UID app && useradd -l --uid=$APP_UID --gid=$APP_UID --create-home app # buildkit
sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4 | 32 bytes | ARG RUNTIME=linux-x64
sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4 | 32 bytes | ARG UID=1000
sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4 | 32 bytes | ARG GID=1000
sha256:8d43a4b17ca8a9ba57dd968a602aa1b0178b49367c86e2f8ffe7ebe5ec94096f | 1.7 MB | RUN |3 RUNTIME=linux-x64 UID=1000 GID=1000 /bin/sh -c if [[ "${RUNTIME}" = "linux-musl-x64" ]]; then apk update && apk add --no-cache curl; else apt update && apt install -y curl && rm -rf /var/lib/apt/lists/*; fi # buildkit
sha256:2e7fb5bdc405536d27434effd1f794a585c1524dd10ec11e9488dc24f26f5797 | 117 bytes | WORKDIR /opt/eventstore
sha256:5ba3bf63fbf7f0778bf71cd9a116d12a33835566fe7212d19618195c02946cce | 1.8 KB | RUN |3 RUNTIME=linux-x64 UID=1000 GID=1000 /bin/sh -c addgroup --gid ${GID} "eventstore" && adduser --disabled-password --gecos "" --ingroup "eventstore" --no-create-home --uid ${UID} "eventstore" # buildkit
sha256:abe47882c927368f59aef1fd675c57cb99015326fe1c37c669c56b9916edd552 | 55.5 MB | COPY /publish ./ # buildkit
sha256:14a6286f722c944675f92a565da76393a0a235b77baf515f42ab1861e477a2e0 | 192 bytes | RUN |3 RUNTIME=linux-x64 UID=1000 GID=1000 /bin/sh -c mkdir -p /var/lib/eventstore && mkdir -p /var/log/eventstore && mkdir -p /etc/eventstore && chown -R eventstore:eventstore /var/lib/eventstore /var/log/eventstore /etc/eventstore # buildkit
sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4 | 32 bytes | USER eventstore
sha256:40e3153299bb4e54d592d6da6ce2941e18dfd812cff4a436bb8fd61d00ffa75c | 191 bytes | RUN |3 RUNTIME=linux-x64 UID=1000 GID=1000 /bin/sh -c printf "NodeIp: 0.0.0.0\nReplicationIp: 0.0.0.0" >> /etc/eventstore/eventstore.conf # buildkit
sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4 | 32 bytes | VOLUME [/var/lib/eventstore /var/log/eventstore]
sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4 | 32 bytes | EXPOSE map[1112/tcp:{} 1113/tcp:{} 2113/tcp:{}]
sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4 | 32 bytes | HEALTHCHECK &{["CMD-SHELL" "curl --fail --insecure https://localhost:2113/health/live || curl --fail http://localhost:2113/health/live || exit 1"] "5s" "5s" "0s" "0s" '\x18'}
sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4 | 32 bytes | ENTRYPOINT ["/opt/eventstore/EventStore.ClusterNode"]
sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4 | 32 bytes | USER root
sha256:a8f97d2049ab10c48dc1d85142394acf8efc05c73db3bd9959eb1d7ef7e61225 | 97 bytes | RUN /bin/sh -c mkdir /data && chown eventstore:eventstore /data # buildkit
sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4 | 32 bytes | USER eventstore
sha256:208412cdeb369000d3a3b149fd8c9458db9e6321473ef304f2fda01566289d42 | 150 bytes | RUN /bin/sh -c ln -s /var/lib/eventstore /data/integration-tests # buildkit
sha256:0629a32a94e2df28ad13027278aab260dcd7bd0ef90248d057ae48fb463508c5 | 6.1 MB | COPY dataset20MB/* /var/lib/eventstore/ # buildkit

The 32-byte digest sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4 that recurs above is the gzipped empty tar, used for metadata-only instructions (ARG, ENV, LABEL, CMD, USER, VOLUME, EXPOSE, HEALTHCHECK, ENTRYPOINT) that change no files; these rows have no counterpart in the manifest's "layers" list, which is why the manifest carries 12 layers while the history shows 28 steps.
Last scanned
2 years, 4 months ago
Scan result
Vulnerable
Vulnerability count
56
Max. severity
High| Target: | . (ubuntu 22.04) | |
| MEDIUM |
CVE-2023-46218: curl: information disclosure by exploiting a mixed case flawThis flaw allows a malicious HTTP server to set "super cookies" in curl that are then passed back to more origins than what is otherwise allowed or possible. This allows a site to set cookies that then would get sent to different and unrelated sites and domains. It could do this by exploiting a mixed case flaw in curl's function that verifies a given cookie domain against the Public Suffix List (PSL). For example a cookie could be set with `domain=co.UK` when the URL used a lower case hostname `curl.co.uk`, even though `co.uk` is listed as a PSL domain.Package Name: curl Installed Version: 7.81.0-1ubuntu1.14 Fixed Version: 7.81.0-1ubuntu1.15 References: access.redhat.com curl.se cve.mitre.org hackerone.com lists.debian.org lists.fedoraproject.org lists.fedoraproject.org nvd.nist.gov security.netapp.com ubuntu.com www.cve.org www.debian.org |
|
| MEDIUM |
CVE-2023-5156: glibc: DoS due to memory leak in getaddrinfo.cA flaw was found in the GNU C Library. A recent fix for CVE-2023-4806 introduced the potential for a memory leak, which may result in an application crash.Package Name: libc-bin Installed Version: 2.35-0ubuntu3.4 Fixed Version: 2.35-0ubuntu3.5 References: www.openwall.com www.openwall.com www.openwall.com www.openwall.com access.redhat.com bugzilla.redhat.com cve.mitre.org nvd.nist.gov security.gentoo.org sourceware.org sourceware.org sourceware.org ubuntu.com ubuntu.com www.cve.org |
|
| MEDIUM |
CVE-2023-5156: glibc: DoS due to memory leak in getaddrinfo.cA flaw was found in the GNU C Library. A recent fix for CVE-2023-4806 introduced the potential for a memory leak, which may result in an application crash.Package Name: libc6 Installed Version: 2.35-0ubuntu3.4 Fixed Version: 2.35-0ubuntu3.5 References: www.openwall.com www.openwall.com www.openwall.com www.openwall.com access.redhat.com bugzilla.redhat.com cve.mitre.org nvd.nist.gov security.gentoo.org sourceware.org sourceware.org sourceware.org ubuntu.com ubuntu.com www.cve.org |
|
| MEDIUM |
CVE-2023-46218: curl: information disclosure by exploiting a mixed case flawThis flaw allows a malicious HTTP server to set "super cookies" in curl that are then passed back to more origins than what is otherwise allowed or possible. This allows a site to set cookies that then would get sent to different and unrelated sites and domains. It could do this by exploiting a mixed case flaw in curl's function that verifies a given cookie domain against the Public Suffix List (PSL). For example a cookie could be set with `domain=co.UK` when the URL used a lower case hostname `curl.co.uk`, even though `co.uk` is listed as a PSL domain.Package Name: libcurl4 Installed Version: 7.81.0-1ubuntu1.14 Fixed Version: 7.81.0-1ubuntu1.15 References: access.redhat.com curl.se cve.mitre.org hackerone.com lists.debian.org lists.fedoraproject.org lists.fedoraproject.org nvd.nist.gov security.netapp.com ubuntu.com www.cve.org www.debian.org |
|
| MEDIUM |
CVE-2023-5981: gnutls: timing side-channel in the RSA-PSK authenticationA vulnerability was found that the response times to malformed ciphertexts in RSA-PSK ClientKeyExchange differ from response times of ciphertexts with correct PKCS#1 v1.5 padding.Package Name: libgnutls30 Installed Version: 3.7.3-4ubuntu1.2 Fixed Version: 3.7.3-4ubuntu1.3 References: www.openwall.com access.redhat.com access.redhat.com access.redhat.com access.redhat.com access.redhat.com access.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com cve.mitre.org errata.almalinux.org errata.rockylinux.org gnutls.org linux.oracle.com linux.oracle.com lists.fedoraproject.org lists.fedoraproject.org lists.gnupg.org nvd.nist.gov ubuntu.com ubuntu.com www.cve.org |
|
| MEDIUM |
CVE-2024-0553: gnutls: incomplete fix for CVE-2023-5981A vulnerability was found in GnuTLS. The response times to malformed ciphertexts in RSA-PSK ClientKeyExchange differ from the response times of ciphertexts with correct PKCS#1 v1.5 padding. This issue may allow a remote attacker to perform a timing side-channel attack in the RSA-PSK key exchange, potentially leading to the leakage of sensitive data. CVE-2024-0553 is designated as an incomplete resolution for CVE-2023-5981.Package Name: libgnutls30 Installed Version: 3.7.3-4ubuntu1.2 Fixed Version: 3.7.3-4ubuntu1.4 References: www.openwall.com access.redhat.com access.redhat.com access.redhat.com access.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com cve.mitre.org errata.almalinux.org errata.rockylinux.org gitlab.com gnutls.org linux.oracle.com linux.oracle.com lists.fedoraproject.org lists.fedoraproject.org lists.gnupg.org nvd.nist.gov security.netapp.com ubuntu.com www.cve.org |
|
| MEDIUM |
CVE-2024-0567: gnutls: rejects certificate chain with distributed trustA vulnerability was found in GnuTLS, where a cockpit (which uses gnuTLS) rejects a certificate chain with distributed trust. This issue occurs when validating a certificate chain with cockpit-certificate-ensure. This flaw allows an unauthenticated, remote client or attacker to initiate a denial of service attack.Package Name: libgnutls30 Installed Version: 3.7.3-4ubuntu1.2 Fixed Version: 3.7.3-4ubuntu1.4 References: www.openwall.com access.redhat.com access.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com cve.mitre.org errata.almalinux.org gitlab.com gnutls.org linux.oracle.com linux.oracle.com lists.fedoraproject.org lists.fedoraproject.org lists.gnupg.org nvd.nist.gov security.netapp.com ubuntu.com www.cve.org |
|
| MEDIUM |
CVE-2020-22916: Denial of service via decompression of crafted fileAn issue discovered in XZ 5.2.5 allows attackers to cause a denial of service via decompression of a crafted file. NOTE: the vendor disputes the claims of "endless output" and "denial of service" because decompression of the 17,486 bytes always results in 114,881,179 bytes, which is often a reasonable size increase.Package Name: liblzma5 Installed Version: 5.2.5-2ubuntu1 Fixed Version: References: web.archive.org access.redhat.com bugzilla.redhat.com bugzilla.suse.com cve.mitre.org github.com github.com nvd.nist.gov security-tracker.debian.org tukaani.org www.cve.org |
|
| MEDIUM |
CVE-2024-22365: pam: allowing unpriledged user to block another user namespacelinux-pam (aka Linux PAM) before 1.6.0 allows attackers to cause a denial of service (blocked login process) via mkfifo because the openat call (for protect_dir) lacks O_DIRECTORY.Package Name: libpam-modules Installed Version: 1.4.0-11ubuntu2.3 Fixed Version: 1.4.0-11ubuntu2.4 References: www.openwall.com access.redhat.com cve.mitre.org github.com github.com github.com nvd.nist.gov ubuntu.com www.cve.org www.openwall.com |
|
| MEDIUM |
CVE-2024-22365: pam: allowing unpriledged user to block another user namespacelinux-pam (aka Linux PAM) before 1.6.0 allows attackers to cause a denial of service (blocked login process) via mkfifo because the openat call (for protect_dir) lacks O_DIRECTORY.Package Name: libpam-modules-bin Installed Version: 1.4.0-11ubuntu2.3 Fixed Version: 1.4.0-11ubuntu2.4 References: www.openwall.com access.redhat.com cve.mitre.org github.com github.com github.com nvd.nist.gov ubuntu.com www.cve.org www.openwall.com |
|
| MEDIUM |
CVE-2024-22365: pam: allowing unpriledged user to block another user namespacelinux-pam (aka Linux PAM) before 1.6.0 allows attackers to cause a denial of service (blocked login process) via mkfifo because the openat call (for protect_dir) lacks O_DIRECTORY.Package Name: libpam-runtime Installed Version: 1.4.0-11ubuntu2.3 Fixed Version: 1.4.0-11ubuntu2.4 References: www.openwall.com access.redhat.com cve.mitre.org github.com github.com github.com nvd.nist.gov ubuntu.com www.cve.org www.openwall.com |
|
| MEDIUM |
CVE-2024-22365: pam: allowing unpriledged user to block another user namespacelinux-pam (aka Linux PAM) before 1.6.0 allows attackers to cause a denial of service (blocked login process) via mkfifo because the openat call (for protect_dir) lacks O_DIRECTORY.Package Name: libpam0g Installed Version: 1.4.0-11ubuntu2.3 Fixed Version: 1.4.0-11ubuntu2.4 References: www.openwall.com access.redhat.com cve.mitre.org github.com github.com github.com nvd.nist.gov ubuntu.com www.cve.org www.openwall.com |
|
| MEDIUM |
CVE-2023-48795: ssh: Prefix truncation attack on Binary Packet Protocol (BPP)The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in chacha20-poly1305@openssh.com and (if CBC is used) the -etm@openssh.com MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 
0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust.Package Name: libssh-4 Installed Version: 0.9.6-2ubuntu0.22.04.1 Fixed Version: 0.9.6-2ubuntu0.22.04.2 References: packetstormsecurity.com www.openwall.com www.openwall.com www.openwall.com access.redhat.com access.redhat.com access.redhat.com arstechnica.com arstechnica.com bugs.gentoo.org bugzilla.redhat.com bugzilla.redhat.com bugzilla.suse.com crates.io cve.mitre.org errata.almalinux.org errata.rockylinux.org filezilla-project.org forum.netgate.com git.libssh.org github.com github.com github.com github.com github.com github.com github.com github.com github.com github.com github.com github.com github.com github.com github.com github.com github.com github.com github.com github.com github.com github.com github.com github.com github.com github.com github.com github.com github.com github.com github.com github.com github.com github.com github.com github.com github.com github.com github.com github.com gitlab.com go.dev go.dev groups.google.com groups.google.com help.panic.com help.panic.com jadaptive.com jadaptive.com linux.oracle.com linux.oracle.com lists.debian.org lists.debian.org lists.debian.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org 
lists.fedoraproject.org lists.fedoraproject.org matt.ucc.asn.au nest.pijul.com news.ycombinator.com news.ycombinator.com news.ycombinator.com nova.app nvd.nist.gov oryx-embedded.com psirt.global.sonicwall.com roumenpetrov.info security-tracker.debian.org security-tracker.debian.org security-tracker.debian.org security-tracker.debian.org security.gentoo.org security.gentoo.org security.netapp.com security.netapp.com terrapin-attack.com thorntech.com thorntech.com twitter.com ubuntu.com ubuntu.com ubuntu.com ubuntu.com ubuntu.com ubuntu.com ubuntu.com winscp.net www.bitvise.com www.bitvise.com www.chiark.greenend.org.uk www.crushftp.com www.cve.org www.debian.org www.debian.org www.freebsd.org www.lancom-systems.de www.netsarang.com www.netsarang.com www.openssh.com www.openssh.com www.openwall.com www.openwall.com www.openwall.com www.paramiko.org www.reddit.com www.reddit.com www.suse.com www.suse.com www.terrapin-attack.com www.theregister.com www.vandyke.com |
|
| MEDIUM |
CVE-2023-6004: libssh: ProxyCommand/ProxyJump features allow injection of malicious code through hostnameA flaw was found in libssh. By utilizing the ProxyCommand or ProxyJump feature, users can exploit unchecked hostname syntax on the client. This issue may allow an attacker to inject malicious code into the command of the features mentioned through the hostname parameter.Package Name: libssh-4 Installed Version: 0.9.6-2ubuntu0.22.04.1 Fixed Version: 0.9.6-2ubuntu0.22.04.3 References: access.redhat.com bugzilla.redhat.com cve.mitre.org lists.fedoraproject.org nvd.nist.gov ubuntu.com ubuntu.com vin01.github.io www.cve.org www.libssh.org |
|
| MEDIUM |
CVE-2023-6918: libssh: Missing checks for return values for digestsA flaw was found in the libssh implements abstract layer for message digest (MD) operations implemented by different supported crypto backends. The return values from these were not properly checked, which could cause low-memory situations failures, NULL dereferences, crashes, or usage of the uninitialized memory as an input for the KDF. In this case, non-matching keys will result in decryption/integrity failures, terminating the connection.Package Name: libssh-4 Installed Version: 0.9.6-2ubuntu0.22.04.1 Fixed Version: 0.9.6-2ubuntu0.22.04.3 References: access.redhat.com bugzilla.redhat.com cve.mitre.org lists.fedoraproject.org lists.fedoraproject.org nvd.nist.gov ubuntu.com ubuntu.com www.cve.org www.libssh.org www.libssh.org |
|
| MEDIUM |
CVE-2023-47038: perl: Write past buffer end via illegal user-defined Unicode propertyA vulnerability was found in perl. This issue occurs when a crafted regular expression is compiled by perl, which can allow an attacker controlled byte buffer overflow in a heap allocated buffer.Package Name: perl-base Installed Version: 5.34.0-3ubuntu1.2 Fixed Version: 5.34.0-3ubuntu1.3 References: access.redhat.com bugs.debian.org bugzilla.redhat.com cve.mitre.org lists.fedoraproject.org nvd.nist.gov ubuntu.com www.cve.org |
|
| MEDIUM |
CVE-2023-39804: tar: Incorrectly handled extension attributes in PAX archives can lead to a crashA flaw was found in tar. This issue occurs when extended attributes are processed in PAX archives, and could allow an attacker to cause an application crash, resulting in a denial of service.Package Name: tar Installed Version: 1.34+dfsg-1ubuntu0.1.22.04.1 Fixed Version: 1.34+dfsg-1ubuntu0.1.22.04.2 References: access.redhat.com cve.mitre.org git.savannah.gnu.org nvd.nist.gov ubuntu.com www.cve.org |
|
| LOW |
CVE-2022-3715: a heap-buffer-overflow in valid_parameter_transformA flaw was found in the bash package, where a heap-buffer overflow can occur in valid parameter_transform. This issue may lead to memory problems.Package Name: bash Installed Version: 5.1-6ubuntu1 Fixed Version: References: access.redhat.com access.redhat.com bugzilla.redhat.com bugzilla.redhat.com cve.mitre.org errata.almalinux.org errata.rockylinux.org linux.oracle.com linux.oracle.com lists.gnu.org nvd.nist.gov www.cve.org |
|
| LOW |
CVE-2016-2781: coreutils: Non-privileged session can escape to the parent session in chrootchroot in GNU coreutils, when used with --userspec, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.Package Name: coreutils Installed Version: 8.32-4.1ubuntu1 Fixed Version: References: seclists.org www.openwall.com www.openwall.com access.redhat.com cve.mitre.org lists.apache.org lore.kernel.org nvd.nist.gov www.cve.org |
|
| LOW |
CVE-2022-27943: libiberty/rust-demangle.c in GNU GCC 11.2 allows stack exhaustion in demangle_constlibiberty/rust-demangle.c in GNU GCC 11.2 allows stack consumption in demangle_const, as demonstrated by nm-new.Package Name: gcc-12-base Installed Version: 12.3.0-1ubuntu1~22.04 Fixed Version: References: access.redhat.com cve.mitre.org gcc.gnu.org gcc.gnu.org gcc.gnu.org gcc.gnu.org gcc.gnu.org lists.fedoraproject.org nvd.nist.gov sourceware.org www.cve.org |
|
| LOW |
CVE-2022-3219: denial of service issue (resource consumption) using compressed packetsGnuPG can be made to spin on a relatively small input by (for example) crafting a public key with thousands of signatures attached, compressed down to just a few KB.Package Name: gpgv Installed Version: 2.2.27-3ubuntu2.1 Fixed Version: References: access.redhat.com bugzilla.redhat.com cve.mitre.org dev.gnupg.org dev.gnupg.org marc.info nvd.nist.gov security.netapp.com www.cve.org |
|
| LOW |
CVE-2016-20013sha256crypt and sha512crypt through 0.6 allow attackers to cause a denial of service (CPU consumption) because the algorithm's runtime is proportional to the square of the length of the password.Package Name: libc-bin Installed Version: 2.35-0ubuntu3.4 Fixed Version: References: akkadia.org cve.mitre.org pthree.org twitter.com |
|
| LOW |
CVE-2023-4806: glibc: potential use-after-free in getaddrinfo()A flaw was found in glibc. In an extremely rare situation, the getaddrinfo function may access memory that has been freed, resulting in an application crash. This issue is only exploitable when a NSS module implements only the _nss_*_gethostbyname2_r and _nss_*_getcanonname_r hooks without implementing the _nss_*_gethostbyname3_r hook. The resolved name should return a large number of IPv6 and IPv4, and the call to the getaddrinfo function should have the AF_INET6 address family with AI_CANONNAME, AI_ALL and AI_V4MAPPED as flags.Package Name: libc-bin Installed Version: 2.35-0ubuntu3.4 Fixed Version: 2.35-0ubuntu3.5 References: www.openwall.com www.openwall.com www.openwall.com www.openwall.com access.redhat.com access.redhat.com access.redhat.com access.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com cve.mitre.org cve.mitre.org cve.mitre.org cve.mitre.org errata.almalinux.org errata.rockylinux.org linux.oracle.com linux.oracle.com lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org nvd.nist.gov security.gentoo.org security.netapp.com ubuntu.com ubuntu.com www.cve.org |
|
| LOW |
CVE-2023-4813: glibc: potential use-after-free in gaih_inet()A flaw was found in glibc. In an uncommon situation, the gaih_inet function may use memory that has been freed, resulting in an application crash. This issue is only exploitable when the getaddrinfo function is called and the hosts database in /etc/nsswitch.conf is configured with SUCCESS=continue or SUCCESS=merge.Package Name: libc-bin Installed Version: 2.35-0ubuntu3.4 Fixed Version: 2.35-0ubuntu3.5 References: www.openwall.com access.redhat.com access.redhat.com access.redhat.com access.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com cve.mitre.org cve.mitre.org cve.mitre.org cve.mitre.org errata.almalinux.org errata.rockylinux.org linux.oracle.com linux.oracle.com nvd.nist.gov security.netapp.com ubuntu.com ubuntu.com www.cve.org |
|
Severity: LOW
CVE-2016-20013
sha256crypt and sha512crypt through 0.6 allow attackers to cause a denial of service (CPU consumption) because the algorithm's runtime is proportional to the square of the length of the password.
Package Name: libc6
Installed Version: 2.35-0ubuntu3.4
Fixed Version:
References: akkadia.org cve.mitre.org pthree.org twitter.com

Severity: LOW
CVE-2023-4806: glibc: potential use-after-free in getaddrinfo()
A flaw was found in glibc. In an extremely rare situation, the getaddrinfo function may access memory that has been freed, resulting in an application crash. This issue is only exploitable when a NSS module implements only the _nss_*_gethostbyname2_r and _nss_*_getcanonname_r hooks without implementing the _nss_*_gethostbyname3_r hook. The resolved name should return a large number of IPv6 and IPv4, and the call to the getaddrinfo function should have the AF_INET6 address family with AI_CANONNAME, AI_ALL and AI_V4MAPPED as flags.
Package Name: libc6
Installed Version: 2.35-0ubuntu3.4
Fixed Version: 2.35-0ubuntu3.5
References: www.openwall.com www.openwall.com www.openwall.com www.openwall.com access.redhat.com access.redhat.com access.redhat.com access.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com cve.mitre.org cve.mitre.org cve.mitre.org cve.mitre.org errata.almalinux.org errata.rockylinux.org linux.oracle.com linux.oracle.com lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org nvd.nist.gov security.gentoo.org security.netapp.com ubuntu.com ubuntu.com www.cve.org

Severity: LOW
CVE-2023-4813: glibc: potential use-after-free in gaih_inet()
A flaw was found in glibc. In an uncommon situation, the gaih_inet function may use memory that has been freed, resulting in an application crash. This issue is only exploitable when the getaddrinfo function is called and the hosts database in /etc/nsswitch.conf is configured with SUCCESS=continue or SUCCESS=merge.
Package Name: libc6
Installed Version: 2.35-0ubuntu3.4
Fixed Version: 2.35-0ubuntu3.5
References: www.openwall.com access.redhat.com access.redhat.com access.redhat.com access.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com cve.mitre.org cve.mitre.org cve.mitre.org cve.mitre.org errata.almalinux.org errata.rockylinux.org linux.oracle.com linux.oracle.com nvd.nist.gov security.netapp.com ubuntu.com ubuntu.com www.cve.org

Severity: LOW
CVE-2022-27943: libiberty/rust-demangle.c in GNU GCC 11.2 allows stack exhaustion in demangle_const
libiberty/rust-demangle.c in GNU GCC 11.2 allows stack consumption in demangle_const, as demonstrated by nm-new.
Package Name: libgcc-s1
Installed Version: 12.3.0-1ubuntu1~22.04
Fixed Version:
References: access.redhat.com cve.mitre.org gcc.gnu.org gcc.gnu.org gcc.gnu.org gcc.gnu.org gcc.gnu.org lists.fedoraproject.org nvd.nist.gov sourceware.org www.cve.org

Severity: LOW
CVE-2023-2953: null pointer dereference in ber_memalloc_x function
A vulnerability was found in openldap. This security flaw causes a null pointer dereference in ber_memalloc_x() function.
Package Name: libldap-2.5-0
Installed Version: 2.5.16+dfsg-0ubuntu0.22.04.1
Fixed Version: 2.5.16+dfsg-0ubuntu0.22.04.2
References: seclists.org seclists.org seclists.org access.redhat.com bugs.openldap.org cve.mitre.org nvd.nist.gov security.netapp.com support.apple.com support.apple.com support.apple.com ubuntu.com ubuntu.com www.cve.org

Severity: LOW
CVE-2023-2953: null pointer dereference in ber_memalloc_x function
A vulnerability was found in openldap. This security flaw causes a null pointer dereference in ber_memalloc_x() function.
Package Name: libldap-common
Installed Version: 2.5.16+dfsg-0ubuntu0.22.04.1
Fixed Version: 2.5.16+dfsg-0ubuntu0.22.04.2
References: seclists.org seclists.org seclists.org access.redhat.com bugs.openldap.org cve.mitre.org nvd.nist.gov security.netapp.com support.apple.com support.apple.com support.apple.com ubuntu.com ubuntu.com www.cve.org

Severity: LOW
CVE-2023-50495: ncurses: segmentation fault via _nc_wrap_entry()
NCurse v6.4-20230418 was discovered to contain a segmentation fault via the component _nc_wrap_entry().
Package Name: libncurses6
Installed Version: 6.3-2ubuntu0.1
Fixed Version:
References: access.redhat.com cve.mitre.org lists.fedoraproject.org lists.gnu.org lists.gnu.org nvd.nist.gov security.netapp.com www.cve.org

Severity: LOW
CVE-2023-50495: ncurses: segmentation fault via _nc_wrap_entry()
NCurse v6.4-20230418 was discovered to contain a segmentation fault via the component _nc_wrap_entry().
Package Name: libncursesw6
Installed Version: 6.3-2ubuntu0.1
Fixed Version:
References: access.redhat.com cve.mitre.org lists.fedoraproject.org lists.gnu.org lists.gnu.org nvd.nist.gov security.netapp.com www.cve.org

Severity: LOW
CVE-2017-11164: OP_KETRMAX feature in the match function in pcre_exec.c
In PCRE 8.41, the OP_KETRMAX feature in the match function in pcre_exec.c allows stack exhaustion (uncontrolled recursion) when processing a crafted regular expression.
Package Name: libpcre3
Installed Version: 2:8.39-13ubuntu0.22.04.1
Fixed Version:
References: openwall.com www.openwall.com www.openwall.com www.securityfocus.com access.redhat.com cve.mitre.org lists.apache.org nvd.nist.gov www.cve.org

Severity: LOW
CVE-2023-5678: openssl: Generating excessively long X9.42 DH keys or checking excessively long X9.42 DH keys or parameters may be very slow
Issue summary: Generating excessively long X9.42 DH keys or checking excessively long X9.42 DH keys or parameters may be very slow. Impact summary: Applications that use the functions DH_generate_key() to generate an X9.42 DH key may experience long delays. Likewise, applications that use DH_check_pub_key(), DH_check_pub_key_ex() or EVP_PKEY_public_check() to check an X9.42 DH key or X9.42 DH parameters may experience long delays. Where the key or parameters that are being checked have been obtained from an untrusted source this may lead to a Denial of Service. While DH_check() performs all the necessary checks (as of CVE-2023-3817), DH_check_pub_key() doesn't make any of these checks, and is therefore vulnerable for excessively large P and Q parameters. Likewise, while DH_generate_key() performs a check for an excessively large P, it doesn't check for an excessively large Q. An application that calls DH_generate_key() or DH_check_pub_key() and supplies a key or parameters obtained from an untrusted source could be vulnerable to a Denial of Service attack. DH_generate_key() and DH_check_pub_key() are also called by a number of other OpenSSL functions. An application calling any of those other functions may similarly be affected. The other functions affected by this are DH_check_pub_key_ex(), EVP_PKEY_public_check(), and EVP_PKEY_generate(). Also vulnerable are the OpenSSL pkey command line application when using the "-pubcheck" option, as well as the OpenSSL genpkey command line application. The OpenSSL SSL/TLS implementation is not affected by this issue. The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.
Package Name: libssl3
Installed Version: 3.0.2-0ubuntu1.12
Fixed Version: 3.0.2-0ubuntu1.14
References: access.redhat.com access.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com cve.mitre.org errata.almalinux.org git.openssl.org git.openssl.org git.openssl.org git.openssl.org linux.oracle.com linux.oracle.com nvd.nist.gov security.netapp.com ubuntu.com ubuntu.com www.cve.org www.openssl.org

Severity: LOW
CVE-2023-6129: openssl: POLY1305 MAC implementation corrupts vector registers on PowerPC
Issue summary: The POLY1305 MAC (message authentication code) implementation contains a bug that might corrupt the internal state of applications running on PowerPC CPU based platforms if the CPU provides vector instructions. Impact summary: If an attacker can influence whether the POLY1305 MAC algorithm is used, the application state might be corrupted with various application dependent consequences. The POLY1305 MAC (message authentication code) implementation in OpenSSL for PowerPC CPUs restores the contents of vector registers in a different order than they are saved. Thus the contents of some of these vector registers are corrupted when returning to the caller. The vulnerable code is used only on newer PowerPC processors supporting the PowerISA 2.07 instructions. The consequences of this kind of internal application state corruption can be various - from no consequences, if the calling application does not depend on the contents of non-volatile XMM registers at all, to the worst consequences, where the attacker could get complete control of the application process. However unless the compiler uses the vector registers for storing pointers, the most likely consequence, if any, would be an incorrect result of some application dependent calculations or a crash leading to a denial of service. The POLY1305 MAC algorithm is most frequently used as part of the CHACHA20-POLY1305 AEAD (authenticated encryption with associated data) algorithm. The most common usage of this AEAD cipher is with TLS protocol versions 1.2 and 1.3. If this cipher is enabled on the server a malicious client can influence whether this AEAD cipher is used. This implies that TLS server applications using OpenSSL can be potentially impacted. However we are currently not aware of any concrete application that would be affected by this issue therefore we consider this a Low severity security issue.
Package Name: libssl3
Installed Version: 3.0.2-0ubuntu1.12
Fixed Version: 3.0.2-0ubuntu1.14
References: access.redhat.com cve.mitre.org github.com github.com github.com nvd.nist.gov ubuntu.com www.cve.org www.openssl.org www.openwall.com

Severity: LOW
CVE-2023-6237: openssl: Excessive time spent checking invalid RSA public keys
A flaw was found in OpenSSL. When the EVP_PKEY_public_check() function is called in RSA public keys, a computation is done to confirm that the RSA modulus, n, is composite. For valid RSA keys, n is a product of two or more large primes and this computation completes quickly. However, if n is a large prime, this computation takes a long time. An application that calls EVP_PKEY_public_check() and supplies an RSA key obtained from an untrusted source could be vulnerable to a Denial of Service attack.
Package Name: libssl3
Installed Version: 3.0.2-0ubuntu1.12
Fixed Version: 3.0.2-0ubuntu1.14
References: access.redhat.com cve.mitre.org nvd.nist.gov ubuntu.com www.cve.org www.openssl.org www.openwall.com

Severity: LOW
CVE-2024-0727: openssl: denial of service via null dereference
Issue summary: Processing a maliciously formatted PKCS12 file may lead OpenSSL to crash leading to a potential Denial of Service attack. Impact summary: Applications loading files in the PKCS12 format from untrusted sources might terminate abruptly. A file in PKCS12 format can contain certificates and keys and may come from an untrusted source. The PKCS12 specification allows certain fields to be NULL, but OpenSSL does not correctly check for this case. This can lead to a NULL pointer dereference that results in OpenSSL crashing. If an application processes PKCS12 files from an untrusted source using the OpenSSL APIs then that application will be vulnerable to this issue. OpenSSL APIs that are vulnerable to this are: PKCS12_parse(), PKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes() and PKCS12_newpass(). We have also fixed a similar issue in SMIME_write_PKCS7(). However since this function is related to writing data we do not consider it security significant. The FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue.
Package Name: libssl3
Installed Version: 3.0.2-0ubuntu1.12
Fixed Version: 3.0.2-0ubuntu1.14
References: access.redhat.com cve.mitre.org github.com github.com github.com github.com github.openssl.org github.openssl.org nvd.nist.gov security.netapp.com ubuntu.com ubuntu.com www.cve.org www.openssl.org

Severity: LOW
CVE-2022-27943: libiberty/rust-demangle.c in GNU GCC 11.2 allows stack exhaustion in demangle_const
libiberty/rust-demangle.c in GNU GCC 11.2 allows stack consumption in demangle_const, as demonstrated by nm-new.
Package Name: libstdc++6
Installed Version: 12.3.0-1ubuntu1~22.04
Fixed Version:
References: access.redhat.com cve.mitre.org gcc.gnu.org gcc.gnu.org gcc.gnu.org gcc.gnu.org gcc.gnu.org lists.fedoraproject.org nvd.nist.gov sourceware.org www.cve.org

Severity: LOW
CVE-2023-7008: systemd-resolved: Unsigned name response in signed zone is not refused when DNSSEC=yes
A vulnerability was found in systemd-resolved. This issue may allow systemd-resolved to accept records of DNSSEC-signed domains even when they have no signature, allowing man-in-the-middles (or the upstream DNS resolver) to manipulate records.
Package Name: libsystemd0
Installed Version: 249.11-0ubuntu3.11
Fixed Version:
References: access.redhat.com bugzilla.redhat.com bugzilla.redhat.com cve.mitre.org github.com lists.fedoraproject.org lists.fedoraproject.org nvd.nist.gov www.cve.org

Severity: LOW
CVE-2023-50495: ncurses: segmentation fault via _nc_wrap_entry()
NCurse v6.4-20230418 was discovered to contain a segmentation fault via the component _nc_wrap_entry().
Package Name: libtinfo6
Installed Version: 6.3-2ubuntu0.1
Fixed Version:
References: access.redhat.com cve.mitre.org lists.fedoraproject.org lists.gnu.org lists.gnu.org nvd.nist.gov security.netapp.com www.cve.org

Severity: LOW
CVE-2023-7008: systemd-resolved: Unsigned name response in signed zone is not refused when DNSSEC=yes
A vulnerability was found in systemd-resolved. This issue may allow systemd-resolved to accept records of DNSSEC-signed domains even when they have no signature, allowing man-in-the-middles (or the upstream DNS resolver) to manipulate records.
Package Name: libudev1
Installed Version: 249.11-0ubuntu3.11
Fixed Version:
References: access.redhat.com bugzilla.redhat.com bugzilla.redhat.com cve.mitre.org github.com lists.fedoraproject.org lists.fedoraproject.org nvd.nist.gov www.cve.org

Severity: LOW
CVE-2022-4899: zstd: mysql: buffer overrun in util.c
A vulnerability was found in zstd v1.4.10, where an attacker can supply empty string as an argument to the command line tool to cause buffer overrun.
Package Name: libzstd1
Installed Version: 1.4.8+dfsg-3build1
Fixed Version:
References: access.redhat.com cve.mitre.org github.com github.com github.com github.com github.com lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org nvd.nist.gov security.netapp.com www.cve.org

Severity: LOW
CVE-2023-29383: Improper input validation in shadow-utils package utility chfn
In Shadow 4.13, it is possible to inject control characters into fields provided to the SUID program chfn (change finger). Although it is not possible to exploit this directly (e.g., adding a new user fails because \n is in the block list), it is possible to misrepresent the /etc/passwd file when viewed. Use of \r manipulations and Unicode characters to work around blocking of the : character make it possible to give the impression that a new user has been added. In other words, an adversary may be able to convince a system administrator to take the system offline (an indirect, social-engineered denial of service) by demonstrating that "cat /etc/passwd" shows a rogue user account.
Package Name: login
Installed Version: 1:4.8.1-2ubuntu2.1
Fixed Version:
References: access.redhat.com cve.mitre.org github.com github.com nvd.nist.gov www.cve.org www.trustwave.com www.trustwave.com

Severity: LOW
CVE-2023-4641: shadow-utils: possible password leak during passwd(1) change
A flaw was found in shadow-utils. When asking for a new password, shadow-utils asks the password twice. If the password fails on the second attempt, shadow-utils fails in cleaning the buffer used to store the first entry. This may allow an attacker with enough access to retrieve the password from the memory.
Package Name: login
Installed Version: 1:4.8.1-2ubuntu2.1
Fixed Version:
References: access.redhat.com access.redhat.com access.redhat.com bugzilla.redhat.com bugzilla.redhat.com cve.mitre.org errata.almalinux.org linux.oracle.com linux.oracle.com nvd.nist.gov www.cve.org

Severity: LOW
CVE-2023-50495: ncurses: segmentation fault via _nc_wrap_entry()
NCurse v6.4-20230418 was discovered to contain a segmentation fault via the component _nc_wrap_entry().
Package Name: ncurses-base
Installed Version: 6.3-2ubuntu0.1
Fixed Version:
References: access.redhat.com cve.mitre.org lists.fedoraproject.org lists.gnu.org lists.gnu.org nvd.nist.gov security.netapp.com www.cve.org

Severity: LOW
CVE-2023-50495: ncurses: segmentation fault via _nc_wrap_entry()
NCurse v6.4-20230418 was discovered to contain a segmentation fault via the component _nc_wrap_entry().
Package Name: ncurses-bin
Installed Version: 6.3-2ubuntu0.1
Fixed Version:
References: access.redhat.com cve.mitre.org lists.fedoraproject.org lists.gnu.org lists.gnu.org nvd.nist.gov security.netapp.com www.cve.org

Severity: LOW
CVE-2023-5678: openssl: Generating excessively long X9.42 DH keys or checking excessively long X9.42 DH keys or parameters may be very slow
Issue summary: Generating excessively long X9.42 DH keys or checking excessively long X9.42 DH keys or parameters may be very slow. Impact summary: Applications that use the functions DH_generate_key() to generate an X9.42 DH key may experience long delays. Likewise, applications that use DH_check_pub_key(), DH_check_pub_key_ex() or EVP_PKEY_public_check() to check an X9.42 DH key or X9.42 DH parameters may experience long delays. Where the key or parameters that are being checked have been obtained from an untrusted source this may lead to a Denial of Service. While DH_check() performs all the necessary checks (as of CVE-2023-3817), DH_check_pub_key() doesn't make any of these checks, and is therefore vulnerable for excessively large P and Q parameters. Likewise, while DH_generate_key() performs a check for an excessively large P, it doesn't check for an excessively large Q. An application that calls DH_generate_key() or DH_check_pub_key() and supplies a key or parameters obtained from an untrusted source could be vulnerable to a Denial of Service attack. DH_generate_key() and DH_check_pub_key() are also called by a number of other OpenSSL functions. An application calling any of those other functions may similarly be affected. The other functions affected by this are DH_check_pub_key_ex(), EVP_PKEY_public_check(), and EVP_PKEY_generate(). Also vulnerable are the OpenSSL pkey command line application when using the "-pubcheck" option, as well as the OpenSSL genpkey command line application. The OpenSSL SSL/TLS implementation is not affected by this issue. The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.
Package Name: openssl
Installed Version: 3.0.2-0ubuntu1.12
Fixed Version: 3.0.2-0ubuntu1.14
References: access.redhat.com access.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com cve.mitre.org errata.almalinux.org git.openssl.org git.openssl.org git.openssl.org git.openssl.org linux.oracle.com linux.oracle.com nvd.nist.gov security.netapp.com ubuntu.com ubuntu.com www.cve.org www.openssl.org

Severity: LOW
CVE-2023-6129: openssl: POLY1305 MAC implementation corrupts vector registers on PowerPC
Issue summary: The POLY1305 MAC (message authentication code) implementation contains a bug that might corrupt the internal state of applications running on PowerPC CPU based platforms if the CPU provides vector instructions. Impact summary: If an attacker can influence whether the POLY1305 MAC algorithm is used, the application state might be corrupted with various application dependent consequences. The POLY1305 MAC (message authentication code) implementation in OpenSSL for PowerPC CPUs restores the contents of vector registers in a different order than they are saved. Thus the contents of some of these vector registers are corrupted when returning to the caller. The vulnerable code is used only on newer PowerPC processors supporting the PowerISA 2.07 instructions. The consequences of this kind of internal application state corruption can be various - from no consequences, if the calling application does not depend on the contents of non-volatile XMM registers at all, to the worst consequences, where the attacker could get complete control of the application process. However unless the compiler uses the vector registers for storing pointers, the most likely consequence, if any, would be an incorrect result of some application dependent calculations or a crash leading to a denial of service. The POLY1305 MAC algorithm is most frequently used as part of the CHACHA20-POLY1305 AEAD (authenticated encryption with associated data) algorithm. The most common usage of this AEAD cipher is with TLS protocol versions 1.2 and 1.3. If this cipher is enabled on the server a malicious client can influence whether this AEAD cipher is used. This implies that TLS server applications using OpenSSL can be potentially impacted. However we are currently not aware of any concrete application that would be affected by this issue therefore we consider this a Low severity security issue.
Package Name: openssl
Installed Version: 3.0.2-0ubuntu1.12
Fixed Version: 3.0.2-0ubuntu1.14
References: access.redhat.com cve.mitre.org github.com github.com github.com nvd.nist.gov ubuntu.com www.cve.org www.openssl.org www.openwall.com

Severity: LOW
CVE-2023-6237: openssl: Excessive time spent checking invalid RSA public keys
A flaw was found in OpenSSL. When the EVP_PKEY_public_check() function is called in RSA public keys, a computation is done to confirm that the RSA modulus, n, is composite. For valid RSA keys, n is a product of two or more large primes and this computation completes quickly. However, if n is a large prime, this computation takes a long time. An application that calls EVP_PKEY_public_check() and supplies an RSA key obtained from an untrusted source could be vulnerable to a Denial of Service attack.
Package Name: openssl
Installed Version: 3.0.2-0ubuntu1.12
Fixed Version: 3.0.2-0ubuntu1.14
References: access.redhat.com cve.mitre.org nvd.nist.gov ubuntu.com www.cve.org www.openssl.org www.openwall.com

Severity: LOW
CVE-2024-0727: openssl: denial of service via null dereference
Issue summary: Processing a maliciously formatted PKCS12 file may lead OpenSSL to crash leading to a potential Denial of Service attack. Impact summary: Applications loading files in the PKCS12 format from untrusted sources might terminate abruptly. A file in PKCS12 format can contain certificates and keys and may come from an untrusted source. The PKCS12 specification allows certain fields to be NULL, but OpenSSL does not correctly check for this case. This can lead to a NULL pointer dereference that results in OpenSSL crashing. If an application processes PKCS12 files from an untrusted source using the OpenSSL APIs then that application will be vulnerable to this issue. OpenSSL APIs that are vulnerable to this are: PKCS12_parse(), PKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes() and PKCS12_newpass(). We have also fixed a similar issue in SMIME_write_PKCS7(). However since this function is related to writing data we do not consider it security significant. The FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue.
Package Name: openssl
Installed Version: 3.0.2-0ubuntu1.12
Fixed Version: 3.0.2-0ubuntu1.14
References: access.redhat.com cve.mitre.org github.com github.com github.com github.com github.openssl.org github.openssl.org nvd.nist.gov security.netapp.com ubuntu.com ubuntu.com www.cve.org www.openssl.org

Severity: LOW
CVE-2023-29383: Improper input validation in shadow-utils package utility chfn
In Shadow 4.13, it is possible to inject control characters into fields provided to the SUID program chfn (change finger). Although it is not possible to exploit this directly (e.g., adding a new user fails because \n is in the block list), it is possible to misrepresent the /etc/passwd file when viewed. Use of \r manipulations and Unicode characters to work around blocking of the : character make it possible to give the impression that a new user has been added. In other words, an adversary may be able to convince a system administrator to take the system offline (an indirect, social-engineered denial of service) by demonstrating that "cat /etc/passwd" shows a rogue user account.
Package Name: passwd
Installed Version: 1:4.8.1-2ubuntu2.1
Fixed Version:
References: access.redhat.com cve.mitre.org github.com github.com nvd.nist.gov www.cve.org www.trustwave.com www.trustwave.com

Severity: LOW
CVE-2023-4641: shadow-utils: possible password leak during passwd(1) change
A flaw was found in shadow-utils. When asking for a new password, shadow-utils asks the password twice. If the password fails on the second attempt, shadow-utils fails in cleaning the buffer used to store the first entry. This may allow an attacker with enough access to retrieve the password from the memory.
Package Name: passwd
Installed Version: 1:4.8.1-2ubuntu2.1
Fixed Version:
References: access.redhat.com access.redhat.com access.redhat.com bugzilla.redhat.com bugzilla.redhat.com cve.mitre.org errata.almalinux.org linux.oracle.com linux.oracle.com nvd.nist.gov www.cve.org

Severity: LOW
CVE-2022-48522: perl: stack-based crash in S_find_uninit_var()
In Perl 5.34.0, function S_find_uninit_var in sv.c has a stack-based crash that can lead to remote code execution or local privilege escalation.
Package Name: perl-base
Installed Version: 5.34.0-3ubuntu1.2
Fixed Version: 5.34.0-3ubuntu1.3
References: access.redhat.com cve.mitre.org github.com github.com github.com nvd.nist.gov security.netapp.com ubuntu.com www.cve.org

Target: opt/eventstore/EventStore.ClusterNode.deps.json

Severity: HIGH
CVE-2019-0980: dotnet: infinite loop in Uri.TryCreate leading to ASP.Net Core Denial of Service
A denial of service vulnerability exists when .NET Framework or .NET Core improperly handle web requests, aka '.Net Framework and .Net Core Denial of Service Vulnerability'. This CVE ID is unique from CVE-2019-0820, CVE-2019-0981.
Package Name: System.Private.Uri
Installed Version: 4.3.0
Fixed Version: 4.3.2
References: access.redhat.com access.redhat.com github.com github.com linux.oracle.com linux.oracle.com nvd.nist.gov portal.msrc.microsoft.com portal.msrc.microsoft.com www.cve.org

Severity: HIGH
CVE-2019-0981: dotnet: crash in IPAddress.TryCreate leading to ASP.Net Core Denial of Service
A denial of service vulnerability exists when .NET Framework or .NET Core improperly handle web requests, aka '.Net Framework and .Net Core Denial of Service Vulnerability'. This CVE ID is unique from CVE-2019-0820, CVE-2019-0980.
Package Name: System.Private.Uri
Installed Version: 4.3.0
Fixed Version: 4.3.2
References: access.redhat.com access.redhat.com github.com github.com linux.oracle.com linux.oracle.com nvd.nist.gov portal.msrc.microsoft.com www.cve.org

Severity: MEDIUM
CVE-2019-0657: dotnet: Domain-spoofing attack in System.Uri
A vulnerability exists in certain .Net Framework API's and Visual Studio in the way they parse URL's, aka '.NET Framework and Visual Studio Spoofing Vulnerability'.
Package Name: System.Private.Uri
Installed Version: 4.3.0
Fixed Version: 4.3.2
References: www.securityfocus.com access.redhat.com access.redhat.com github.com github.com nvd.nist.gov portal.msrc.microsoft.com www.cve.org

You can embed a badge in another website that shows this or the latest version of this package.
To embed the badge for this specific package version, use one of the following:
Markdown:
[![This version of 'testdata' @ Cloudsmith](https://api.cloudsmith.com/v1/badges/version/eventstore/eventstore-utils/docker/testdata/24.2.0.0-nightly-focal/a=amd64;xpo=linux/?render=true)](https://cloudsmith.io/~eventstore/repos/eventstore-utils/packages/detail/docker/testdata/2d7f9ecd9ebadf2534f1eff0f3eafe4530e877dbdc2659e5050927bc489d7390/a=amd64;xpo=linux/)
reStructuredText:
|This version of 'testdata' @ Cloudsmith|
.. |This version of 'testdata' @ Cloudsmith| image:: https://api.cloudsmith.com/v1/badges/version/eventstore/eventstore-utils/docker/testdata/24.2.0.0-nightly-focal/a=amd64;xpo=linux/?render=true
   :target: https://cloudsmith.io/~eventstore/repos/eventstore-utils/packages/detail/docker/testdata/2d7f9ecd9ebadf2534f1eff0f3eafe4530e877dbdc2659e5050927bc489d7390/a=amd64;xpo=linux/
AsciiDoc:
image::https://api.cloudsmith.com/v1/badges/version/eventstore/eventstore-utils/docker/testdata/24.2.0.0-nightly-focal/a=amd64;xpo=linux/?render=true[link="https://cloudsmith.io/~eventstore/repos/eventstore-utils/packages/detail/docker/testdata/2d7f9ecd9ebadf2534f1eff0f3eafe4530e877dbdc2659e5050927bc489d7390/a=amd64;xpo=linux/",title="This version of 'testdata' @ Cloudsmith"]
HTML:
<a href="https://cloudsmith.io/~eventstore/repos/eventstore-utils/packages/detail/docker/testdata/2d7f9ecd9ebadf2534f1eff0f3eafe4530e877dbdc2659e5050927bc489d7390/a=amd64;xpo=linux/"><img src="https://api.cloudsmith.com/v1/badges/version/eventstore/eventstore-utils/docker/testdata/24.2.0.0-nightly-focal/a=amd64;xpo=linux/?render=true" alt="This version of 'testdata' @ Cloudsmith" /></a>
To embed the badge for the latest package version, use one of the following:
Markdown:
[![Latest version of 'testdata' @ Cloudsmith](https://api.cloudsmith.com/v1/badges/version/eventstore/eventstore-utils/docker/testdata/latest/a=amd64;xpo=linux/?render=true&show_latest=true)](https://cloudsmith.io/~eventstore/repos/eventstore-utils/packages/detail/docker/testdata/latest/a=amd64;xpo=linux/)
reStructuredText:
|Latest version of 'testdata' @ Cloudsmith|
.. |Latest version of 'testdata' @ Cloudsmith| image:: https://api.cloudsmith.com/v1/badges/version/eventstore/eventstore-utils/docker/testdata/latest/a=amd64;xpo=linux/?render=true&show_latest=true
   :target: https://cloudsmith.io/~eventstore/repos/eventstore-utils/packages/detail/docker/testdata/latest/a=amd64;xpo=linux/
AsciiDoc:
image::https://api.cloudsmith.com/v1/badges/version/eventstore/eventstore-utils/docker/testdata/latest/a=amd64;xpo=linux/?render=true&show_latest=true[link="https://cloudsmith.io/~eventstore/repos/eventstore-utils/packages/detail/docker/testdata/latest/a=amd64;xpo=linux/",title="Latest version of 'testdata' @ Cloudsmith"]
HTML:
<a href="https://cloudsmith.io/~eventstore/repos/eventstore-utils/packages/detail/docker/testdata/latest/a=amd64;xpo=linux/"><img src="https://api.cloudsmith.com/v1/badges/version/eventstore/eventstore-utils/docker/testdata/latest/a=amd64;xpo=linux/?render=true&show_latest=true" alt="Latest version of 'testdata' @ Cloudsmith" /></a>
These instructions assume you have set up the repository first (or read how to).
To pull testdata @ reference/tag 24.2.0.0-nightly-focal:
docker pull docker.eventstore.com/eventstore-utils/testdata:24.2.0.0-nightly-focal
You can also pull the latest version of this image (if it exists):
docker pull docker.eventstore.com/eventstore-utils/testdata:latest
To refer to this image after pulling in a Dockerfile, specify the following:
FROM docker.eventstore.com/eventstore-utils/testdata:24.2.0.0-nightly-focal
Note: You should replace 24.2.0.0-nightly-focal with an alternative reference to pull, such as: ci.