Cloudsmith - Repositories - Kurrent (eventstore) - kurrent-latest (kurrent-latest) - kurrentdb

Package Search Help

You can use boolean logic (e.g. AND/OR/NOT) for complex search queries. For more help and examples, see the search documentation.

Search by package name:
my-package _(implicit)
name:my-package _(explicit)

Search by package filename:
filename:my-package.ext

Search by package tag:
tag:latest

Search by package version:
version:1.0.0 prerelease:true _{(prereleases)}
prerelease:false _{(no prereleases)}

Search by package architecture:
architecture:x86_64

Search by package distribution:
distribution:el

Search by package license:
license:MIT

Search by package format:
format:deb

Search by package status:
status:in_progress

Search by package file checksum:
checksum:5afba

Search by package security status:
severity:critical

Search by package vulnerabilities:
vulnerabilities:>1
vulnerabilities:<1000

Search by # of package downloads:
downloads:>8
downloads:<100

Search by package type:
type:binary
type:source

Search by package size (bytes):
size:>50000
size:<10000

Search by dependency name/version:
dependency:log4j
dependency:log4j=1.0.0
dependency:log4j>1.0.0

Search by uploaded date:
uploaded:>"1 day ago"
uploaded:<"August 14, 2022 EST"

Search by entitlement token (identifier):
entitlement:3lKPVJPosCsY

Search by policy violation:
policy_violated:true
deny_policy_violated:true
license_policy_violated:true
vulnerability_policy_violated:true

Search by repository:
repository:repo-name

Search by last download date:
last_downloaded:<"30 days ago"
last_downloaded:>"August 14, 2022 EST"

Search queries for all Debian-specific (and related) package types

Search by component:
deb_component:unstable

Search queries for all Maven-specific (and related) package types

Search by group ID:
maven_group_id:org.apache

Search queries for all Docker-specific (and related) package types

Search by image digest:
docker_image_digest:sha256:7c5..6d4
(full hashref only)

Search by layer digest:
docker_layer_digest:sha256:4c4..ae4
(full hashref only)

Search queries for all Generic-specific package types

Search by file path:
generic_filepath:path/to/file.txt

Search by directory:
generic_directory:path/to

Field type modifiers (depending on the type, you can influence behaviour)

For all queries, you can use:
~foo for negation

For string queries, you can use:
^foo to anchor to start of term
foo$ to anchor to end of term
foo*bar for fuzzy matching

For number/date or version queries, you can use:
>foo for values greater than
>=foo for values greater / equal
<foo for values less than
<=foo for values less / equal

Need a secure and centralised artifact repository to deliver Alpine, Cargo, CocoaPods, Composer, Conan, Conda, CRAN, Dart, Debian, Docker, Generic, Go, Helm, Hex, HuggingFace, LuaRocks, Maven, MCP, npm, NuGet, P2, Python, RedHat, Ruby, Swift, Terraform, Vagrant, VSX, Raw & More packages?

Cloudsmith is the new standard in Package / Artifact Management and Software Distribution.

With support for all major package formats, you can trust us to manage your software supply chain.

Start My Free Trial

Set Me Up

Public — eventstore (Kurrent) / kurrent-latest

A certifiably-awesome public package repository curated by Kurrent, hosted by Cloudsmith.

kurrentdb 26.1

Download

One-liner (summary)

A certifiably-awesome package curated by trainstation, hosted by Cloudsmith.

Description

A certifiably-awesome package curated by trainstation, hosted by Cloudsmith.

License

Unknown

Size

242.1 MB

Downloads

653

Tags

image amd64 linux 26.1.0-x64-10.0-nob… b5e1563a-6a74-4754-… 26.1.0 latest

Status	Completed
Checksum (MD5)	9bdcdaa564506c224fd2920c1d82f5a9
Checksum (SHA-1)	a7960365518673165e32482f6eefb2ee28aec805
Checksum (SHA-256)	2faf9a47e8986b5cb3177456cf8d09976d1ebd750ce2bb8e8c158ec4e61fac4f
Checksum (SHA-512)	ed0c18dbbbfc14dd047baa8644f28e35fea769ad63ac4a2693c9bba9427997dcb2…
GPG Signature	Download
GPG Fingerprint	02a89004460aa252035d6b7d094442d90ad50bcd
Storage Region	Dublin, Ireland
Type	Binary (contains binaries and binary artifacts)
Uploaded At	1 month, 2 weeks ago
Uploaded By
Slug Id	kurrentdb-4kuf
Unique Id	wQMzUCXzafCr
Version (Raw)	26.1
Version (Parsed)	Major: 26 Minor: 1 Type: SemVer (Compat)
Orig Version (Raw)	2faf9a47e8986b5cb3177456cf8d09976d1ebd750ce2bb8e8c158ec4e61fac4f
Orig Version (Parsed)	Type: Unknown
	docker-specific metadata
Image Digest	sha256:2faf9a47e8986b5cb3177456cf8d09976d1ebd750ce2bb8e8c158ec4e61fac4f
Config Digest	sha256:b944867c2111548777eff296045d8c9a4ac2819870a408e4a936db4f32d546e9
V1 OCI Index Digest	sha256:dcc2da3515027b5b9b65ec20583fc70d356e453500b7e6c01d4f9ebba5e95cc5
V1 Distribution (Signed) Digest	sha256:08253510be962844f6a60ceab73c29fb95db880dba9ce3910282717830bd02f1
V1 OCI Digest	sha256:81bd689f98192889f0900ce9f246189256cc5747fbe16030dcb5b3ff87030131
V2 Distribution List Digest	sha256:176e9eb4f3bb6c248680c1bdf9d73c6d7eb4b768ada345b9f6e37b0004f0cab7
V1 Distribution Digest	sha256:46c7f44f3a1fcef5efb666a5cd4092637a67835902f645cc0c721ecf42be459c
V2 Distribution Digest	sha256:2faf9a47e8986b5cb3177456cf8d09976d1ebd750ce2bb8e8c158ec4e61fac4f
	extended metadata
Manifest Type	V2 Distribution
Architecture	amd64
Config	Entrypoint /opt/kurrentdb/kurrentd Env ACCEPT_EULA=Y \| APP_UID=1654 \| ASPNETCORE_HTTP_PORTS=8080 \| DEBIAN_FRONTEND=noninteractive \| DOTNET_RUNNING_IN_CONTAINER=true \| LANGUAGE=en_US:en \| PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin Exposed Ports 1112/tcp \| 1113/tcp \| 2113/tcp Healthcheck Interval 5000000000 Retries 24 Test CMD-SHELL \| curl --fail --insecure https://localhost:2113/health/live \|\| curl --fail http://localhost:2113/health/live \|\| exit 1 Timeout 5000000000 Labels 'org.opencontainers.image.version' '24.04' User kurrent Volumes /var/lib/kurrentdb \| /var/log/kurrentdb Working Dir /opt/kurrentdb
Created	2026-04-29 15:21:06 UTC
Os	linux

This package was uploaded with the following V2 Distribution manifest:

{
   "schemaVersion": 2,
   "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
   "config": {
      "mediaType": "application/vnd.docker.container.image.v1+json",
      "size": 6951,
      "digest": "sha256:9c1d2e9a35a194c9b6bc8577a577f8229b6b35f5358cdb6e410fe99d617b0518"
   },
   "layers": [
      {
         "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
         "size": 30599957,
         "digest": "sha256:2f7571f14c6ff1d57c690bd1924fd1e125936eb144dc51eb20b4172776a5c743"
      },
      {
         "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
         "size": 16819795,
         "digest": "sha256:33919016b1bbea02a7f751a9ca5f6b31f1dffd1f5f0134f44b29d8bb4fbc33a6"
      },
      {
         "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
         "size": 3559,
         "digest": "sha256:27640c99102cbc65ab781f867595024e751151897ed80eab17cc75adb22bb3c2"
      },
      {
         "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
         "size": 42824398,
         "digest": "sha256:ec8e811f5c0f6e84531b2c5dc924d2d40c52ef9cdaf66e94a8010b9cf7f7297c"
      },
      {
         "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
         "size": 2755729,
         "digest": "sha256:6fae181b0820505b507bb01b4ac878c16e281ae09405949e2266275ff523acc1"
      },
      {
         "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
         "size": 1328,
         "digest": "sha256:f9fe34c62752a8b792c87b656fcc387592202c54470d61a853c4646150ffc9db"
      },
      {
         "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
         "size": 160870245,
         "digest": "sha256:8d706def5454dcb853e01c9533ab19c0457aecb3f3c03daf7cc2ce16e64fa798"
      },
      {
         "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
         "size": 32,
         "digest": "sha256:4f4fb700ef54461cfa02571ae0db9a0dc1e0cdb5577484a6d75e68dc38e8acc1"
      },
      {
         "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
         "size": 191,
         "digest": "sha256:ec4c4127e9232d71ed333da6a086b45788db086654cc396a6c1e43b312304e0e"
      },
      {
         "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
         "size": 191,
         "digest": "sha256:8ee8feefc6cc7315dcc060fe3c6c96893938d0d527c1443d8c16a80f1883e691"
      }
   ]
}

	Digest: sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4 Command: /bin/sh -c #(nop) ARG RELEASE	32 bytes
	Digest: sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4 Command: /bin/sh -c #(nop) ARG LAUNCHPAD_BUILD_ARCH	32 bytes
	Digest: sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4 Command: /bin/sh -c #(nop) LABEL org.opencontainers.image.version=24.04	32 bytes
	Digest: sha256:2f7571f14c6ff1d57c690bd1924fd1e125936eb144dc51eb20b4172776a5c743 Command: /bin/sh -c #(nop) ADD file:8ce1caf246e7c778bca84c516d02fd4e83766bb2c530a0fffa8a351b560a2728 in /	29.2 MB
	Digest: sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4 Command: /bin/sh -c #(nop) CMD ["/bin/bash"]	32 bytes
	Digest: sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4 Command: ENV APP_UID=1654 ASPNETCORE_HTTP_PORTS=8080 DOTNET_RUNNING_IN_CONTAINER=true	32 bytes
	Digest: sha256:33919016b1bbea02a7f751a9ca5f6b31f1dffd1f5f0134f44b29d8bb4fbc33a6 Command: RUN /bin/sh -c apt-get update && apt-get install -y --no-install-recommends ca-certificates libc6 libgcc-s1 libicu74 libssl3t64 libstdc++6 tzdata tzdata-legacy && rm -rf /var/lib/apt/lists/* # buildkit	16.0 MB
	Digest: sha256:27640c99102cbc65ab781f867595024e751151897ed80eab17cc75adb22bb3c2 Command: RUN /bin/sh -c groupadd --gid=$APP_UID app && useradd --no-log-init --uid=$APP_UID --gid=$APP_UID --create-home app # buildkit	3.5 KB
	Digest: sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4 Command: ARG DATABASE_ARCHIVE_DIR=kurrentdb-26.1.0-linux-x64.tar.gz	32 bytes
	Digest: sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4 Command: ARG UID=1001	32 bytes
	Digest: sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4 Command: ARG GID=1001	32 bytes
	Digest: sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4 Command: ENV LANGUAGE=en_US:en DEBIAN_FRONTEND=noninteractive ACCEPT_EULA=Y	32 bytes
	Digest: sha256:ec8e811f5c0f6e84531b2c5dc924d2d40c52ef9cdaf66e94a8010b9cf7f7297c Command: RUN \|3 DATABASE_ARCHIVE_DIR=kurrentdb-26.1.0-linux-x64.tar.gz UID=1001 GID=1001 /bin/sh -c apt-get update && apt-get upgrade -y && apt-get clean # buildkit	40.8 MB
	Digest: sha256:6fae181b0820505b507bb01b4ac878c16e281ae09405949e2266275ff523acc1 Command: RUN \|3 DATABASE_ARCHIVE_DIR=kurrentdb-26.1.0-linux-x64.tar.gz UID=1001 GID=1001 /bin/sh -c apt update && apt install -y adduser curl && rm -rf /var/lib/apt/lists/* # buildkit	2.6 MB
	Digest: sha256:f9fe34c62752a8b792c87b656fcc387592202c54470d61a853c4646150ffc9db Command: RUN \|3 DATABASE_ARCHIVE_DIR=kurrentdb-26.1.0-linux-x64.tar.gz UID=1001 GID=1001 /bin/sh -c addgroup --gid ${GID} "kurrent" && adduser --disabled-password --gecos "" --ingroup "kurrent" --no-create-home --uid ${UID} "kurrent" # buildkit	1.3 KB
	Digest: sha256:8d706def5454dcb853e01c9533ab19c0457aecb3f3c03daf7cc2ce16e64fa798 Command: COPY --chown=kurrent:kurrent kurrentdb-26.1.0-linux-x64.tar.gz /opt/kurrentdb/ # buildkit	153.4 MB
	Digest: sha256:4f4fb700ef54461cfa02571ae0db9a0dc1e0cdb5577484a6d75e68dc38e8acc1 Command: WORKDIR /opt/kurrentdb	32 bytes
	Digest: sha256:ec4c4127e9232d71ed333da6a086b45788db086654cc396a6c1e43b312304e0e Command: RUN \|3 DATABASE_ARCHIVE_DIR=kurrentdb-26.1.0-linux-x64.tar.gz UID=1001 GID=1001 /bin/sh -c mkdir -p /var/lib/kurrentdb && mkdir -p /var/log/kurrentdb && mkdir -p /etc/kurrentdb && chown -R kurrent:kurrent /var/lib/kurrentdb /var/log/kurrentdb /etc/kurrentdb # buildkit	191 bytes
	Digest: sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4 Command: USER kurrent	32 bytes
	Digest: sha256:8ee8feefc6cc7315dcc060fe3c6c96893938d0d527c1443d8c16a80f1883e691 Command: RUN \|3 DATABASE_ARCHIVE_DIR=kurrentdb-26.1.0-linux-x64.tar.gz UID=1001 GID=1001 /bin/sh -c echo "NodeIp: 0.0.0.0\nReplicationIp: 0.0.0.0" >> /etc/kurrentdb/kurrentdb.conf # buildkit	191 bytes
	Digest: sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4 Command: VOLUME [/var/lib/kurrentdb]	32 bytes
	Digest: sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4 Command: VOLUME [/var/log/kurrentdb]	32 bytes
	Digest: sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4 Command: EXPOSE map[1112/tcp:{}]	32 bytes
	Digest: sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4 Command: EXPOSE map[1113/tcp:{}]	32 bytes
	Digest: sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4 Command: EXPOSE map[2113/tcp:{}]	32 bytes
	Digest: sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4 Command: HEALTHCHECK &{["CMD-SHELL" "curl --fail --insecure https://localhost:2113/health/live \|\| curl --fail http://localhost:2113/health/live \|\| exit 1"] "5s" "5s" "0s" "0s" '\x18'}	32 bytes
	Digest: sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4 Command: ENTRYPOINT ["/opt/kurrentdb/kurrentd"]	32 bytes

	kurrentdb 26.1	image amd64 linux 26.1.0-x64-10.0-nob… b5e1563a-6a74-4754-… 26.1.0 latest 242.1 MB — 1 month, 2 weeks ago	653
Older	kurrentdb 26.0.3	image amd64 linux 26.0.3-x64-10.0-nob… fdffabc6-7137-4d96-… 26.0 lts 241.4 MB — 1 month ago	154
Older	kurrentdb 26.0.2	image amd64 linux 26.0.2-x64-10.0-nob… e6324a21-f867-4941-… 238.3 MB — 3 months ago	30950
Older	kurrentdb 26.0.1	image amd64 linux 26.0.1-x64-10.0-nob… ff541ec3-69d4-47d1-… 245.6 MB — 4 months, 1 week ago	17212
Older	kurrentdb 26.0.0	image amd64 linux 26.0.0-x64-10.0-nob… 048218d3-0542-472c-… 236.9 MB — 5 months ago	5513
Older	kurrentdb 25.1.4	image amd64 linux 25.1.4-x64-8.0-jammy 7f654902-d1ca-4426-… 25.1 369.5 MB — 3 months, 3 weeks ago	5116
Older	kurrentdb 25.1.4-x64-8.0-bookworm-slim	image amd64 linux b000e3ca-fae4-450b-… 338.1 MB — 3 months, 3 weeks ago	8
Older	kurrentdb 25.1.3	image amd64 linux 25.1.3-x64-8.0-jammy c531ca8e-161c-4beb-… 376.1 MB — 4 months, 1 week ago	769
Older	kurrentdb 25.1.3-x64-8.0-bookworm-slim	image amd64 linux 09c3bbb3-1ce3-417b-… 337.0 MB — 4 months, 1 week ago	7
Older	kurrentdb 25.1.1	image amd64 linux 25.1.1-x64-8.0-jammy eb074e71-9c9d-4dc1-… 365.0 MB — 6 months, 4 weeks ago	13731
Older	kurrentdb 25.1.1-x64-8.0-bookworm-slim	image amd64 linux e57bc875-f1ce-483e-… 335.2 MB — 6 months, 4 weeks ago	10
Older	kurrentdb 25.1.0	image amd64 linux 25.1.0-x64-8.0-jammy 64565ee6-7682-4567-… 364.3 MB — 8 months ago	4430
Older	kurrentdb 25.1.0-x64-8.0-bookworm-slim	image amd64 linux 775f754f-ccc3-4379-… 335.1 MB — 8 months ago	469
Older	kurrentdb 25.0.1	image amd64 linux 25.0.1-x64-8.0-jammy 65fc4013-6f2b-434f-… 25.0 333.4 MB — 1 year ago	11045
Older	kurrentdb 25.0.1-x64-8.0-bookworm-slim	image amd64 linux fe0a2d9b-1158-4ead-… 313.2 MB — 1 year ago	468
Older	kurrentdb 25.0.0	image amd64 linux 25.0.0-x64-8.0-jammy 1f96d4a4-834d-490f-… 332.1 MB — 1 year, 2 months ago	4216
Older	kurrentdb 25.0.0-x64-8.0-bookworm-slim	image amd64 linux 5ede3b62-e3a8-4805-… 308.3 MB — 1 year, 2 months ago	606

Only packages within the same repository are displayed. The current package you're viewing is highlighted.

Last scanned

1 month, 2 weeks ago

Scan result

Vulnerable

Vulnerability count

Max. severity

Medium

Target:	wQMzUCXzafCr.sbom-cyclonedx.json (ubuntu 24.04)
MEDIUM	CVE-2026-27456: util-linux: TOCTOU in the mount program when setting up loop devices util-linux is a random collection of Linux utilities. Prior to version 2.41.4, a TOCTOU (Time-of-Check-Time-of-Use) vulnerability has been identified in the SUID binary /usr/bin/mount from util-linux. The mount binary, when setting up loop devices, validates the source file path with user privileges via fork() + setuid() + realpath(), but subsequently re-canonicalizes and opens it with root privileges (euid=0) without verifying that the path has not been replaced between both operations. Neither O_NOFOLLOW, nor inode comparison, nor post-open fstat() are employed. This allows a local unprivileged user to replace the source file with a symlink pointing to any root-owned file or device during the race window, causing the SUID binary to open and mount it as root. Exploitation requires an /etc/fstab entry with user,loop options whose path points to a directory where the attacker has write permission, and that /usr/bin/mount has the SUID bit set (the default configuration on virtually all Linux distributions). The impact is unauthorized read access to root-protected files and block devices, including backup images, disk volumes, and any file containing a valid filesystem. This issue has been patched in version 2.41.4. Package Name: bsdutils Installed Version: 1:2.39.3-9ubuntu6.5 Fixed Version: References: access.redhat.com github.com github.com github.com nvd.nist.gov www.cve.org
MEDIUM	CVE-2026-2219: It was discovered that dpkg-deb (a component of dpkg, the Debian packa ... It was discovered that dpkg-deb (a component of dpkg, the Debian package management system) does not properly validate the end of the data stream when uncompressing a zstd-compressed .deb archive, which may result in denial of service (infinite loop spinning the CPU). Package Name: dpkg Installed Version: 1.22.6ubuntu6.5 Fixed Version: References: bugs.debian.org git.dpkg.org www.cve.org
MEDIUM	CVE-2026-27456: util-linux: TOCTOU in the mount program when setting up loop devices util-linux is a random collection of Linux utilities. Prior to version 2.41.4, a TOCTOU (Time-of-Check-Time-of-Use) vulnerability has been identified in the SUID binary /usr/bin/mount from util-linux. The mount binary, when setting up loop devices, validates the source file path with user privileges via fork() + setuid() + realpath(), but subsequently re-canonicalizes and opens it with root privileges (euid=0) without verifying that the path has not been replaced between both operations. Neither O_NOFOLLOW, nor inode comparison, nor post-open fstat() are employed. This allows a local unprivileged user to replace the source file with a symlink pointing to any root-owned file or device during the race window, causing the SUID binary to open and mount it as root. Exploitation requires an /etc/fstab entry with user,loop options whose path points to a directory where the attacker has write permission, and that /usr/bin/mount has the SUID bit set (the default configuration on virtually all Linux distributions). The impact is unauthorized read access to root-protected files and block devices, including backup images, disk volumes, and any file containing a valid filesystem. This issue has been patched in version 2.41.4. Package Name: libblkid1 Installed Version: 2.39.3-9ubuntu6.5 Fixed Version: References: access.redhat.com github.com github.com github.com nvd.nist.gov www.cve.org
MEDIUM	CVE-2026-4046: glibc: glibc: Denial of Service via iconv() function with specific character sets The iconv() function in the GNU C Library versions 2.43 and earlier may crash due to an assertion failure when converting inputs from the IBM1390 or IBM1399 character sets, which may be used to remotely crash an application. This vulnerability can be trivially mitigated by removing the IBM1390 and IBM1399 character sets from systems that do not need them. Package Name: libc-bin Installed Version: 2.39-0ubuntu8.7 Fixed Version: References: access.redhat.com inbox.sourceware.org nvd.nist.gov packages.fedoraproject.org sourceware.org sourceware.org sourceware.org www.cve.org
MEDIUM	CVE-2026-4437: glibc: glibc: Incorrect DNS response parsing via crafted DNS server response Calling gethostbyaddr or gethostbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend in the GNU C Library version 2.34 to version 2.43 could, with a crafted response from the configured DNS server, result in a violation of the DNS specification that causes the application to treat a non-answer section of the DNS response as a valid answer. Package Name: libc-bin Installed Version: 2.39-0ubuntu8.7 Fixed Version: References: access.redhat.com nvd.nist.gov sourceware.org www.cve.org www.openwall.com
MEDIUM	CVE-2026-4438: glibc: glibc: Invalid DNS hostname returned via gethostbyaddr functions Calling gethostbyaddr or gethostbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend in the GNU C library version 2.34 to version 2.43 could result in an invalid DNS hostname being returned to the caller in violation of the DNS specification. Package Name: libc-bin Installed Version: 2.39-0ubuntu8.7 Fixed Version: References: access.redhat.com nvd.nist.gov sourceware.org www.cve.org www.openwall.com
MEDIUM	CVE-2026-4046: glibc: glibc: Denial of Service via iconv() function with specific character sets The iconv() function in the GNU C Library versions 2.43 and earlier may crash due to an assertion failure when converting inputs from the IBM1390 or IBM1399 character sets, which may be used to remotely crash an application. This vulnerability can be trivially mitigated by removing the IBM1390 and IBM1399 character sets from systems that do not need them. Package Name: libc6 Installed Version: 2.39-0ubuntu8.7 Fixed Version: References: access.redhat.com inbox.sourceware.org nvd.nist.gov packages.fedoraproject.org sourceware.org sourceware.org sourceware.org www.cve.org
MEDIUM	CVE-2026-4437: glibc: glibc: Incorrect DNS response parsing via crafted DNS server response Calling gethostbyaddr or gethostbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend in the GNU C Library version 2.34 to version 2.43 could, with a crafted response from the configured DNS server, result in a violation of the DNS specification that causes the application to treat a non-answer section of the DNS response as a valid answer. Package Name: libc6 Installed Version: 2.39-0ubuntu8.7 Fixed Version: References: access.redhat.com nvd.nist.gov sourceware.org www.cve.org www.openwall.com
MEDIUM	CVE-2026-4438: glibc: glibc: Invalid DNS hostname returned via gethostbyaddr functions Calling gethostbyaddr or gethostbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend in the GNU C library version 2.34 to version 2.43 could result in an invalid DNS hostname being returned to the caller in violation of the DNS specification. Package Name: libc6 Installed Version: 2.39-0ubuntu8.7 Fixed Version: References: access.redhat.com nvd.nist.gov sourceware.org www.cve.org www.openwall.com
MEDIUM	CVE-2026-27456: util-linux: TOCTOU in the mount program when setting up loop devices util-linux is a random collection of Linux utilities. Prior to version 2.41.4, a TOCTOU (Time-of-Check-Time-of-Use) vulnerability has been identified in the SUID binary /usr/bin/mount from util-linux. The mount binary, when setting up loop devices, validates the source file path with user privileges via fork() + setuid() + realpath(), but subsequently re-canonicalizes and opens it with root privileges (euid=0) without verifying that the path has not been replaced between both operations. Neither O_NOFOLLOW, nor inode comparison, nor post-open fstat() are employed. This allows a local unprivileged user to replace the source file with a symlink pointing to any root-owned file or device during the race window, causing the SUID binary to open and mount it as root. Exploitation requires an /etc/fstab entry with user,loop options whose path points to a directory where the attacker has write permission, and that /usr/bin/mount has the SUID bit set (the default configuration on virtually all Linux distributions). The impact is unauthorized read access to root-protected files and block devices, including backup images, disk volumes, and any file containing a valid filesystem. This issue has been patched in version 2.41.4. Package Name: libmount1 Installed Version: 2.39.3-9ubuntu6.5 Fixed Version: References: access.redhat.com github.com github.com github.com nvd.nist.gov www.cve.org
MEDIUM	CVE-2026-27456: util-linux: TOCTOU in the mount program when setting up loop devices util-linux is a random collection of Linux utilities. Prior to version 2.41.4, a TOCTOU (Time-of-Check-Time-of-Use) vulnerability has been identified in the SUID binary /usr/bin/mount from util-linux. The mount binary, when setting up loop devices, validates the source file path with user privileges via fork() + setuid() + realpath(), but subsequently re-canonicalizes and opens it with root privileges (euid=0) without verifying that the path has not been replaced between both operations. Neither O_NOFOLLOW, nor inode comparison, nor post-open fstat() are employed. This allows a local unprivileged user to replace the source file with a symlink pointing to any root-owned file or device during the race window, causing the SUID binary to open and mount it as root. Exploitation requires an /etc/fstab entry with user,loop options whose path points to a directory where the attacker has write permission, and that /usr/bin/mount has the SUID bit set (the default configuration on virtually all Linux distributions). The impact is unauthorized read access to root-protected files and block devices, including backup images, disk volumes, and any file containing a valid filesystem. This issue has been patched in version 2.41.4. Package Name: libsmartcols1 Installed Version: 2.39.3-9ubuntu6.5 Fixed Version: References: access.redhat.com github.com github.com github.com nvd.nist.gov www.cve.org
MEDIUM	CVE-2026-27456: util-linux: TOCTOU in the mount program when setting up loop devices util-linux is a random collection of Linux utilities. Prior to version 2.41.4, a TOCTOU (Time-of-Check-Time-of-Use) vulnerability has been identified in the SUID binary /usr/bin/mount from util-linux. The mount binary, when setting up loop devices, validates the source file path with user privileges via fork() + setuid() + realpath(), but subsequently re-canonicalizes and opens it with root privileges (euid=0) without verifying that the path has not been replaced between both operations. Neither O_NOFOLLOW, nor inode comparison, nor post-open fstat() are employed. This allows a local unprivileged user to replace the source file with a symlink pointing to any root-owned file or device during the race window, causing the SUID binary to open and mount it as root. Exploitation requires an /etc/fstab entry with user,loop options whose path points to a directory where the attacker has write permission, and that /usr/bin/mount has the SUID bit set (the default configuration on virtually all Linux distributions). The impact is unauthorized read access to root-protected files and block devices, including backup images, disk volumes, and any file containing a valid filesystem. This issue has been patched in version 2.41.4. Package Name: libuuid1 Installed Version: 2.39.3-9ubuntu6.5 Fixed Version: References: access.redhat.com github.com github.com github.com nvd.nist.gov www.cve.org
MEDIUM	CVE-2026-27456: util-linux: TOCTOU in the mount program when setting up loop devices util-linux is a random collection of Linux utilities. Prior to version 2.41.4, a TOCTOU (Time-of-Check-Time-of-Use) vulnerability has been identified in the SUID binary /usr/bin/mount from util-linux. The mount binary, when setting up loop devices, validates the source file path with user privileges via fork() + setuid() + realpath(), but subsequently re-canonicalizes and opens it with root privileges (euid=0) without verifying that the path has not been replaced between both operations. Neither O_NOFOLLOW, nor inode comparison, nor post-open fstat() are employed. This allows a local unprivileged user to replace the source file with a symlink pointing to any root-owned file or device during the race window, causing the SUID binary to open and mount it as root. Exploitation requires an /etc/fstab entry with user,loop options whose path points to a directory where the attacker has write permission, and that /usr/bin/mount has the SUID bit set (the default configuration on virtually all Linux distributions). The impact is unauthorized read access to root-protected files and block devices, including backup images, disk volumes, and any file containing a valid filesystem. This issue has been patched in version 2.41.4. Package Name: mount Installed Version: 2.39.3-9ubuntu6.5 Fixed Version: References: access.redhat.com github.com github.com github.com nvd.nist.gov www.cve.org
MEDIUM	CVE-2025-45582: tar: Tar path traversal GNU Tar through 1.35 allows file overwrite via directory traversal in crafted TAR archives, with a certain two-step process. First, the victim must extract an archive that contains a ../ symlink to a critical directory. Second, the victim must extract an archive that contains a critical file, specified via a relative pathname that begins with the symlink name and ends with that critical file's name. Here, the extraction follows the symlink and overwrites the critical file. This bypasses the protection mechanism of "Member name contains '..'" that would occur for a single TAR archive that attempted to specify the critical file via a ../ approach. For example, the first archive can contain "x -> ../../../../../home/victim/.ssh" and the second archive can contain x/authorized_keys. This can affect server applications that automatically extract any number of user-supplied TAR archives, and were relying on the blocking of traversal. This can also affect software installation processes in which "tar xf" is run more than once (e.g., when installing a package can automatically install two dependencies that are set up as untrusted tarballs instead of official packages). NOTE: the official GNU Tar manual has an otherwise-empty directory for each "tar xf" in its Security Rules of Thumb; however, third-party advice leads users to run "tar xf" more than once into the same directory. Package Name: tar Installed Version: 1.35+dfsg-3build1 Fixed Version: References: www.openwall.com access.redhat.com access.redhat.com bugzilla.redhat.com bugzilla.redhat.com cve.mitre.org errata.almalinux.org errata.rockylinux.org github.com linux.oracle.com linux.oracle.com lists.gnu.org nvd.nist.gov www.cve.org www.gnu.org www.gnu.org www.gnu.org www.gnu.org
MEDIUM	CVE-2026-5704: tar: tar: Hidden file injection via crafted archives A flaw was found in tar. A remote attacker could exploit this vulnerability by crafting a malicious archive, leading to hidden file injection with fully attacker-controlled content. This bypasses pre-extraction inspection mechanisms, potentially allowing an attacker to introduce malicious files onto a system without detection. Package Name: tar Installed Version: 1.35+dfsg-3build1 Fixed Version: References: www.openwall.com www.openwall.com www.openwall.com access.redhat.com bugzilla.redhat.com nvd.nist.gov www.cve.org
MEDIUM	CVE-2026-27456: util-linux: TOCTOU in the mount program when setting up loop devices util-linux is a random collection of Linux utilities. Prior to version 2.41.4, a TOCTOU (Time-of-Check-Time-of-Use) vulnerability has been identified in the SUID binary /usr/bin/mount from util-linux. The mount binary, when setting up loop devices, validates the source file path with user privileges via fork() + setuid() + realpath(), but subsequently re-canonicalizes and opens it with root privileges (euid=0) without verifying that the path has not been replaced between both operations. Neither O_NOFOLLOW, nor inode comparison, nor post-open fstat() are employed. This allows a local unprivileged user to replace the source file with a symlink pointing to any root-owned file or device during the race window, causing the SUID binary to open and mount it as root. Exploitation requires an /etc/fstab entry with user,loop options whose path points to a directory where the attacker has write permission, and that /usr/bin/mount has the SUID bit set (the default configuration on virtually all Linux distributions). The impact is unauthorized read access to root-protected files and block devices, including backup images, disk volumes, and any file containing a valid filesystem. This issue has been patched in version 2.41.4. Package Name: util-linux Installed Version: 2.39.3-9ubuntu6.5 Fixed Version: References: access.redhat.com github.com github.com github.com nvd.nist.gov www.cve.org
LOW	CVE-2024-2236: libgcrypt: vulnerable to Marvin Attack A timing-based side-channel flaw was found in libgcrypt's RSA implementation. This issue may allow a remote attacker to initiate a Bleichenbacher-style attack, which can lead to the decryption of RSA ciphertexts. Package Name: libgcrypt20 Installed Version: 1.10.3-2build1 Fixed Version: References: access.redhat.com access.redhat.com access.redhat.com access.redhat.com bugzilla.redhat.com bugzilla.redhat.com bugzilla.redhat.com cve.mitre.org dev.gnupg.org errata.almalinux.org errata.rockylinux.org github.com gitlab.com linux.oracle.com linux.oracle.com lists.gnupg.org nvd.nist.gov www.cve.org
LOW	CVE-2025-5222: icu: Stack buffer overflow in the SRBRoot::addTag function A stack buffer overflow was found in Internationl components for unicode (ICU ). While running the genrb binary, the 'subtag' struct overflowed at the SRBRoot::addTag function. This issue may lead to memory corruption and local arbitrary code execution. Package Name: libicu74 Installed Version: 74.2-1ubuntu3.1 Fixed Version: References: access.redhat.com access.redhat.com access.redhat.com access.redhat.com access.redhat.com access.redhat.com bugzilla.redhat.com bugzilla.redhat.com cve.mitre.org errata.almalinux.org errata.rockylinux.org linux.oracle.com linux.oracle.com lists.debian.org nvd.nist.gov unicode-org.atlassian.net www.cve.org
LOW	CVE-2024-56433: shadow-utils: Default subordinate ID configuration in /etc/login.defs could lead to compromise shadow-utils (aka shadow) 4.4 through 4.17.0 establishes a default /etc/subuid behavior (e.g., uid 100000 through 165535 for the first user account) that can realistically conflict with the uids of users defined on locally administered networks, potentially leading to account takeover, e.g., by leveraging newuidmap for access to an NFS home directory (or same-host resources in the case of remote logins by these local network users). NOTE: it may also be argued that system administrators should not have assigned uids, within local networks, that are within the range that can occur in /etc/subuid. Package Name: login Installed Version: 1:4.13+dfsg1-4ubuntu3.2 Fixed Version: References: access.redhat.com access.redhat.com bugzilla.redhat.com bugzilla.redhat.com cve.mitre.org errata.almalinux.org errata.rockylinux.org github.com github.com github.com linux.oracle.com linux.oracle.com nvd.nist.gov www.cve.org
LOW	CVE-2024-56433: shadow-utils: Default subordinate ID configuration in /etc/login.defs could lead to compromise shadow-utils (aka shadow) 4.4 through 4.17.0 establishes a default /etc/subuid behavior (e.g., uid 100000 through 165535 for the first user account) that can realistically conflict with the uids of users defined on locally administered networks, potentially leading to account takeover, e.g., by leveraging newuidmap for access to an NFS home directory (or same-host resources in the case of remote logins by these local network users). NOTE: it may also be argued that system administrators should not have assigned uids, within local networks, that are within the range that can occur in /etc/subuid. Package Name: passwd Installed Version: 1:4.13+dfsg1-4ubuntu3.2 Fixed Version: References: access.redhat.com access.redhat.com bugzilla.redhat.com bugzilla.redhat.com cve.mitre.org errata.almalinux.org errata.rockylinux.org github.com github.com github.com linux.oracle.com linux.oracle.com nvd.nist.gov www.cve.org

Package statistics are no longer available on cloudsmith.io. Please visit our new web app to access this feature.

You can embed a badge in another website that shows this or the latest version of this package.

To embed the badge for this specific package version, use the following:

[![This version of 'kurrentdb' @ Cloudsmith](https://api.cloudsmith.com/v1/badges/version/eventstore/kurrent-latest/docker/kurrentdb/26.1/a=amd64;xpo=linux/?render=true)](https://cloudsmith.io/~eventstore/repos/kurrent-latest/packages/detail/docker/kurrentdb/2faf9a47e8986b5cb3177456cf8d09976d1ebd750ce2bb8e8c158ec4e61fac4f/a=amd64;xpo=linux/)

|This version of 'kurrentdb' @ Cloudsmith|
.. |This version of 'kurrentdb' @ Cloudsmith| image:: https://api.cloudsmith.com/v1/badges/version/eventstore/kurrent-latest/docker/kurrentdb/26.1/a=amd64;xpo=linux/?render=true
   :target: https://cloudsmith.io/~eventstore/repos/kurrent-latest/packages/detail/docker/kurrentdb/2faf9a47e8986b5cb3177456cf8d09976d1ebd750ce2bb8e8c158ec4e61fac4f/a=amd64;xpo=linux/

image::https://api.cloudsmith.com/v1/badges/version/eventstore/kurrent-latest/docker/kurrentdb/26.1/a=amd64;xpo=linux/?render=true[link="https://cloudsmith.io/~eventstore/repos/kurrent-latest/packages/detail/docker/kurrentdb/2faf9a47e8986b5cb3177456cf8d09976d1ebd750ce2bb8e8c158ec4e61fac4f/a=amd64;xpo=linux/",title="This version of 'kurrentdb' @ Cloudsmith"]

<a href="https://cloudsmith.io/~eventstore/repos/kurrent-latest/packages/detail/docker/kurrentdb/2faf9a47e8986b5cb3177456cf8d09976d1ebd750ce2bb8e8c158ec4e61fac4f/a=amd64;xpo=linux/"><img src="https://api.cloudsmith.com/v1/badges/version/eventstore/kurrent-latest/docker/kurrentdb/26.1/a=amd64;xpo=linux/?render=true" alt="This version of 'kurrentdb' @ Cloudsmith" /></a>

rendered as:

To embed the badge for the latest package version, use the following:

[![Latest version of 'kurrentdb' @ Cloudsmith](https://api.cloudsmith.com/v1/badges/version/eventstore/kurrent-latest/docker/kurrentdb/latest/a=amd64;xpo=linux/?render=true&show_latest=true)](https://cloudsmith.io/~eventstore/repos/kurrent-latest/packages/detail/docker/kurrentdb/latest/a=amd64;xpo=linux/)

|Latest version of 'kurrentdb' @ Cloudsmith|
.. |Latest version of 'kurrentdb' @ Cloudsmith| image:: https://api.cloudsmith.com/v1/badges/version/eventstore/kurrent-latest/docker/kurrentdb/latest/a=amd64;xpo=linux/?render=true&show_latest=true
   :target: https://cloudsmith.io/~eventstore/repos/kurrent-latest/packages/detail/docker/kurrentdb/latest/a=amd64;xpo=linux/

image::https://api.cloudsmith.com/v1/badges/version/eventstore/kurrent-latest/docker/kurrentdb/latest/a=amd64;xpo=linux/?render=true&show_latest=true[link="https://cloudsmith.io/~eventstore/repos/kurrent-latest/packages/detail/docker/kurrentdb/latest/a=amd64;xpo=linux/",title="Latest version of 'kurrentdb' @ Cloudsmith"]

<a href="https://cloudsmith.io/~eventstore/repos/kurrent-latest/packages/detail/docker/kurrentdb/latest/a=amd64;xpo=linux/"><img src="https://api.cloudsmith.com/v1/badges/version/eventstore/kurrent-latest/docker/kurrentdb/latest/a=amd64;xpo=linux/?render=true&show_latest=true" alt="Latest version of 'kurrentdb' @ Cloudsmith" /></a>

rendered as:

These instructions assume you have setup the repository first (or read it).

To pull kurrentdb @ reference/tag latest:

docker pull docker.eventstore.com/kurrent-latest/kurrentdb:latest

To refer to this image after pulling in a Dockerfile, specify the following:

FROM docker.eventstore.com/kurrent-latest/kurrentdb:latest

Note: You should replace latest with an alternative reference to pull, such as: 26.1, 26.1.0, b5e1563a-6a74-4754-a5cc-ffcdd7f19921 and 26.1.0-x64-10.0-noble.

Still stuck? Need help? Don't panic. Just contact us for help (even if you're not a customer).

Previous Version: 26.0.3

Next Version

kurrentdb 26.1

One-liner (summary)

Description

License

Size

Downloads

Tags

Last scanned

Scan result

Vulnerability count

Max. severity

CVE-2026-27456: util-linux: TOCTOU in the mount program when setting up loop devices

CVE-2026-2219: It was discovered that dpkg-deb (a component of dpkg, the Debian packa ...

CVE-2026-27456: util-linux: TOCTOU in the mount program when setting up loop devices

CVE-2026-4046: glibc: glibc: Denial of Service via iconv() function with specific character sets

CVE-2026-4437: glibc: glibc: Incorrect DNS response parsing via crafted DNS server response

CVE-2026-4438: glibc: glibc: Invalid DNS hostname returned via gethostbyaddr functions

CVE-2026-4046: glibc: glibc: Denial of Service via iconv() function with specific character sets

CVE-2026-4437: glibc: glibc: Incorrect DNS response parsing via crafted DNS server response

CVE-2026-4438: glibc: glibc: Invalid DNS hostname returned via gethostbyaddr functions

CVE-2026-27456: util-linux: TOCTOU in the mount program when setting up loop devices

CVE-2026-27456: util-linux: TOCTOU in the mount program when setting up loop devices

CVE-2026-27456: util-linux: TOCTOU in the mount program when setting up loop devices

CVE-2026-27456: util-linux: TOCTOU in the mount program when setting up loop devices

CVE-2025-45582: tar: Tar path traversal

CVE-2026-5704: tar: tar: Hidden file injection via crafted archives

CVE-2026-27456: util-linux: TOCTOU in the mount program when setting up loop devices

CVE-2024-2236: libgcrypt: vulnerable to Marvin Attack

CVE-2025-5222: icu: Stack buffer overflow in the SRBRoot::addTag function

CVE-2024-56433: shadow-utils: Default subordinate ID configuration in /etc/login.defs could lead to compromise

CVE-2024-56433: shadow-utils: Default subordinate ID configuration in /etc/login.defs could lead to compromise